Risky Business

In business, growth is a good thing because it holds the promise of more profit. But growth also means risk -- and the faster the growth, the bigger the risk. Why? Because growth is not an unalloyed good. Growth forces change throughout the organization, affecting every aspect of the business operation from production to marketing to distribution -- even to back-office functions such as accounting and human resources. In fact, rapid growth can force change so pervasive that it spins out of control, threatening the bottom line. Growth, in short, is a problem -- and the country's top risk managers think they have a solution. They call it enterprise risk management, and they are testing it at a handful of big U.S. corporations, with results that should interest small companies as well. Their experience shows that enterprise risk management can be applied at growing companies of any size. Enterprise risk management is as much a process as a result. It seeks to identify, assess, and control -- sometimes through insurance, more often through other means -- all of the risks faced by the business enterprise, especially those created by growth. And those risks can get out of hand. For example, if you institute just-in-time inventory and a fire shuts down one of your suppliers, your own production may halt, leaving you unable to meet commitments to your customers. If you run cheaper materials through your machinery, your products may not hold up, perhaps giving rise to a rash of warranty claims. If you take your products to new markets overseas, your customers may use them in unexpected, hazardous ways, inviting product liability litigation under laws unlike those of the U.S. If you do business on the Internet hackers could disrupt your service, causing customers to lose confidence in your operations. In short, as you grow risks increase -- and so does the need for enterprise risk management, which seeks to anticipate trouble, not react to it. "Enterprise risk management means looking at the entire organization as subject to risk and putting continuous procedures in place to identify, measure, and manage the risk,'' says Paul Van Zuiden, who heads the Great Lakes risk management practice for the consulting firm Deloitte & Touche, Chicago. "Enterprise is the key word," he says. "If your business is doing new things with new products, new suppliers, new customers, and new markets, it's encountering new risks every step of the way. Enterprise risk management breeds within the enterprise a culture of risk management." According to Van Zuiden, enterprise risk management involves the entire business operation because every aspect either costs you money or generates it -- and because, given today's economic pressures, you improve operations and fatten the bottom line as much by cutting costs as by generating new revenues. "An ounce of prevention is still worth a pound of cure -- although prevention is more complicated than it used to be, especially for growing companies," says Van Zuiden. "You have to analyze every process in the business operation, determine every vulnerability, and plan for everything that can go wrong. "I call this being risk-intelligent, and it has to be a continuous process of analysis and communication." Clearly, enterprise risk management can improve the bottom line. But putting it into practice requires a major effort, and as a result only a handful of risk managers are adopting it. All work for larger companies and are applying it to parts of their operations. Dick Heydinger, director of risk management services for Hallmark Cards Inc., Kansas City, is testing enterprise risk management on a few Hallmark units with help from a team of consultants from insurance brokerage J&H Marsh & McLennan. He notes that enterprise risk management seeks to head off trouble; therefore, it encompasses far more than the traditional hazards -- such as fire, flood, and theft -- envisioned by commercial insurance. "As you're making business decisions, risk management should be part of the process," he says, "because it is more effective upfront than if you try to retrofit a solution to a problem after it arises, when you become the ugly auditor telling people that they made a bad decision in the first place." Heydinger says enterprise risk management involves five steps: identifying risk, measuring it, formulating strategies to limit it, carrying out specific tactics to implement those strategies, and continuously monitoring the effort. Using software developed by Marsh & McLennan he makes the process systematic and consistent, probing for risk and examining the costs and benefits of different approaches. At present, Heydinger has applied enterprise risk management to three Hallmark units comprising about 10% of the company's operations, but he hopes to extend the practice throughout the organization. "It makes sense to hone your skills and shake out your tools on a pilot-project basis," he says. "We think it's a major improvement in our risk management, and we expect to see that it adds value." Another risk manager, Lance Ewing, director of insurance and loss prevention for GES Exposition Services in Las Vegas and vice president of external affairs of the Risk and Insurance Management Society, a trade group, emphasizes the practical benefits of enterprise risk management to a growing company. A subsidiary of Viad Corp., GES Exposition Services presents the annual Comdex technology show and the Consumer Electronics Show in Las Vegas, the PGA championship golf tournament, and, this year, the Democratic National Convention in Los Angeles. The growth of GES in recent years -- 17 acquisitions since 1993 -- makes enterprise risk management a crucial element of the company's corporate culture, Ewing says. Integrating an acquisition into existing operations requires that you explore the risks of both in detail, he says. That means looking for risk in many areas, ranging from environmental hazards past and present to risks involving employee practices, workers' comp, and e-commerce. In addition, every time GES puts on a trade show it faces risks it must anticipate and plan for, Ewing says. "We need 1,000 people to move Comdex in and out of the Las Vegas Convention Center,'' he says, "and because a union supplies them, I never know who they will be or what skills they come to the table with." To this dilemma he applies risk management by repeatedly thinking through the process, identifying risk factors, and providing for them, whether it's steering exhibitors toward freight handlers with special expertise, flying in trained workers for specialized work, or helping union leaders set up special training programs for their members. Not all the risks he faces are insurable, Ewing adds, and even when they are it may not make sense to transfer them to an insurance carrier. Indeed, enterprise risk management means managing risk by the best means available. If insurance is the best means, he says, buy it; if not, find a way to limit the risk before it hits the bottom line.