Briers believes that part of the answer is to measure the monetary value of risk management and to integrate the program with the company’s strategic and operational objectives. Return on investment in this field is hard to measure, but still necessary. For example, would an increase in risk and control costs be outweighed by a reduction in risk financing costs? He cites the example of a very large oil and gas company in Europe that has used its enterprise risk management program to improve the identification of business opportunities, holding managers accountable for upside potential, as well as downside risk.
Wilson agrees that monetary measurement of risk is important, but says that many companies need to do a lot of work before they get to specific metrics. “They need to have clear goals around the risk management program and link those to what internal and external stakeholders expect,” he says. “It is difficult to understand whether risk management delivers value unless there is a consensus among the Board and executives about the goals.”
The Chief Executive Officer should play a crucial role in this regard by formulating the goals for risk management and driving the process to reach a consensus. At one very large ENR company, according to Briers, the CEO personally drafts the description of the top 20 risks and presents them to the Board every quarter. He makes sure that risks are dealt with at planning meetings and that they are regularly on the agenda of the executive committee. He refuses to delegate this role to a less senior officer.