Enterprise risk management (ERM) has become standard practice for Fortune 500 companies these days, but not so much for mid-market firms. While the financial crisis made it clear how important understanding risk can be, it also made it that much harder for cash-strapped and cost-conscious smaller firms to invest in the software and personnel necessary to make ERM happen.
"Many mid-market firms don't yet have a robust ERM," says Brian Kalish, head of the finance practice at the Association for Financial Professionals. "Certainly for the past year, those that don't have not been dealing with that issue."
"Our company is currently looking at ERM, but for now, it's just me," says Dan Kugler, assistant treasurer for risk management at Snap-On, a $2.8-billion Kenosha, Wis.-based maker of hand and power tools. "We don't have a risk officer yet," says Kugler, whose main responsibility is overseeing Snap-On's property and casualty risk.
Wisconsin-based Oshkosh Corp. began its ERM program back in 2003, when the manufacturer of trucks and heavy equipment had sales of $1.9 billion, says Steve Stich, the company's chief risk officer. With Oshkosh now a $5.3 billion company, Stich heads a six-person risk management office. While the past year was "horrible" in terms of cost-cutting, Stich says management viewed his ERM operation as so important that "we didn't take any staffing cuts."
Oshkosh implemented ERM from both the top down and the bottom up, he says. Senior management defines the top 10 threats and opportunities, scoring them based on the percentage of operating income impacted. They develop mitigation plans when it is deemed necessary, and report all this to the board twice a year. Working the other way, project managers do risk assessments for all major programs and projects, in some cases "on a weekly basis," he says, with reports going up to Stich and senior managers.
Stich added ERM software called Active Risk Manager from Strategic Thought 18 months ago. "It's a good tool that allows us to keep track of everything and report on anything," he says. "Prior to that, it was all spreadsheets."
Still, many mid-market companies fail to understand the importance of ERM, says Craig Rowe, CEO of ClearRisk, which makes ERM software called ClearRisk Manager.
"Intuitively everyone knows an ounce of prevention is worth a pound of cure, but in business you have to make a business case for anything," he says. "And when I talk with mid-market executives, they're all about minimizing the downside, not about the competitive advantages they'll get from ERM."