ERM CASE STUDY ASSIGNMENT
CHAPTER 33
Challenges and Obstacles of ERM Implementation in Poland ZBIGNIEW KRYSIAK, PHD Associate Professor of Finance, Warsaw School of Economics, Poland
SŁAWOMIR PIJANOWSKI, PHD President, POLRISK Risk Management Association, Poland
This research is about the status of enterprise risk management (ERM) implementation in companies in Poland. We analyze the challenges and obstacles to a more mature stage of ERM rather than a compliance- or governance-driven one. Poland, after the transition to the free market economy in 1989, became open to knowledge and the transfer of best practices from around the world. Since the publication of AS/NZS 4360 in 1995 and COSO II in 2004, together with easy access via the Internet, it seems that theoretically there should not be a delay in implementing modern risk management (RM) processes in Poland. While there is contact with authors and thought leaders taking part in the creation of various ERM standards, and with some professionals implementing ERM in various companies, barriers still exist. These barriers are due to geographical distances, language differences, budget constraints, a lack of awareness, or other business priorities. We (the authors) first heard about AS/NZS 4360 in 2004 while looking for inspiration from various standards to improve risk assessment methodologies for our companies. In 2004, the aforementioned standards were translated into Polish and published in the Polish Ministry of Finance’s Orange Book Risk Management—Principles and Concepts. A similar publication had been issued earlier by the UK Ministry of Treasury, along with another handbook of risk management for the audit department, which included descriptions of some risk management tools and standards. Later, in 2005 and 2006, the Ministry of Finance also led a project implementing ERM in selected units of public administration as a pilot phase.
Managers in Poland were becoming familiar with ERM concepts mainly by educating themselves. In 2006, the POLRISK Risk Management Association1 was established, and later became a member of the Federation of European Risk Management Associations (FERMA).2 Under POLRISK, ERM has been popularized in a more structured way by its first founding members and other officers. Since 2006, ERM experts from around the world have begun to come to Poland as speakers in the annual conferences organized by POLRISK.
577
www.it-ebooks.info
578 Implementing Enterprise Risk Management
There are many people involved with Poland’s ERM efforts.3 We have the honor to be two of them. For example, late in 2009, Slawomir Pijanowski, on behalf of POLRISK, with the support of Kevin W. Knight, AM, initiated the preparation for adoption of ISO 31000 in Poland. In 2011, Mr. Pijanowski, as representative of both POLRISK and the Polish Committee for Standardization, joined ISO/PC 262, contributing to the elaboration of ISO 31004. It is, however, difficult to demonstrate the benefits of ERM in Poland, because there are few good examples of ERM implementation in domestic companies. Additionally, there are few CEOs or independent parties who have observed how ERM adds value. This state of ERM implementation provides the motivation for our case study. This case study examines the reasons, challenges, and obstacles of ERM implementation and will help us reach the right conclusions.
METHODOLOGY TO DIAGNOSE THE STATUS OF ERM IMPLEMENTATION
The sources used in this article come from:
• Research performed by the authors on approximately 100 companies in 2006 and with 300 managers in 2010.
• The POLRISK Risk Management Association, with 100 members, at various workshops, conferences, seminars, and training courses where ERM has been challenged, questioned, and openly discussed.
• Participation in the creation of an ERM program in the telecommunications industry.
• Exchanging practical knowledge, experience, or training about ERM among the Polish practitioners (various managerial positions, CEOs, boards, experts, and specialists) of the following industries: telecommunications, energy, logistics (road, post, railway industry), oil and gas, consulting, insurance, banks, hospitals, and construction.
We would like to share our observations by pointing out areas of weakness, as well as the challenges of demonstrating ERM’s value per se for boards, managers, and operational employees. There are 3,000 companies in Poland with more than 250 employees that would potentially benefit from ERM implementation. Assuming that ERM is justified for companies with at least 250 employees, then our studies deal with about 10 to 20 percent of such companies in Poland. The research includes only private companies, excluding the financial industry (i.e., insurers, banks, investment funds, etc.), and not public administration.
We use the following three definitions of ERM:
1. Enterprise risk management can be defined as an integrated approach to credit risk, market risk, operational risk, business risk, and economic capital management. This includes risk control, mitigation, and risk transfer to maximize the value of the company (Lam 2003).
2. In ISO 31000, risk management is defined as coordinated activities to direct and control an organization with regard to risk (ISO Guide 73:2009, definition 2.1).
3. Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in the strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO II, 2004 definition).
An important issue at the top of the risk management activities is value creation. What creates a company’s value are vision, strategy, knowledge on how to commercialize ideas, innovation, implementation, managers’ and employees’ attitudes, and decisions influencing specific value sources and drivers. To create shareholder value, a company has to take on the right risks, retain them, and manage them within its boundaries. The major risk management activities here are as follows (Antikarov 2012):
• Identify the strategic risks associated with each strategic alternative and select the strategy with the best risk/reward characteristics.
• Build and apply strategic flexibility/agility to take advantage of new strategic opportunities and protect against materialized strategic risks.
• Build and apply operational flexibility and resilience to manage ongoing business environment volatility.
• Build and apply financial flexibility allowing the company to survive, execute its strategy, and not transfer ownership during periods of financial distress.
• Build full risk assessment into the performance evaluation of existing businesses and the corresponding rewards and compensation of management and employees.
• Build full risk assessment into the evaluation, ranking, and selection of new investment projects.
In Exhibit 33.1, we display the general framework of the methodology we use for the analysis of the case study. We will present the status of ERM implementation in Poland relating to the four stages of risk management maturity described by Purdy (2010): increasing levels of maturity for (1) management of specific risks, (2) the approach to risk driven by governance, (3) risk management driven by the changes within the organization, and (4) the integrated approach. In the applied methodology, the characteristics proposed by Antikarov (2012) fit more or less to Purdy’s “Integrated” stage 4 shown in Exhibit 33.1. Exhibit 33.2 displays the main components of risk management proposed by ISO 31000.
MAIN ISSUES IN POLAND’S ERM IMPLEMENTATION
There are many issues faced by companies in Poland in the process of ERM implementation. The main systemic natural obstacles are:
• There has been little attention paid to ERM among nonfinancial sectors, although the level of interest has slowly increased since 2004, approaching the highest interest around 2009 to 2011.
Exhibit 33.1 Risk Maturity Levels Used in Methodology
Vertical axis: Efficiency of Risk Management Process (Returns/Effort). Horizontal axis: Degree of Integration of Risk Management, Extent of Accountability. Efficiency rises from Stage 1 to Stage 4.
Stage 1, Risk Specific: Different types of processes for different types of risk. Risk categorization is largely consequence based. Attempts to integrate measurement. Negative perception of risk. Terms hazards, risk, and threats are used interchangeably. Risk is seen as harm, loss, and detriment. RM is closely linked to insurance.
Stage 2, Governance Driven: Risk is motivated by reporting. High-level risk assessment is stipulated by reporting requirements, normally only once or twice a year. Risk measures vary according to types of risk. Risks are seen as events, mostly with negative consequences. There are inconsistent approaches for managing different types of risk.
Stage 3, Change Driven: Risk is associated with management of change. RM processes are separate but are invoked by the decision-making process. Risk is driven by a performance-based standard. Risk is seen as the effect of uncertainty on objectives. Uniform system for analysis of most types of risk.
Stage 4, Integrated: Risk is implicit in all decision making. RM processes are integrated into key organizational processes. RM is integral to the system of management. RM is culturally driven by a performance standard. Risk is seen as the effect of uncertainty on objectives. Effective RM leads to resilience and agility.
Source: G. Purdy, “How Good Is Our Risk Management? How Boards Should Find Out,” Risk Watch, Conference Board of Canada, December 2010.
Exhibit 33.2 ISO 31000:2009 Relationships between Principles, Framework, and Process
Principles (Clause 3): a) Creates and protects value; b) Integral part of all organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured, and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative, and responsive to change; k) Continual improvement of the organization.
Framework (Clause 4): Mandate and commitment (4.2); Design of framework for managing risk (4.3); Implementing risk management (4.4); Monitoring and review of the framework (4.5); Continual improvement of the framework (4.6).
Process (Clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk assessment (5.4), comprising Risk identification (5.4.2), Risk analysis (5.4.3), and Risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6).
Source: ISO 31000:2009.
• There are few domestic companies that can be used as examples of good ERM and as a benchmark for the Polish business community. In other words, there are few examples that can be used as good references regarding risk management matters such as financial results, reports, management discussion and analysis (MD&A), and communication of risk within the investor relations process.
• There has been a relatively short time for gathering experience from companies on ISO 31000 implementation; only two years have passed since the publication in March 2012 of PN-ISO 31000:2012, Risk Management—Principles and Guidelines. The Polish Committee for Standardization reports that there is interest in ISO 31000, but there are common misunderstandings of what ISO 31000 really is. One of the examples is in using the term risk mitigation instead of modification or treatment. Also, there is no guidance on ISO 31000 in the Polish language. These translation issues are delaying adoption of various guidelines because all those activities need sponsorships for funding. The same holds for risk management books; some of the classics, such as works by James Lam, are not translated into Polish, and this is blocking widespread practical knowledge on ERM. Any meaningful guidance remains within the advisory services industry, with no guarantee that risk management is done coherently or correctly with the approach prescribed by ISO 31000. In contrast, Australia and New Zealand have had more than 17 years of experience with standards of risk management, and there are many publicly available guidelines being applied by public and private companies in those countries, creating stronger fundamentals there as compared to in Poland. That is what we can call the “experience gap.”
• There are very few domestic experts in Poland who have had the opportunity to implement ERM as a real change management process instead of a governance-driven one. There are few companies interested in building the value of the company through effective risk management. However, there are some ERM implementations in Poland in logistics, energy, oil, gas, telecommunication, mining, insurance, and the public sector. Risk management becomes a more important topic due to investors’ requirements in the construction industry and the European Union directives for the railway industry.
• The POLRISK Risk Management Association needs further development in order to become a strong, recognizable body for legislative initiatives related to governance and risk management for the good of the business community. In Polish enterprises there is a need for building the risk manager profession, which would have to be built almost from scratch. The issue of the scope of duties of a risk manager is often discussed in the European forum because a risk manager’s responsibilities are perceived differently from country to country. In the FERMA bylaws the responsibilities of the risk manager are not addressed, but FERMA is considering covering that issue in the requirements for the certification of risk managers. This all presents big challenges to the harmonization of educational programs with expected skills for risk managers in European countries. When this is done, it will be a big step in the promotion of the profession and risk management itself in Poland and elsewhere in Europe.
• MBA programs and higher education in Poland do not include enough enterprise-wide risk management topics. There are one or two exceptions of postgraduate studies including ERM standards. One way to promote ERM is to integrate ERM studies with strategic management and value-based risk management courses and executive MBA programs.
• The tradition of risk management became broken under the various socialist economic systems between 1945 and 1991. For example, there are at present only a few captive insurance companies in Poland. Before World War II, there were around 300 captives and mutual insurance companies. The use of such risk management techniques by many organizations was an important part of the culture then relating to managing risk. Risk managers in international companies are now managing captives together with coordinating ERM. We are in the process of rebuilding the number of captives and that culture. The POLRISK Risk Management Association also supports this process.
Apart from the aforementioned systemic issues in Poland, there is also confusion among proponents of ERM in Poland about what are regarded as weaknesses of the ERM concept itself, concerning the tools, models, terminology, publicly available materials, and articles. Examples of concerns are:
• In most of the cases, the risk matrix or heat map does not show the efficiency of controls.4
• There is also a lack of references to or use of historical data or simulation as justification for the respective risk level to support decision making. Greater use of actual data is considered necessary to assure a high quality of risk management.
• There seem to be two schools of holistic risk management currently struggling with each other on the pros and cons of the setting of risk appetite or concepts like inherent and residual risk.
Due to a lack of understanding by those involved and the apparent confusion over the foregoing concepts, these differences do not help the followers of ERM, because in many cases they are not able to clearly and convincingly explain or translate those different concepts into decision-making processes and value creation. Problems arise if executives who are trying to properly understand ERM are asked to explain why the concept of risk appetite is needed. Executives, managers, and directors expect a clear message about whether this exercise with ERM can increase performance, reduce costs, optimize margins, or make good decisions on current resources and capital allocation. All of these issues, both at the international level and at the local level, only confirm that ERM as a concept is itself still not stabilized or not ready to be used. As a result, managers we have spoken with indicate that they are not going to implement ERM because of these problems.
Risk management terminology, principles, frameworks, and processes in Poland are orientated primarily toward either internal controls or governance.
Some companies are making efforts to influence value via risk management. ERM is viewed by managers in Poland as an optimizing activity in achieving objectives and therefore is perceived as integrally related to strategic management. The major question stated by practitioners in Poland is: “What is the real added value of ERM?” The partial answer to that question can be obtained by referring to the meaning of good performance or good execution of strategy and goal achievement. In Exhibit 33.3 we offer an answer in the form of comparative statements of good practices of the execution and performance of the strategy applied from classic books on the topic. ERM is frequently commented on by Chartered Institute of Management Accountants (CIMA)-designated experts, CEOs, CFOs, financial controllers, and other top managers as something they are already doing, which they perceive as:
• Strategy development and its execution by risk management
• An idea that is perhaps worthy to apply and utilizes various risk criteria focused on efficiency and performance or risk controlling as part of business controlling
Using three of the best books on strategy execution (Kaplan and Norton, Bossidy and Charan, Welch) and one on performance (Peters and Waterman), we put together the comparative statements indicating some ideas and sources of ERM principles being used in management mainstream practice and literature. Since many Polish executives refer to these books, ERM must be shown in the light of which practices should be part of a company’s management framework, as is also recommended in ISO 31000. Exhibit 33.3 shows the relationship between ERM concepts and strategy execution and performance.
From these comparisons, there are important conclusions that may be applied to the case study of ERM in Poland. Suboptimal efficiency of management may result from the fact that ERM is a missing link between strategic management (SM) and value-based management (VBM). Selling ERM in isolation from strategy and value-based management creates a risk of unsuccessful ERM implementation. Selling the triple package of SM, ERM, and VBM together and creating the adequate educational program increase the chance that the value proposition related to ERM will be accepted by the boards of directors at enterprises in Poland.
Moreover, in the view of Polish CFOs and CEOs, a properly defined strategy is in fact a reflection of a new or updated arrangement of a company’s capital and assets/resources allocation. Therefore, the risk management function must be close to strategy and produce a strategic portfolio of initiatives, programs, projects, and processes. Thus the reporting line of the risk management department should always be where decisions are made on capital and resources allocation—that is, in the strategy department or in CFO-managed business units such as value-based financial controlling and budgeting (i.e., operating expense [opex] and capital expenditure [capex]). If these functions were supported by various tools applied for risk assessment, monitoring, and modeling, then most of the CEOs and CFOs would be interested in applying such approaches in their daily management practice.
Exhibit 33.3 Comparative Statements of Good Practices in Strategy Execution and Performance

Robert S. Kaplan and David P. Norton, The Execution Premium (2008):
Management system linking strategy to operations:
1. Develop the strategy (strategic analysis, SWOT, risk assessment of strategy, how best to compete). Here we should know at least the type of strategy and the related risk. Risk taking is related to the type of strategy and its flexibility in Michael Raynor’s (2007) sense: low cost, differentiation, diversification.
2. Plan the strategy (strategy maps—links with risks. How we measure our plan: setting objectives—basis for risk assessment of the objectives, stress testing of assumptions, strategic projects, programs, portfolios, initiatives, who will lead execution of strategy?). Establish the context. Here is a place for risk limits (appetite) and tolerances against targets in the strategic plan.
3. Align the organization (it is in fact the “design of risk management framework” and “establish the context” phases of the risk management process in ISO 31000).
4. Plan operations (and include the risk management plan).
5. Monitor and learn (is our strategy working? isn’t it too late?). These questions should be asked first at the “develop the strategy” phase (will our strategy work? are assumptions credible? is our strategy feasible?). Similar to monitoring and review in ISO 31000.
6. Test and adapt (that is, what should result from the “monitoring and review” phase). (Continuous improvement in ISO 31000—part of the framework.)
What is missing? Principle (d) from ISO 31000—RM explicitly addresses uncertainty.

Jack Welch, Winning (2005):
Strategy is a game, vital, dynamic. No scientific approach to strategy is needed; overloading strategy with science is unproductive. Jack Welch defines strategy as “allocation of resources”; “strategy is what remains after removing big words related to it.” “Strategy is making choices on how to be competitive. (As for strategy, you should think less and act more. In other words, this is again about execution.) Strategy is simple—you choose a general destination and pursue it with your best effort.” Forget about scenarios, plans, whole-year research and 100-page reports, recommendations, and so on. To be number one or two in each industry—to reach this goal you have to repair/restructure, sell, or close the companies.
Three stages of strategy execution:
1. Elaborate the big idea—Big Hairy Audacious Goals (BHAGs) for business, smart, realistic, feasible, a relatively quick way of generating competitive advantage.
2. Assign the right people to the right tasks to succeed with implementation of the idea. (We could say: to the right risk management framework, and pay key attention to the “establish the context” phase as in ISO 31000.)
3. Continuously and with persistence seek the best methods of implementation of the idea, adapt it, improve it—in the company or outside of it. (Continuous improvement in ISO 31000—part of the framework.)
What is missing? Principle (d) from ISO 31000—RM explicitly addresses uncertainty.

Larry Bossidy and Ram Charan, Execution (2002):
Execution: Three core processes of execution of any business:
1. Strategy process—link people and operations. Strategy review.
2. Operations process—link strategy and people.
3. People process—link strategy and operations.
Three blocks of execution:
1. Seven essential behaviors of leaders: Know your people and your business. Insist on realism. Set clear goals and priorities. Follow through. Reward the doers. Expand people’s capabilities. Know yourself.
2. Framework for cultural change—operationalizing culture: Behaviors are beliefs turned into action (principle a); reward performance (compare Lam [2003]—“Pay for the performance you want”); allow robust dialogue. Behaviors deliver the results. Social software of execution: leaders get the behaviors they exhibit and tolerate.
3. The job a leader should not delegate—having the right people in the right place.
All of the above are risk management framework activities as in ISO 31000 if looked at from a risk perspective and the implementation of the process. We also see the risk management principles “add value, include human and cultural factors.” What is missing? Principle (d)—explicitly addresses uncertainty.

Tom Peters and R. H. Waterman Jr., In Search of Excellence (1982):
• A bias for action, active decision making—“getting on with it.”
• Close to the customer—learning from the people served by the business.
• Autonomy and entrepreneurship—fostering innovation and nurturing “champions.”
• Productivity through people—treating rank-and-file employees as a source of quality.
• Hands-on, value-driven—management philosophy that guides everyday practice—management showing its commitment.
• Stick to the knitting—stay with the business that you know.
• Simple form, lean staff—some of the best companies have minimal HQ staff.
• Simultaneous loose-tight properties—autonomy in shop-floor activities plus centralized values.
(All of the above can be seen in the principles of risk management and the framework scope, and have to be tailored in establishing the context at the risk management process and framework level.) What is missing? Principle (d) from ISO 31000—RM explicitly addresses uncertainty.

Source: Author’s research, S. Pijanowski.
BOARD PERCEPTION OF ERM: “WE HAVE TO CHANGE THE WAY WE RUN THE BUSINESS, BECAUSE LACK OF ERM CREATES INEFFICIENT MANAGEMENT”
In program and project management terms, ERM is, in fact, change management or an organizational change project or program. So the board, ideally, should be the first catalyst for change, instead of any lower level of management. Our experience shows that an attempt by middle-level managers to convince board members about ERM is not effective and can create, to some extent, a misunderstanding, as we show next. The critical thing here is to see who the messenger is. It should be the CEO who raises the need, or it could be the board of directors, or the audit committee in a supervisory board representing the interests of owners or key stakeholders. As for any conviction, this may happen first informally in terms of bilateral talks between one board member and an “n – 1” manager (“n” means board level). Then if there is trust and proper understanding by the board member, the senior executive may be able to explain ERM to the board member and have him or her promote the idea at the board level. A misperception of ERM by boards in Poland, especially in highly regulated industries such as energy, mining, or telecommunications, can be summed up in one simple sentence: “I won’t sign anywhere formally that I know about any risks and that I continue managing the company, or a functional area, despite the identified risk.”
Let us examine examples of how ERM concepts might be communicated and how the board may misunderstand what is intended:
• Telling the board how it should manage risk, as, of course, it is highly probable that such a message will be rejected. The board believes that it is already hired to oversee the management of the organization, including its risks, and to achieve appropriate results. If there is a better system than what is applied now, we have to be ready to show how much the financial results will change by using it.
• Saying to the board that the current motivational system should be changed to include rewards not only for performance but also for risk treatment methods that should lead to better performance.
• Saying to the board that management should identify which of the top management staff are the primary risk owners for each major risk. The directors already feel that they are responsible for the results or performance, so the nomination of a risk owner is perceived to some extent as a redundant activity. If responsibility has already been assigned for performance, what else needs to be done?
• Saying to the board that the current decision-making process could be better if risk assessment techniques were used to support decision making. This could be interpreted as saying, “I could tell you, as an ERM follower, how to make better decisions.” This could be risky.
• Saying that current coordination processes of various parts of the company are not optimal (e.g., that higher costs are being incurred from having separate insurance for individual areas of the organization), and that some solutions optimize costs but generate other risks.
• Saying that the current strategy execution could be better and also the budgeting process (including capital allocation).
• Saying that one risk champion will overview what other top management staff are doing.
• Telling the board that they have to commit to what they are already obliged to do by signing off on the policy of risk management.
• Telling the board to change the managerial information and reporting to include risk profiles and risk assessments.
• Telling the board to change the culture, or even the corporate identity, in order to allow mistakes and failures and thereby to learn from the past, and to openly speak about risks. Would this mean the board should tolerate staff making mistakes twice or tolerate incompetence among the staff?
These examples of the challenges of communicating with boards when seeking to implement ERM are based on what we have experienced in practice. If someone presenting ERM concepts communicates them in the wrong way to the board, such as: "I know better," "You manage inefficiently," "You could do it better," "I would like to criticize how you manage the company," or "You are not competent," thus giving the message that the board is managing the company poorly because it does not have ERM in place, this is highly risky. Therefore, good preparation and use of properly worded arguments are critical to avoid such perceptions, regardless of whether the messenger is a consultant or an "n – 1" director or manager. When anyone who is suggesting using ERM is on a lower level than the executive board, all of the foregoing questions arise and can be mental blocks. Let us see now in more detail who in Poland is usually getting management to buy in.
WHO IS GETTING MANAGEMENT BUY-IN FOR ERM?
The ERM implementation activities in Poland are mainly driven from the following sources:
• Governance stimulation, such as a supervisory board (board of directors) recommendation, governance (stock exchange), or audit good practices committees. For public administration units, the Public Finance Act states that there is an obligation to include risk management as part of managerial supervision.
• POLRISK Risk Management Association, since the beginning of its existence.
• Internationally operated brokers in Poland.
• Risk management consulting companies.
• The companies themselves or head offices of international companies that are operating as subsidiaries or affiliates in Poland.
Our survey of 100 POLRISK members showed that a lot of interest in ERM in Poland is generated by various specialists or senior experts related to business continuity management, information technology (IT), physical security, operational risk, project risk management, internal audit or internal supervision from the commercial and public sector, internal control, and legal attorneys, but rarely pure insurance managers. Some board members or directors showed interest, but not many. Professional consultants who participated in POLRISK discussion panels or workshops told us that they had problems with communication and explaining ERM concepts to the boards.
We decided to explore the challenges of communicating with boards, and after discussions with executives it appeared that the key aspect is the context in which ERM is presented. We have identified that problems with executive communication are related to two main personality profiles in business. The first is that it is difficult or almost impossible to be both a good manager and an expert in the subject matter simultaneously. Why? The main difference is how decisions are made: The expert needs almost 99 percent certainty to give a recommendation on a specific solution, system, or expertise. In turn, the manager operates and makes decisions with more uncertainty involved; it does not matter if there is 60 percent certainty or 80 percent certainty. The point is that this substantial difference requires the development of different skills.
The decision of an individual to pursue or develop a career toward being a highly skilled executive or an effective manager means resignation from being an expert, which in turn means also abandoning the expert's mentality and way of making decisions. And when in corporate reality those two mentalities meet on boards, audit committees, or any executive meetings, those differences arise and are reflected in attitudes, wording, and beliefs. For managers, the uncertainty of making decisions is normal; they may even pursue it. Experts, however, when talking about uncertainty while presenting ERM, use terms like "mitigate" or "avoid" risk in a different context. They are not decision makers, so they do not understand that anyone who makes important business decisions accepts that there are regulators, audits, internal competitors, and the like who may second-guess the decisions of any given manager.
Therefore, the pure concept of documenting all assumptions, risk analysis, and consequences of decisions seems to be ERM utopia, as no manager would like to deliver any formal evidence or proof to potential corporate enemies or competitors that the decision was made despite high risk, because this may later be easily judged as incompetence and could be used to terminate the manager's contract immediately. So, paradoxically, not documenting everything is in fact the behavior of good personal risk management. This we know from several very experienced managers we interviewed. Why are we saying this? The reason is that ERM buy-in is often promoted (we assume this is the case not only in Poland) by experts or consultants rather than by pure managers, and hence problems with communication, mentality, and business justification arise. The manager is bold, risk taking, and brave by nature, whereas the expert is more risk averse, cautious, circumspect, and risk avoiding by nature.
This is a paradox. ERM is often suggested and promoted by experts who do not like to take risks and are not making important decisions. Successful ERM has been driven by CFOs or CEOs who are passionate about ERM; we directly know that this is the case. So perhaps awakening a passion for risk management in CEOs or CFOs is the right way to go. When we include the differences in experience of both groups of professionals, it is very hard to find a common understanding even on an interpersonal level, excluding knowledge of risk management itself.
SPECIFIC CHALLENGES AND OBSTACLES OBSERVED IN RISK MANAGEMENT
In this section, we describe key issues within the risk management domain that we identified during our study, obtained during interviews with managers, and gathered on specific topics (for example, risk appetite) from various risk management experts.
Terminology
Authors of both scientific and business literature seem to exhibit little discipline in using the same terminology about risk consistently. Terms such as information, noise, uncertainty, risk, ambiguity, threat, hazard, opportunity, vulnerability, exposure, consequence, and strengths are examples of where we observe a lack of precision in definitions. What we observe (not only in Poland) is mixing the meaning of threat with risk, and showing risk as the opposite of opportunity instead of threat as the opposite of opportunity. This issue directly influences practitioners' perceptions of and approaches to ERM. Another example is the hypothesis of informational efficiency of a capital market, which has a lot to do with investors' risk management and their evaluation of companies. The efficient market hypothesis (EMH) does not have a precise definition of what information is (see Pijanowski 2005–2006), and that is why the hypothesis is called unsolvable, but when we define parameters of information and uncertainty, it can be solved in a convincing way.
Moreover, we have observed that the current inconsistencies and ambiguity regarding the term risk appetite cause directors not to buy into the ERM concept because it cannot be properly explained or justified by its followers.
Principles
If we look at the implementation of ERM in Poland, we see that risk is not part of key managerial decisions, despite a risk management policy being formally agreed upon. The only decision regarded as relating to risk is to comply with the law (i.e., “We have to do it, so we must do it”). We know several cases where one consulting company corrected the other consulting company’s frameworks. Our conclusion is that ERM is often sold in isolation from strategy and value-based management.
Risk Management Frameworks
Our experience shows that ERM processes in Poland, mainly frameworks, policies, procedures, and methodologies, are mainly governance driven. There are of course some exceptions, and in the energy sector it has been identified that there is a company that makes an effort to increase its value through effective risk management.
Writing a risk management policy is relatively easy. Typically, the policy is combined with a risk assessment methodology. The main framework that is used in Poland is COSO 2004—almost always fully used by the public sector. We can say that it is an auditor-based view of risk management. Some companies use the MoR (Management of Risk) Framework (UK Office of Government Commerce), some became interested in ISO 31000, some frameworks were developed and delivered by consulting companies, and some were elaborations of the company’s own framework as based on various aspects from the different frameworks just mentioned.
Risk Owners
After the relatively easy part, writing some documents, the execution phase starts. What are the typical challenges during the execution phase? In an ERM implementation in which we participated, confirming the risk owners was one of the first challenges, as business managers perceived being a risk owner as an unfavorable label in the company. For example, a billing process owner did not understand that he should be a risk owner since he managed the budget and had targets and goals related to the billing process. The billing process owner did not want to be a risk owner for political reasons: he did not like to be associated with IT billing system problems, and he postulated that the head of IT should also be a risk owner. This is an example of a typical silo-based approach. For middle- or high-level managers, being a risk owner looks like a dangerous role. Finally, after discussions that confirmed that he had the budget to influence the process, and by referring to the risk management policy, he had to agree, but he was not happy with the new responsibility. So perhaps it is better to call the role a risk management leader, risk coordinator, or risk manager, rather than a risk owner.
Organizational Placement of ERM
Another topic that we explored was the organizational arrangement of where the risk management function or department should be placed. Our research showed that typically the function either was within the internal audit department, the internal supervision department, or the insurance department, or was a direct report to the CFO. The way it appeared was as though one was chasing people to get them to perform risk management (legal, internal control, insurance, etc.). Almost nobody wanted to be responsible for ERM, as it was treated as a new scope of responsibilities with compensation remaining at the same level.
The Influence of the Size of Organizations
We observed that the nature of risk management frameworks in medium-sized companies could be different than for larger companies. Board members of medium-sized companies told us that silo-based thinking was not an issue in many medium-sized companies as there are simply no silos. Executives also asked, “What is the business case for risk management in medium-sized companies?”
When we explored the matter in more detail, it was evident to us that integration was not the main issue; instead the lack of managerial information on margin or profitability of various projects and contracts was really the issue, as well as what to write in tender offers about how the company manages risk of customer demands (for example, investors expect it from vendors in the construction industry) and vendor credibility before making decisions. We have to be aware not to provide arguments on ERM benefits like integration of various risk treatment activities in medium-sized companies, as they may not be as applicable for those companies as for big companies.
Risk Management Process
Risk identification is one of the key steps of the risk management process. We explored how people describe risk and found that a lot are confusing threat with risk or mixing up other risk terminology. When we looked into how people describe risk, we found that the risk description being used in companies is not a real risk description at all. There are a lot of risk registers with no risk information but rather only threat or vulnerability descriptions that are understandable only to the person who wrote them (almost 95 percent of the cases we checked). People are rating risks without explaining why, or without justification of what supports making decisions and what does not. The Statement of Context5 is not present, which would help readers to understand why specific risk criteria have been set. Almost nobody is aware that the Statement of Context is one of the deliverables of the “establish the context” phase of the risk management process in ISO 31000.
The reason for this is that there is no proper guidance on how to describe risk properly in the absence of risk management implementation guidelines. Due to this lack of more detailed guidance, despite being interested in ISO 31000, corporate representatives have problems with understanding it, resulting in a poor opinion of the ISO 31000 standard in Poland. Unfortunately, ISO TR 31004, produced by the ISO/PC and the ISO/TC 262 Working Group in its final version, does not fulfill this requirement; therefore, we will have to elaborate on it on our own with the support of international experts who really know ISO 31000 and how it should be implemented.
If we have no good guidance on risk management and there are no volunteers to take responsibility for promoting ERM, we will have to create the right profession and professionals to deal with risk. When we looked into the formal professions registry of the Social Policy and Labor Ministry in Poland for job position lists that include risk in the name, we found only underwriter, translated as a risk management specialist and an appraiser of a company's risk. That leads us to the conclusion that is the title of the next section: we have to build the chief risk officer (CRO)/risk manager profession from scratch.
WE HAVE TO BUILD THE CHIEF RISK OFFICER/RISK MANAGER PROFESSION FROM SCRATCH
In 2009, the POLRISK Risk Management Association board asked its office assistant to contact 253 companies by phone, including 77 percent associated with the Polish Association of Listed Companies on the Warsaw Stock Exchange (WSE), to inquire about whether they had a risk manager who potentially could join the association. We wanted to diagnose the awareness and needs related to risk management in Poland, primarily among listed companies on the WSE. The results of these phone interviews are as follows. Thirty-three (13 percent) of the companies did not want any further contact. The main reasons were that they were not interested because they did not have risk managers, they were not interested at all, they received from their head office a strategy already written and ready to implement ("We receive strategy out of the box"), they were just tired of receiving various training offers, and the like. In a few cases it was mentioned that "Risk management is outsourced." The most interesting example from a global company was: "Risk management is at the discretion of the head office." Only 11 companies out of 253 (4.3 percent) declared potential interest in joining the POLRISK Risk Management Association.
This is perhaps not fully representative research on the perception of risk management in Poland, but it shows, together with other surveys, that we have to build the risk manager profession in Poland from scratch. Of course, this conclusion does not apply to financial risk managers holding the PRM (Professional Risk Manager, Professional Risk Managers' International Association [PRMIA]) designation or the FRM (Financial Risk Manager, Global Association of Risk Professionals [GARP]) designation. More than 1,000 people in the financial industry are so certified in Poland.
After the intensive telephone interviews, we changed the strategy for increasing the POLRISK membership. POLRISK, after two years of pilot risk management courses, confirmed that there was an interest in risk management professional development, and now it is updating the program scope of knowledge necessary for risk managers and chief risk officers, who will be expected to present a holistic big picture of the company's risks. Fortunately, we will also join the FERMA certification of risk managers project, like the other European associations that are members of FERMA.
When we showed one example of a mature ERM implementation in North America, one of the Polish managers told us that ERM promoted by middle-level managers looks like "a cry for help" from those who would like to be recognized at the board level. Many risk management group discussions on LinkedIn only confirm that statement. This is the most radical but real opinion on ERM we have ever heard. Again, this was a lesson for us; we, as a community, have to be well prepared to know what specifics strictly belong to ERM and how it can be integrated with strategic and value-based management.
WHAT NUMBERS SAY ABOUT ERM MATURITY
One of our surveys showed that about 2 percent of the companies were willing to implement ERM in 2006, and this increased to around 12 percent in 2010. However, most of the companies that have implemented ERM have fewer than 250 employees. Only 2 percent of companies with more than 250 employees had implemented ERM by 2010. This shows that Polish companies are still at the beginning of the ERM journey.
The survey in 2006 was based on the information obtained from about 100 companies and in 2010 the information was collected from about 300 managers. The ERM implementation was divided into six stages, where stage 0 means no ERM and stage 5 means ERM is an integrated system. The characteristics of all stages are described as follows:
• No functions, organizational structure, or analytical tools are in place to be available for ERM, and there are no plans to implement ERM. (Phase 0: No ERM)
• There are some initial preparations toward ERM implementation. (Phase 1: ERM Introduction)
• There exist selected tools and instruments in the analytical area applied for ERM. (Phase 2: ERM Analytical Tools and Instruments)
• There are some functions, processes, procedures, and tools implemented for ERM. (Phase 3: ERM Functions, Processes, and Tools)
• There is a mature infrastructure applied to risk management, but an integrated ERM system, which would be heading toward the holistic approach, does not exist. There are plans to develop the existing infrastructure toward an integrated ERM system. (Phase 4: ERM Mature but No Integrated System)
• There is an integrated system of ERM. (Phase 5: ERM Integrated System)
In Exhibit 33.4, we display in graphic mode the stages of ERM implementation in Poland and their major characteristics.
Exhibit 33.4 Stages of ERM Development (diagram: the six phases, Phase 0 No ERM through Phase 5 ERM Integrated System, each labeled with the characteristics listed above, arranged along "The direction of more advanced models of ERM in Poland"). Source: Author research, Z. Krysiak.
Exhibit 33.5 reflects the advancement of ERM within the companies in Poland in 2006. About 42 percent of the enterprises were not applying any type of ERM, and none of them had an ERM integrated system. Only 2 percent of the enterprises had mature ERM systems, 23 percent were in the introductory phase, 8 percent had available analytical tools, and 25 percent had implemented ERM functions, processes, and tools.
Exhibit 33.5 Stages of ERM Development in 2006 in Poland (pie chart, "What is the stage of the ERM development? : 2006": Phase 0 No ERM 42%; Phase 1 ERM Introduction 23%; Phase 2 ERM Analytical Tools & Instruments 8%; Phase 3 ERM Functions, Processes, and Tools 25%; Phase 4 ERM Mature but No Integrated System 2%; Phase 5 ERM Integrated System 0%). Source: Author research, Z. Krysiak.
Exhibit 33.6 reveals the advancement in ERM within the companies in Poland in 2010. We observed that from 2006 until 2010 there was significant progress in the advancement of ERM implementation. An integrated ERM system was present in 12 percent of the companies versus 0 percent in 2006. We observed as well that in 2010 more enterprises (4 percent) had switched to mature ERM, compared to the 2 percent in 2006. In 2010, about 40 percent of the companies still were not engaged in ERM, which is very close to that observed in 2006 (42 percent). The advancement in ERM was made basically by the group of companies that in 2006 had started the process.
Exhibit 33.6 Stages of ERM Development in 2010 in Poland (pie chart, "What is the stage of the ERM development? : 2010": Phase 0 No ERM 40%; Phase 1 ERM Introduction 20%; Phase 2 ERM Analytical Tools & Instruments 4%; Phase 3 ERM Functions, Processes, and Tools 20%; Phase 4 ERM Mature but No Integrated System 4%; Phase 5 ERM Integrated System 12%). Source: Author research, Z. Krysiak.
Exhibit 33.7 Appointment of CROs in Polish Companies (two pie charts, "Did the Enterprise appoint a CRO?": 2006, Yes 24%, No 76%; 2010, Yes 22%, No 78%). Source: Author research, Z. Krysiak.
RISK MANAGEMENT FRAMEWORK—ACCOUNTABILITY
In Exhibit 33.7, we show how many Polish companies have appointed a CRO. The responsibility for leading the risk functions in the company, as measured by appointing a CRO, was reported by 24 percent of companies in 2006 and 22 percent of companies in 2010. Approximately 80 percent of the companies did not see this as an important issue. In later research (i.e., the Polish Edition of the Aon Global Risk Management Survey), the existence of a risk management department or a CRO was reported as 29 percent in 2011 and 25 percent in 2013.
In Exhibit 33.8, we show who was appointed with the CRO responsibility. For 2010, the CRO function was performed in about 81 percent of the cases by financial directors versus 43 percent in 2006. This shows that the responsibility of a CRO is moving to a more appropriate level, and that enterprises are recognizing the importance of ERM. The same scope of research in the Polish Edition of the Aon Global Risk Management Survey showed that if there is no risk management department in companies operating in Poland, then the CEO and CFO are the key job positions responsible for ERM; that is: CEO in 2009, 30 percent of answers; in 2011, 39 percent; and in 2013, 34 percent; and CFO in 2009, 30 percent; in 2011, 52 percent; and in 2013, 31 percent. These results were different from the Global Edition of Aon's survey; that is, the CFO was the key role in 35 percent of the cases versus 25 percent for the CEO in 2013. In turn, if companies have a risk management department in Poland, the role of the CFO is the leader both in the Polish Edition and the Global Edition of the Aon survey. The answer to the question "To whom does the Risk Management Department report?" was that RM reports to the CFO/treasury as follows: in 2009, 45 percent; in 2011, 42 percent; and in 2013, 51 percent.
Exhibit 33.8 Functional Managers Charged with the Responsibility of the CRO in Enterprises in Poland (two pie charts, "Who in the Enterprise has the responsibility of the CRO?": 2006, Financial Director 43%, Chief Accountant 20%, Chief Economist 5%, Financial Analyst 2%, Nobody 30%; 2010, Financial Director 81%, Chief Accountant 15%, Chief Economist 0%, Financial Analyst 4%). Source: Author research, Z. Krysiak.
IMPACT OF THE RISK ASSESSMENT TOOLS ON THE PERFORMANCE OF THE COMPANIES
The quality of risk management depends very much on the tools, analytical models, and resources available at the enterprise. This area was included in the research to find out how different risk and value measures and metrics are quantified, modeled, and used in the decision-making process during the creation and updating of the strategic planning and also the shaping of the overall ERM process. This study was based on approximately 100 companies in Poland operating in different businesses in several geographical markets, including international and global markets, and of different sizes. The criteria to diagnose the quality of risk management were:
• Type of methods used for the company valuation
• Application of discounted cash flow (DCF) analysis for project appraisal
• Utilization of Monte Carlo simulation
• Evaluation of investment projects supported with the real option method
• Assessment of the enterprise's default risk in both the short term and the long term
• Comparison of the dynamics in company value and its risk
• Estimation of the enterprise's losses due to risk realization
• Analysis study on the adequacy of the company's capital against the estimated risk
• Credit, market, and operational risk analysis
• Monitoring of the risk profile from different specific perspectives
• CRO functions and responsibilities
• Organizational and human resources dedicated to ERM
• Stage of the development of ERM within the enterprise
• Types of financial instruments and the scope of their applications to ERM
Based on these criteria, we evaluated the frequency and the quality of the practice of all issues related to the criteria. The evaluation led to our rating of the risk management quality in the enterprises. The rating was designed to be an integrated measure to differentiate the quality of risk management among the enterprises. This rating was related to the financial results to reveal the impact of ERM on company value. Proving a positive relationship between the rating of risk management and the enterprise value would provide a very attractive measure for the partial assessment of the risk management quality and the maturity of ERM.
Exhibit 33.9 Relationship between Net Income/Total Balance Ratio and Rating of ERM (Rating ≥9) (scatter plot, "Relation between (Net Income/Total balance) and Rating of ERM (≥9)"; x-axis: Rating, 9 to 19; y-axis: Net Income/Total Balance, 0% to 12%; fitted line y = 0.0055x – 0.0293, R² = 0.2223). Source: Author research, Z. Krysiak.
The relationship between the financial results and the rating of the risk management quality is displayed in Exhibit 33.9. The financial results are reflected by the ratio of net income to total balance. The regression in Exhibit 33.9 relates to the enterprises with high ratings equal to or over 9. We can draw the conclusion that high ratings showing good quality of risk management have a positive impact on the financial results. From the statistical point of view this correlation is not very strong (an R² of 0.2223 means the rating explains about 22 percent of the variation in the ratio), but as a practical matter it can be interpreted as positive. An improvement in the quality of risk management in the future should be observable as an increasing value of R². The high deviations of the financial results for the enterprises with the same ratings mean that the tools, models, instruments, and other technical resources in the process of ERM are applied in various companies with different final effects.
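The fit behind Exhibits 33.9 and 33.10 is an ordinary least-squares regression of the net income/total balance ratio on the ERM rating, run separately for the two rating groups. The script below is an added example, not the authors' research code; its SAMPLE data are constructed for illustration and are not the survey data, and the within-rating spread helper is an assumed way to quantify the "high deviations" the text refers to.

```python
"""Ordinary least-squares fit of a financial ratio on an ERM-quality rating,
split into the two rating groups of Exhibits 33.9 (rating >= 9) and 33.10
(rating <= 8). Added illustration; SAMPLE is constructed, not survey data."""
from statistics import mean

# Constructed sample of (ERM rating, net income / total balance) pairs.
# High-rating companies are placed almost on a line; low-rating companies
# scatter widely, mimicking the pattern the chapter reports.
SAMPLE = [
    (4, 0.02), (5, 0.12), (6, 0.01), (7, 0.15), (8, 0.03),
    (9, 0.03), (11.25, 0.04), (13.5, 0.05), (15.75, 0.06), (18, 0.07),
]


def ols(points):
    """Return (slope, intercept, r_squared) of y regressed on x.

    r_squared is the share of the variance of y explained by the line; the
    chapter's 0.2223 for the high group means about 22% explained.
    """
    xs = [x for x, _ in points]
    ys = [y for _, y in points]
    xbar, ybar = mean(xs), mean(ys)
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in points)
    syy = sum((y - ybar) ** 2 for y in ys)
    if sxx == 0:
        raise ValueError("all ratings identical: slope is undefined")
    slope = sxy / sxx
    intercept = ybar - slope * xbar
    r_squared = 0.0 if syy == 0 else sxy * sxy / (sxx * syy)
    return slope, intercept, r_squared


def split_by_rating(points, threshold=9):
    """High group (rating >= threshold) and low group (the rest)."""
    high = [p for p in points if p[0] >= threshold]
    low = [p for p in points if p[0] < threshold]
    return high, low


def spread_within_rating(points):
    """Max minus min of the ratio among companies sharing one rating (assumed
    measure of the 'deviations for the same ratings' the chapter discusses)."""
    by_rating = {}
    for rating, ratio in points:
        by_rating.setdefault(rating, []).append(ratio)
    return {r: max(v) - min(v) for r, v in by_rating.items() if len(v) > 1}


def fit_groups(points, threshold=9):
    """Fit each rating group separately, mirroring the two exhibits."""
    high, low = split_by_rating(points, threshold)
    return {"high": ols(high), "low": ols(low)}


if __name__ == "__main__":
    for name, (slope, intercept, r2) in fit_groups(SAMPLE).items():
        print(f"{name}: y = {slope:.4f}x + {intercept:.4f}, R^2 = {r2:.4f}")
```

Running it on the constructed sample gives an R² near 1 for the high group and near 0 for the low group; on real data the interesting check is whether R² for the high group rises between survey rounds, which is the signal the text proposes.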
In contrast, Exhibit 33.10 shows no relationship between financial results and the rating of risk management quality for the enterprises with ratings below 9. Additionally, Exhibit 33.10 shows that the deviations of the financial results for the same ratings are very high, which indicates that low ratings reveal a low quality of risk management.
Exhibit 33.10 Relationship between Net Income/Total Balance Ratio and Rating of ERM (Rating ≤8) (scatter plot, "Relation between (Net Income/Total Balance) and ERM Rating (≤8)"; x-axis: Rating, 0 to 9; y-axis: Net Income/Total Balance, 0% to 25%; fitted line y = 0.0018x + 0.0795, R² = 0.0046). Source: Author research, Z. Krysiak.
Exhibit 33.11 Frequency Distribution of ERM Ratings for High Ratings ≥9 (pie chart: rating 9, 21%; 11.25, 21%; 13.5, 21%; 15.75, 26%; >15.75, 11%). Source: Author research, Z. Krysiak.
In Exhibit 33.11 we show the frequency distribution of ERM ratings equal to or over 9. Exhibit 33.11 also demonstrates that the enterprises are in different stages of ERM implementation. The progress in the implementation of ERM tools for the companies with high ratings is quite evenly spread out. There are about 21 percent of the companies in each group with ratings of 9, 11.25, and 13.5. The rating of 15.75 was assigned to 26 percent of the studied companies, and 11 percent received ratings over 15.75.
The study of the more detailed financial reports for the companies with the high ratings, which was performed for the five years preceding the case study, indicates that the financial results of different types (i.e., from profit and loss, balance sheet, and cash flow statements) reveal increasing trends and low volatility over time. The enterprises with high ratings show consistency between the goals stated in the strategy and the execution of the strategy. The companies operating in international markets, and those with foreign shareholders, usually achieved high ratings. Based on the outcomes shown in Exhibits 33.9 and 33.10, we can draw the very rough conclusion that the criteria used for the evaluation of the quality of risk management in this case study are useful to obtain a good diagnosis.
CAPITAL ALLOCATION: A FREQUENTLY MISSED PART OF THE ERM FRAMEWORK AND RISK TREATMENT
One of the key issues in ERM is the allocation of capital based on the identified risks. The capital at risk or capital on risk (CoR) in financial institutions is called the economic capital and is estimated based on the value at risk approach (Jorion 2007). This capital should play an important role in protecting the enterprise against the default risk. The allocation of the capital for risk, based on the quantification of the potential risk impact, may be called a risk budgeting process. The ability to assess the capital based on risk may be perceived as a kind of maturity in the evolution of ERM. One of the important standards of ERM in supporting the development of the strategy is the identification of the most important risks (e.g., the top 10) out of the dozens or hundreds inherent in the enterprise's activities. From that perspective, the identification of risks and the quality of the budgeting process impact the accuracy of the estimated capital required.
Exhibit 33.12 Examples of Main Risk Sources to Be Covered by Capital on Risk (tree diagram: Capital on Risk (CoR) at the top, branching into Business Risk and Operations Risk, with 12 subgroups at the bottom: Control of Operations; IT Systems; Production and Logistic Infrastructure; Employee Relations; Market Risk; Business Events; Financial Factors; Credit Management; Regulatory Compliance; Service Competitiveness; Product; Capital). Source: Author research, Z. Krysiak.
The study of the risk profiles within the enterprises in Poland involved 36 types of different risks. These risks have been characterized by measures like the proba- bility of risky events, the exposure from risky events, and the level of control over risk drivers or risk sources. Exhibit 33.12 displays the classification of the studied risks. At the bottom there are 12 subgroups of risk. Each subgroup was further subdivided into three detailed risks, so that we finally obtained 36 specific risks.
The study was performed at the end of 2010 by obtaining information from approximately 300 managers from different types of companies. We think that a purely model-based approach to estimating the economic capital underestimates its value, because models do not consider decision makers’ perceptions of the risks. We assumed that managers, as the decision makers, have appropriate business understanding and that they provide substantial information about risk characteristics regarding all business processes. The collection of the data from the managers across the different businesses and functional areas of activity demonstrated an adequate knowledge about the risky events, the importance of particular types of risks, relationships between the risk outcomes, and the level of risk control. Based on this research, we determined the expected average risk impact across industries in Poland and the value of the economic capital.
Exhibit 33.13 shows the 10 most important risks and the level of control assigned to each risk. A level of control of 5 is the highest, while 0 means that no control is in place. The most important risks within the top 10 perceived by managers in Poland are shareholder and stakeholder relations, cost structure, and solvency and cash flow. At the very bottom of that list are investment projects’ strategy, business continuity and downtime, and fraud, theft, reliability, quality.
The research also confirms that communication and consultation with stakeholders is an important part of the risk management process in ISO 31000. We have to implement very efficient controls here, such as high managerial competencies
600 Implementing Enterprise Risk Management
Exhibit 33.13 Top 10 Risks in Enterprises in Poland in Respect to Level of Risk Control
Top Risks | Level of Risk Control
Shareholder and stakeholder relations | 3.80
Cost structure | 3.76
Solvency and cash flow | 3.53
Quality of products and services | 3.47
Products and services offered | 3.47
Credit capacity and creditworthiness | 3.44
Liquidity of funding sources | 3.44
Investment projects’ strategy | 3.40
Business continuity and downtime | 3.36
Fraud, theft, reliability, quality | 3.36
Source: Author research, Z. Krysiak.
and communication skills in order to properly manage board perceptions (see the 10 key points listed earlier in the section titled “Board Perception of ERM”).
The assessment of the probability of risks, exposures, and level of controls was used to calculate expected losses, as presented in Exhibit 33.14, which afterward served to calculate the capital on risk. Based on the data obtained from the study, the expected value of the capital on risk should be three to five times that of the net income (NI).
This implies that by increasing the equity by the value of capital on risk, which should be invested in liquid and risk-free assets, the return on equity (ROE) would be reduced. Assuming that current ROE equals 20 percent, the return on risk-free assets equals 5 percent, and there is no change in the net income, then increasing the equity by between three and five times NI would drop the ROE to between 14.5 percent and 12.5 percent, respectively. The other consequence is a change in the structure of the capital, which potentially could increase the weighted average cost of capital. The risk inherent in the enterprise is not cheap. This example shows that, on one hand, an enterprise pays approximately one-quarter of ROE, but on the other hand, this expense could save the enterprise in case one or more risk events materialize.
Exhibit 33.14 Top 10 Risks in Enterprises in Poland in Respect to Expected Losses
Top Risks | Value of Expected Losses in Relation to Net Income
Cost structure | 0.14
Management of malfunctions | 0.14
Business continuity and downtime | 0.13
Liquidity of funding sources | 0.12
Account receivables | 0.12
Fraud, theft, reliability, quality | 0.12
Solvency and cash flow | 0.12
Shareholder and stakeholder relations | 0.11
Management and responsibilities | 0.11
Products and services offered | 0.10
Source: Author research, Z. Krysiak.
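The ROE figures in the preceding paragraph can be checked with the following derivation, which is added here as a worked example and is not part of the chapter. It assumes (our reading of “no change in the net income”) that operating net income $NI$ stays fixed while the capital on risk, $k$ times $NI$, is held in risk-free assets earning $r_f$; $E$ denotes current equity and $ROE_0 = NI/E$ the current return on equity.

$$E' = E + k\,NI, \qquad NI' = NI + r_f\,k\,NI$$

$$ROE' = \frac{NI'}{E'} = \frac{NI\,(1 + r_f\,k)}{NI/ROE_0 + k\,NI} = \frac{ROE_0\,(1 + r_f\,k)}{1 + k\,ROE_0}$$

With $ROE_0 = 0.20$ and $r_f = 0.05$:

$$k = 3:\quad ROE' = \frac{0.20 \times 1.15}{1 + 0.60} = 0.1438 \approx 14.4\%, \qquad k = 5:\quad ROE' = \frac{0.20 \times 1.25}{1 + 1.00} = 0.125 = 12.5\%$$

These agree with the chapter’s 14.5 and 12.5 percent within rounding. The risk-free return on the CoR matters: if the CoR were held in assets earning nothing ($r_f = 0$), the formula reduces to $ROE' = ROE_0 / (1 + k\,ROE_0)$, giving 12.5 percent for $k = 3$ and 10 percent for $k = 5$, so the cost of carrying the capital on risk would be noticeably higher.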
CONCLUSION
If we want to change our companies to be risk-based managed companies, ERM must be sold as an integral part of a triple package: value-based management, strategic management, and strategy execution, with ERM as an important link between these. Critical changes in the positioning of ERM as part of such a package are necessary to move from governance-driven phases to being change driven (or the integrated phase of risk management maturity).
The top 10 risks identified by our research show that, from a framework perspective, key risks are correlated with management and stakeholder expectations and perceptions. This confirms that the communication and consultation process is a critical part of the risk management process defined in ISO 31000, and it must be performed by highly skilled managers or other professionals with little tolerance for mistakes.
Experts and managers need to use consistent and easy-to-understand risk-related terminology across all stages of the risk management process to facilitate proper and efficient communication. The simpler, the better. People have problems differentiating data from information; hence the problem of mixing risk information with threat data or opportunity data instead of considering information on both threat and opportunity. It is important for communication to express that risk is a relationship between potential causes and effects, and these two may never be totally separated. Risk management is a never-ending learning experience and reminds us to keep terminology and language consistent throughout the principles, framework, and risk management process as they are integrated with strategy planning, execution, and value-based management and controls.
Exhibit 33.15 shows the results from our experience, business practice, and research. ERM in Poland is mainly driven by governance concerns, which apply to around 12 to 20 percent of the 3,000 companies with over 250 employees. As for the branches interested in holistic risk management (such as energy, gas and oil, construction, logistics, insurance, telecommunications, pharmaceuticals, chemicals, mining, public administration, aviation, and legal companies), this is a good basis for change. Because a public finance act and the obligation it imposes include risk management as part of managerial supervision, risk awareness will be communicated to around 40 percent of the working population in Poland, as many people work in public administration. Taking into account the obstacles and challenges we have in Poland, there is much good news. It would be worth further research to observe how Poland progresses in relation to other countries. That would give us all, as an international community, the ability to observe how well (or badly) ERM is progressing worldwide. There is already some research in this area, for example, Aon’s Risk Maturity Index.
We must be aware of the weaknesses of risk management in the context of human attitudes. The perception of top executives and boards is that risk still has negative connotations in many languages and cultures, and it is a natural barrier. Not everyone is keen to talk about risk; people like to concentrate on successes and opportunities. Also, managers may resist talking about risk in order not to be perceived as incompetent professionals. They assume that if they are professionally good at something, they should not be generating risks.
Exhibit 33.15 ERM Maturity Level in Poland’s Nonfinancial Industry
            | Stage 1       | Stage 2                | Stage 3                         | Stage 4
Terminology | Risk specific | Never-ending challenge |                                 |
Principles  | Risk specific | Governance driven      |                                 |
Framework   | Risk specific | Governance driven      |                                 |
Process     | Risk specific | Governance driven      | Change driven (a few companies) | Integrated (a few companies on the way, POLRISK members, energy industry)
Source: Authors’ research.
Medium-sized firms may need less integration of strategic management with risk management due to the lack of silos in those companies, as “the left hand knows what the right hand is doing.” What they need is up-to-date and online information, reports on how the business is performing, and what the margin level is. They need a reasonable risk management tool kit and supervision of margins.
A strong risk management profession with a defined scope of knowledge is necessary to promote risk management. The natural reporting line for a risk manager within an organization structure should be to the CFO or higher, and be aligned with the value-based controlling and strategy department or unit. Those departments should be working in integrated ways so that proper capital and asset resource allocation is made toward identified risk levels and cost/benefit analysis with integrated risk treatment options across the company.
A strong risk management association is also necessary to promote best practices in risk management and to gather a community of risk management professionals. In 2013, POLRISK changed its mission to the creation of value from effective risk management integrated with strategic management and value-based management. The promotion of ERM as a concept is no longer sufficient; there must be demonstrated value creation for a company arising out of it. The ERM journey continues.
QUESTIONS
1. List and describe the challenges of implementing ERM in Poland.
2. The quality of risk management depends on many criteria. Discuss the criteria that can be used.
3. What were the main drivers for ERM implementation in Poland?
NOTES
1. More information on the POLRISK Risk Management Association can be found at the association’s website: www.polrisk.pl.
2. More information on the Federation of European Risk Management Associations can be found at www.ferma.eu.
3. We would like to mention and honor here all the people we know, but we are aware that this would be an imperfect and incomplete list. However, we are sure that on such a list there are at least POLRISK founding members; former presidents Rafal Rudnicki and Tomasz Miazek; current POLRISK board members Ewa Szpakowska, Hanna Gołaś, and Jerzy Podlewski; and all active previous and current POLRISK members.
4. The need for evaluating the quality and extent of risk treatments, including controls, is essential, and the techniques for including this in risk assessments are described in Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, edited by John Fraser and Betty J. Simkins (Hoboken, NJ: John Wiley & Sons, 2010), on pages 162, 163, 166, 173, and 174.
5. The Statement of Context is an output from the “Establishing the context (5.3)” stage of the risk management process (Clause 5 Process in ISO 31000:2009 standard).
REFERENCES
Antikarov, V. 2012. “Enterprise Risk Management for Non-Financial Companies—From Risk Control and Compliance to Creating Shareholder Value.” ERM, Society of Actuaries Monograph M–AS12–1, Chicago. www.soa.org/Library/Monographs/Other-Monographs/2012/April/2012-Enterprise-Risk-Management-Symposium/.
Bossidy, L., and R. Charan, with C. Burck. 2002. Execution: The Discipline of Getting Things Done. New York: Crown Business.
Copeland, T., and V. Antikarov. 2003. Real Options. New York: Texere.
Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Robert W. Kolb Series in Finance. Hoboken, NJ: John Wiley & Sons.
Jorion, Philippe. 2007. Value at Risk: The New Benchmark for Managing Financial Risk. New York: McGraw-Hill.
Kaplan, R. S., and D. P. Norton. 2008. The Execution Premium: Linking Strategy to Operations for Competitive Advantage. Boston: Harvard Business School Publishing.
Krysiak, Z. 2011. “Strong Risk Management Culture as a Major Factor at Modern Organization” (Polish title, Silna kultura zarządzania ryzykiem jako cecha nowoczesnej organizacji). e-Mentor 2:39, s. 24–31.
Krysiak, Z. 2013. “The Value of the Operational Risk in the Holistic Approach” (Polish title, Wartość ryzyka operacyjnego banku w ujęciu holistycznym). Bezpieczny Bank 1:50, s. 112–129.
Lam, James. 2003. Enterprise Risk Management: From Incentives to Control. Hoboken, NJ: John Wiley & Sons.
Monahan, Gregory. 2008. Enterprise Risk Management—A Methodology for Achieving Strategic Objectives. Hoboken, NJ: John Wiley & Sons.
Pagach, Donald, and Richard Warr. 2011. “The Characteristics of Firms That Hire Chief Risk Officers.” Journal of Risk and Insurance 78:1, 185–211.
Peters, T., and R. H. Waterman Jr. 1982. In Search of Excellence: Lessons from America’s Best-Run Companies. New York: Harper & Row; Profile Books, 2004.
Pijanowski, S. P. 2005–2006. “Is the Polish Stock Market Weak Form Efficient?” International Journal of Banking and Finance 3/4 (Special Issue), 33–62. (Journal of North Malaysia University.) The eight papers in this special issue were selected after blind peer review as the top papers among 144 papers submitted for publication. http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1041&context=ijbf.
Purdy, G. 2010. “How Good Is Our Risk Management? How Boards Should Find Out.” Risk Watch, The Conference Board of Canada, December, 9–11.
Purdy, G. 2013. “Most Effective and Efficient Way of Managing Risk.” Workshop material for POLRISK Risk Management Association, Warsaw, May 9.
Rappaport, A. 1998. Creating Shareholder Value: A Guide for Managers and Investors. New York: Free Press.
Raynor, M. E. 2007. The Strategy Paradox. Warsaw: Studio EMKA.
Shimpi, P. 1999. Integrating Corporate Risk Management. New York: Texere.
Shimpi, P. 2005. “Enterprise Risk Management from Compliance to Value.” Financial Executive 21:6, 52–55.
Welch, Jack, with Suzy Welch. 2005. Winning. New York: HarperBusiness.
Wiklund, D., and B. Rabkin. 2009. “The Balance Sheet Perspective of Enterprise Risk Management.” Financial Executive 25:2, 54–58.
ABOUT THE CONTRIBUTORS
Zbigniew Krysiak, PhD, is an Associate Professor of Finance at the Warsaw School of Economics in Warsaw, Poland. He gained a doctor of philosophy degree in economics from Warsaw School of Economics for his research into the application of options in default risk assessment and company valuation. He holds an MBA (master’s degree in banking and financial engineering) from the University of Toulouse, France. He was a visiting professor at Pepperdine University in Los Angeles and Northeastern Illinois University in Chicago. Currently, he is teaching students at Northeastern Illinois University on financial engineering in business applications. He is the author or coauthor of more than 100 publications, intended both for practitioners and for the academic community, concerning finance, risk management, financial engineering, and banking.
Dr. Krysiak has about 25 years’ experience in business, working for European and American nonfinancial and financial enterprises. The functions he has held include: management board member of Bank Guarantee Fund, managing director of the Property Finance division and adviser to the president at PKO Bank, vice president of the management board at Intelligo Bank, vice president at AIG Bank, financial manager at PepsiCo in Poland, and member of the supervisory board at the insurance company TU Europa. He was a member of the European Banking Industry Committee (EBIC), and a member of the Mortgage Funding Expert Group (MFEG) at the European Commission. He is a member of the Scientific Committee of the Warsaw Stock Exchange in Poland.
Sławomir Pijanowski, PhD, is President of the POLRISK Risk Management Association in Poland, where he is responsible for the development of good risk management practices for the Polish market. He is a member of Technical Committee No. 6, Management Systems, at the Polish Committee for Standardization, and a member of the ISO/TC 262 Committee, where he was one of four task leaders elaborating the first draft of the ISO 31004 standard, Risk Management—Guidance for the Implementation. He is coauthor of Risk Management for Sustainable Business, published by the Polish Ministry of the Economy. He initiated and completed the project of adoption of the ISO 31000:2009 standard into Polish as PN-ISO 31000:2012, Risk Management—Principles and Guidelines.
Dr. Pijanowski has long-term experience in the areas of change management, organizational transformation, strategic-level program and project management, business continuity, IT security, banking, and business systems implementations. He was coauthor of the methodology of one of the first Polish implementations of ERM in a leading telecommunications company in Poland. He verified the quality of the risk registers of the Orange Technological Partnership in the UEFA EURO 2012 Football Championships in Poland. He acted as an external expert for the National Foresight Program “Poland 2020” in the following research fields: safety, information technology (IT), and information and communications technology (ICT). His PhD is from the Poznań University of Economics, department of investment and capital markets, where he also graduated from the Faculty of Management with a specialty in capital investments and financial strategies of enterprises.