Warren Buffett once said that “it takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” Although the investment guru might not have been thinking about enterprise risk management when he came up with that pithy truism, the underlying philosophy is much the same.

Although ERM has been dismissed as a trendy buzzword by skeptics, proponents say it’s a holistic, integrated approach to risk that draws pieces of the risk puzzle from all areas of a company’s operations to create as complete a picture as possible of what’s at stake.

Having an integrated approach to risk management helps a company manage volatility and keeps cash flow more stable, making it a more attractive investment, says Trevor Mapplebeck, a partner in Toronto with Oliver Wyman, a New York-based consulting firm that helps companies and organizations with financial strategies and risk management.

Historically, organizations had managed risk in “silos,” Mapplebeck says. For example, the chief financial officer looks after finances, such as interest-rate effects; the vice president of operations analyses manufacturing risks; and human resources executives study labour relations risks. However, if all this risk data and insight aren’t fully integrated and then discussed at the executive committee and board level, it’s hard to evaluate the true nature of the risk effectively, Mapplebeck says.

In ERM, risks are quantified as much as possible. And rather than simply drawing up and spitting out an exhaustive shopping list of risks, the key ones are singled out. This, in turn, allows the company to determine how much risk to assume and to decide how to most effectively deploy capital and use various strategies for managing that risk. These include assuming, transferring, mitigating, reducing, or eliminating the risks.

“Management must choose either to keep a risk on its own books or to move it off,” says Prakash Shimpi, managing principal of consulting firm Towers Perrin’s ERM practice in New York. “Both these choices come at a cost. Transferring risk incurs a fee, while keeping the risk requires capital to bear that risk.”

Companies can also look inward and do some soul-searching about their “risk appetite” — in other words, how much risk they are prepared to assume. This is a business strategy established at the board level, but Mapplebeck says it’s important that the risk appetite be consistent across the organization and in line with bondholders’ and shareholders’ expectations.

So, although there are obvious strategic advantages to ERM, it goes without saying that identifying key challenges and articulating them for stakeholders is necessary to comply with most regulatory regimes, including the Sarbanes-Oxley Act in the U.S., which requires that companies do a fraud-risk assessment.

There are also risk-related regulations at stock exchanges and securities commissions across North America. In addition, companies are under more pressure than ever, given the considerable ink devoted to business failures, accounting scandals, white-collar crime, toxic or tainted products, credit crunches, market corrections, mortgage defaults and the subprime mortgage crisis.

“The capital markets’ turmoil of recent months has managers and boards of financial institutions fundamentally rethinking their risk-management functions,” says a Standard & Poor’s Corp. report published on May 7 and authored by credit analysts Steven Dreyer and David Ingram in New York.

Now, it seems that credit-rating agencies also want to get a closer look at the internal housekeeping practices of public companies — and this is driving a surge of interest in ERM across the corporate world.

S&P has announced it will begin to discuss a company’s approach to ERM this year as part of its ratings of non-financial companies, particularly in the area of cyclical and volatile commodities. For example, an aluminium company should be closely examining how it is managing risks that could threaten both its supply of bauxite, which is used for aluminium production, and its electricity supply, as aluminium producers are huge consumers of power, says Jim Thomson, a principal with Towers Perrin in Hartford, Conn.

S&P has already been looking at the ERM practices of financial services companies for about three years, Thomson says, adding that about four in five companies have been rated “adequate,” with a few above and a few below that rating.

S&P itself notes that since mid-2007, it has changed ratings on some financial institutions as a result of its view of their risk appetite, risk management, or both.

However, it is starting from scratch when it comes to non-financials, notes Mapplebeck, whose firm is helping companies and organizations prepare for these S&P ratings.

“What they don’t have yet is an effective comparison or benchmark across the different industries,” Mapplebeck says. The companies will eventually be rated on a scoring scale of “excellent,” “strong,” “adequate,” or “weak” in their ERM, focusing on risk-management culture and strategic risk management, he says, noting the process will play out throughout 2009.

“We will do an evaluation of current ERM programs and frameworks in place for organizations, and we embed S&P’s expectations and requirements into that evaluation,” Mapplebeck says. “The ultimate goal is to ensure risk is formally measured and integrated into key decision-making processes, including: strategic planning, budgeting and forecasting, capital allocation and so on.”

By doing so, the company is better able to manage performance volatility and cash flow. This is important for debt payments; hence the interest by the credit-rating agencies, Mapplebeck says.

ERM entails moving away from a cost/benefit analysis to a “risk/reward” approach, according to S&P. The rating agency adds that ERM is, among other things, “a toolkit for trimming excess risks and a system for intelligently selecting which risks need trimming.” However, it notes that ERM is not a tool to eliminate all risk.

“Rating analysts will incorporate an ERM discussion into each company’s regular credit review, emphasizing risk-management culture and strategic risk management,” says S&P in its May report. “Our analysis is likely to focus on significant gaps when a company is compared with industry peers.”

One strategy for closing those gaps is delegating responsibility for risk management into the corporate governance structure, ensuring that key people are accountable. And accountability is key when public safety is at stake, says Mark Rodrigues, risk-management officer at Cara Operations Ltd., Canada’s third-largest restaurant chain.

Rodrigues says when he was involved with a major food industry association, he learned that many other food companies did not have comprehensive safety programs in place with individuals accountable for the programs. These companies should be asking themselves what the magnitude of the risk is and what controls are in place to mitigate that risk, he says.

Another example of risk issues that are not related to compliance or financial risk are looming demographic shifts that will affect staff availability and turnover — key issues for the restaurant industry, Rodrigues says. Other issues specific to his industry include product recalls and food-handling regulation.

“Fundamentally, for any public company, the biggest risk it has is reputational risk,” Rodrigues says. “If you give your customers a reason why they should not shop with you, that’s the biggest cost you have in the company, and it’ll be the hardest thing to correct.”