102215 enterprise risk management

BY MARY PETER

Upload: mike-karlins

Post on 04-Jan-2016


DESCRIPTION

How Does Your Construction Company View Risk?

TRANSCRIPT


September/October 2015 CFMA Building Profits

Risk impacts a company’s profits, people, and strategic objectives. And, how risk is viewed and managed is constantly changing, particularly in challenging business climates like construction.

HOW DOES YOUR COMPANY VIEW RISK: AS A COST OF DOING BUSINESS OR AS A COMPETITIVE ADVANTAGE?

Risk Management Evolution

Adverse risk is common in construction – injuries, property loss, cost of materials, security, natural disasters, etc. Often the focus is on tangible assets and those that can be insured, with most efforts focused on loss prevention and compliance.

The evolution of risk management has moved to look at a universe of risks and how they are connected, both internally (operationally driven) and externally (regulatory and market driven). This concept, known as enterprise risk management (ERM), takes a proactive, forward-looking view of how risk can impact your company’s strategic objectives, both positively and negatively. ERM has been defined by RIMS, the risk management society™ as:

“…a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an inter-related risk portfolio.”1

Exhibit 1: Evolution of ERM illustrates how familiar construction risks (i.e., insurable financial risks) now include more broad categories such as operational, strategic, and reputational risk.

From this vantage point, risk management has become an important strategic tool that allows your company to be more nimble in response to the changing risk environment.

By providing key risk data that supports strategic planning, ERM illuminates opportunities to focus on your company’s key strengths.


Exhibit 1: Evolution of ERM

HISTORICAL VIEW: HAZARD RISK MANAGEMENT

• Insurable financial risks

• Focus on preservation of tangible assets

• Silo approach: each department/function manages its risks independently

• Risk management = separate function

• Risks are threats – focused on avoidance of negative events

TODAY: ENTERPRISE RISK MANAGEMENT

• Operational, strategic, financial, reputational, and insurable risks

• Recognition of the value of tangible and intangible assets

• Holistic approach: coordinated at the highest level within the organization

• Risk management is a corporate-wide daily concern and is embedded in the operations

• Risks can be threats and opportunities

How Do You Implement ERM?

A value-added ERM process is a proactive approach to risk management, where your company’s culture and strategy come together to drive innovation and performance and provide a competitive advantage. ERM moves risk management into a new strategic direction so that efforts are focused on the most important risks and opportunities your company faces.

Many contractors are practicing ERM with various levels of maturity. As shown in Exhibit 2, ERM implementation is a six-step process, with ongoing communication pulling it together. These steps are similar to how a successful construction job is planned – a repeatable process that encourages learning and improvement throughout the journey.

Step 1: Establish a Strategic ERM Foundation

Just as a strong solid foundation is essential for any construction project, it’s crucial that the first step to ERM starts with your company’s culture. The following important aspects are often overlooked.

Obtain Support

Solid governance enables an ERM initiative to become part of your company’s way of doing business. Support of this effort must come from the top down, with management facilitating discussions to identify, assess, evaluate, and monitor significant risks to the company and its strategic objectives. A collaborative, open, and cooperative risk culture must exist for innovative action plans to be designed and implemented successfully.

And, the fiduciary responsibility of advisory committees or external board members can lend strong support to ERM. Their support, guidance, and input can be very valuable if used appropriately.

Assign an ERM Leader

Selecting an internal ERM leader is one of the most important roles to establish and keep ERM alive, effective, and sustainable. This individual must be able to communicate about ERM to leadership, management, third parties, and everyone working on the jobsite and in the office.

This person is typically in a managerial or higher level position with access to the strategic objectives, and is knowledgeable about how policies, procedures, and controls work within the company. Common ERM leaders have job functions in risk management, but are not solely focused on safety. Consider appointing the COO or an operational manager to lead the charge and someone else to manage and coordinate the day-to-day ERM efforts. Without support and commitment at the executive level, ERM is difficult to launch, implement, and engage.

Leveraging third-party relationships can provide excellent resources. However, even though a facilitator or ERM consultant can provide guidance on an ERM program, you must own it – this is your enterprise!

The ERM leader should maintain enterprise level information in one place. This information can be designed in Excel in order to customize the ERM processes and should include:

• Detailed descriptions of risk,

• The category of risk,

• Policies and controls that manage or mitigate the risk, and

• How the risk relates to the company’s risk appetite and strategic plans.

Other information to consider includes:

• The effectiveness of the controls,

• Action plans to improve the mitigation of key risks to the company, and/or

• How an opportunity can result from establishing a better response to a particular risk.

The ERM leader should control who has access to this matrix since the nature and amount of risk and strategy that it contains should be confidential. A risk administrator position may also be established to streamline the data input and reporting tasks as the ERM program matures.

Software programs are also available to organize and manage this information; however, gather this information in Excel first to determine the level of sophistication needed.

Educate Employees

All employees, especially executives and those on the ERM project team, must be educated on why ERM is being implemented, how it will improve operations, and what is in it for them. Be sure to stress that this is a cross-functional project, and they will not be penalized for openly discussing risk to the company.

Develop a Common Risk Language

Risk is typically viewed as a threat, and risk management is seen as managing claims and loss control. When developing an ERM program, your company must agree on what risk, controls, risk management, and ERM mean so there is a clear and common language.

Determine Risk Appetite & Tolerance

Leadership, owners, and the board must clearly set and communicate how much risk the company is willing to accept in the pursuit of successfully achieving its strategic objectives (risk appetite) as well as the absolute limit of risk the company expects to take (risk tolerance). The appetite can equate to dollar amounts, IT or customer service downtime, and/or reputation guidelines.

Customize Your Risk Universe

As shown in Exhibit 3: Construction Risk Universe on page 26, both external and internal risks are defined and segmented into seven categories: Regulatory, Market, Hazards & Third-Party Actions, Operations, Financial, Governance, and Strategic. This top-down view outlines interrelated risk categories and may impact your company’s strategy as a whole.

Several of these risks are common and ever present, and some are new or emerging and may be considered game changers in the construction industry. Key risks facing the construction industry today include:

• Skilled workforce availability

• Fast-paced technology changes

• Economic changes

• Subcontractor liability

• Bid rigging

Exhibit 2: The ERM Process

STEP 1: Establish the ERM Foundation

STEP 2: Identify Risks

STEP 3: Assess Risks

STEP 4: Evaluate Risks

STEP 5: Execute Risk Response Plan

STEP 6: Monitor ERM

ONGOING COMMUNICATION


The construction risk universe chart should be customized to reflect your company’s own risk universe and is a great tool to facilitate discussions on how risk is viewed by people in different positions and functions. Sometimes it’s easier to identify risks outside of one’s own department, and many leaders also find that it helps to identify risks as opportunities.

While these parameters are likely used in current decision-making, they are not usually defined in a statement or metrics without an ERM process in place. Setting these parameters will allow the ERM team to evaluate a risk they believe is significant, but may not be as material to the overall company. Communication through cross-functional teams, with top management’s support, creates the most value throughout the process.

Step 2: Identify Enterprise Risks That Impact Your Strategic Objectives

Do you have a niche market, location, supply chain, or a diversity of skilled workers? Where is the competitive advantage in your risk management efforts that accelerates achieving your strategic objectives? Are your complex risks increasing?

Answering these questions will help your company tackle the complexity and value of effective risk management.

Using your customized construction risk universe, determine the enterprise risks that your company faces. What are the biggest concerns? Where are the most opportunities? Open conversation in a facilitated ERM team meeting can help identify and streamline the most concerning enterprise risks. Think about the events that cause risk or issues that competitors may have experienced that you want to avoid in your company.

As one example, consider the skilled labor shortage. If your skilled labor is not currently fulfilled or is prohibiting your company from maximizing its performance, then it’s a risk to your company. To turn this risk into an opportunity, you could implement a relationship with a trade school for education of special skills and on-the-job training efforts to learn about the benefits of working in construction. This proactive element may bring new workers to your company before they consider joining your competitors.

Highlighting skilled labor shortage opportunities can lead to discussions on succession planning, retaining top employees, and identifying future leaders early to further develop progressive strategic risk management methods. With a proactive, forward-looking view, the solution for what seemed like a risk can turn into a competitive advantage.

Exhibit 3: Construction Risk Universe

A company that is aware of its risk universe is more adaptable and responsive.

Chart labels: External, Internal, Integrated Risk Management.

MARKET: New Competition; Product Demand; Capital Availability; Industry Consolidations; Socio-Political; Energy/Fuel Costs; Bad Real Estate Loans; Commodity Price; Material Costs; Pricing Pressures; Project Financing

REGULATORY: Anti-Trust; Communications; Security; Trade Customs; Labor Practices; Pension; Product Safety; Health & Safety (OSHA); Procurement; Government Support & Funding; Environment; Tax

HAZARDS & THIRD-PARTY ACTIONS: Natural Events/Catastrophes; Terrorism; War; Piracy/Counterfeiting; Fraud; Lawsuits; Reputation; Injuries/Accidents

OPERATIONS: Change Management; Value Chain; Sales & Marketing; Recruiting/Retention; Product; IT; Contract Compliance

FINANCIAL: Liquidity/Credit; Accounting/Tax; Budgeting/Planning; Capital Structure; Bank & Surety Support; Cost of Capital

GOVERNANCE: Governance; Legal; Code of Conduct (Ethics – i.e., Bid Rigging, Tax Issues)

STRATEGIC: Strategy & Initiatives; Mergers & Acquisitions; Investor Relations; Stakeholders; Bid Process

Step 3: Assess Enterprise Risks

With your company’s risk appetite as a guide, assess risks for impact and probability to the overall company. Using the company’s budget, determine the amount of loss that the company can sustain or the reputation risk it can handle before it impacts the company’s ability to gain new, profitable work; it is a view from the top. However, many find it difficult to look at the material risks from an enterprise-wide perspective.

Plotting the risks on a heat map provides a visual of where these enterprise risks fall. In the Construction ERM Heat Map (page 28), both the impact and probability of a risk are displayed from the enterprise risk appetite perspective; impact of the risk (financial loss, down time, people, or price volatility) appears on the vertical axis and the probability of the risk (rarely, potentially, possibly, expected) appears on the horizontal axis.

The risks in the upper right (i.e., high impact, high probability) are most concerning and need quick attention, while risks in the upper left (i.e., high impact, low probability; referred to as black swans) should be closely monitored and may require immediate attention if the risk moves fast and increases in nature.

Consider an example: What would happen if a natural disaster occurred where your company has the highest concentration of ongoing projects? While the situation is unlikely, the impact to your business could be extremely high in terms of lost workdays, materials, and completion dates. This could also create a reputation risk if your company was perceived as unresponsive. As climate or concentration of projects change, this risk may move to a more likely possibility, and greater focus on the risk response plan would become more urgent.

Conversations about resource allocation should occur at this point in the ERM process. Does the cost of implementing more safety measures or oversight toward a significant risk, compared with one that represents a low-impact risk, make sense based on your company’s strategy? Which risks are you most comfortable taking on to gain more reward? Which risks are you very comfortable handling (perhaps better than your competitor) that can open up new revenue streams?

For example, as illustrated in the heat map below, your company may be too focused on the low-impact, low probability risks such as property loss or material costs, when it may actually need to focus more on the high-impact, high probability IT security or subcontractor risks.

Your risk management options and concerns may become clearer and “aha” moment(s) may occur. Everyone may not be singing “Kumbaya” together, but at least the ERM team may gain a better understanding of your company’s enterprise strategic risks and opportunities.

Step 4: Evaluate Enterprise Risks

This is where the information created and gathered in the first three steps comes together. When evaluating risks, determine:

1) Direction: How are they trending – increasing, decreasing, or holding steady?

2) Velocity: How fast are they moving – slow, moderate, or fast?

3) Effect on Strategy: How is your ERM strategy impacted – directly, indirectly, or not at all?

Once you have discussed and determined these factors, rank your company’s top or key risks and strategic objectives. This has been referred to as a Top 10 list, but should include no more than 25.

Using the strategic plan to prioritize enterprise risks, in addition to the impact and probability, will provide an increased understanding of your risk exposure.

Here’s a sample of what might be included:

1) Underbidding; ineffective bid process

2) Expansion plans

3) Subcontractors’ ability to perform quality work

4) Skilled labor shortage

5) Breach of company or customer data

6) Proper customer credit review

7) Third-party vendor contract and insurance gaps

8) Economic market fluctuation (e.g., interest rates, available capital)

9) Technology demands

10) HR documentation enforcement

Exhibit 4: Construction ERM Heat Map

Axes: IMPACT (vertical, 1–6) and PROBABILITY (horizontal, 1–6). Risks plotted: Property Loss, Bid Process, Material Costs, Surety Support, Regulatory, IT Security, Subcontractors, HR Labor Issues. Chart annotation: “Black swans swim here.”


Step 5: Create Enterprise & Strategic Risk Response Plans

Once the top risks are prioritized, risk response plans can be determined. A proactive strategic response identifies potential key risks and enables your company to respond when a risk event occurs.

Equally important is to know your company is effectively managing or controlling risks, and that resources are focused on its most concerning and significant ones. For example, will you plan to:

• Avoid a risk in the future by eliminating the use of certain materials?

• Mitigate a risk by purchasing new equipment to streamline a routine function on the jobsite?

• Prevent a risk by implementing more stringent subcontractor prequalification policies and procedures?

Create an action plan and obtain additional support for those key risks that impact ERM strategy the most. Set a deadline and assign risk owners to create accountability and dedication from the leadership to improving strategic risk management.

Once standard operating procedures (SOPs) are determined around the risks to be managed, turn those SOPs into the way you do business. For example, if there are a number of items each of your PMs should employ on every job, set up your accounting or project management processes (including through software) to require completion of those items before they can move on to the next step.

The real value of ERM comes from implementing successful response plans to change how risk is viewed, identified, and handled. Each employee has a role once the ERM concept is implemented; it becomes part of your company’s strategic and competitive edge.

Step 6: Monitor Risks & Response Plans

Establish a communication plan that provides consistent reporting on the risks, risk assessments, risk response plans, and the impact to strategic objectives to establish continuous ERM communication. Hold regular meetings to add new or emerging risks, and assess risks and your strategic objectives as they change.

An effective way to accomplish this is to assess your company’s overall ERM risks and response plans annually, conduct monthly ERM team meetings, provide update reports monthly, and conduct new risk assessments quarterly. To truly bring about change, provide incentives for those who achieve improved results or implement the most important ERM improvements; consider making compliance with ERM strategies part of compensation decisions.

Benefits of Strategic Enterprise Risk Management

Knowledge of the most important, concerning risks and the corresponding risk response plans allows all employees to improve the workplace culture and strengthen their commitment to strategic objectives.

Many companies have a clearer view of their risks and opportunities as a result of implementing ERM. They realize that developing a link between risk and strategy leads to improved performance on all levels. Remember, ERM is an ongoing process that is continually flexed to address the complexity of risks and maximize your company’s opportunities.

Endnote

1. www.rims.org/ERM/Pages/WhatisERM.aspx.

MARY PETER is the Director of Enterprise Risk Management at Eide Bailly LLP in Minneapolis, MN, where she consults, designs, and implements ERM programs to identify, assess, respond to, and monitor both risks and opportunities. She develops ERM methodologies, training materials, and deliverables to respond to regulatory requirements and strategic objectives of her clients.

She has more than 25 years’ experience in the risk management and insurance industries, including 10 years in corporate risk management and seven years in ERM consulting. She is a member of the U.S. Technical Advisory Committee for ISO 31000 Risk Management Standard; the founder of an ERM roundtable in the Minneapolis/St. Paul area; and a frequent presenter on ERM and other risk management topics at national, state, and local industry conferences.

Phone: 612-253-6662 E-Mail: [email protected] Website: www.eidebailly.com