Contractors: Adopting Enterprise Risk Management or Falling Behind?

Contractors: Adopting Enterprise Risk Management or Falling Behind?

In this post, we’ll give some background on the growth of Enterprise Risk Management and how it relates to the construction industry, and explain why adopting an Enterprise Risk Management philosophy for running your construction business is a wise decision. We say philosophy, because at its core, ERM is a shift in thinking, a shift in managing your business. It applies best in high risk industries, like construction, which have high failure rates due to persistent failures to recognize and mitigate risk across the entire business.

Enterprise Risk Management Growth

In a 2001 survey, Enterprise Risk Management: Implementing New Solutions, it was noted that 41% of the public companies surveyed indicated that they were currently implementing some form of ERM program.  As a result of Sarbanes-Oxley Act (aka SOX, the compliance requirements set forth after the Enron debacle), that number has been climbing ever since.  Why?  Quite simply, the rules of the game have changed for public companies.  They must now prove they have strong internal controls, complete intregrity and systems to manage all risks they face.  Unexpected “surprises” are no longer accepted; they now have swift consequences.  Given this environment it’s no wonder that Enterprise Risk Management (ERM) is being adopted by public companies at an ever increasing pace.

In the United States, the Securities and Exchange Commission, as well as the U.S. Federal Reserve and the American Institute of Certified Public Accountants, are demanding more accountability from corporate directors in terms of identifying risks and developing systems for managing them.  The National Association of Corporate Directors is encouraging audit committees to expand their scope of risk management reviews. Dunn and Bradstreet has released software to provide ERM Solutions. Standard & Poors, one of the largest credit rating companies of businesses worldwide, has announced that it is now including questioning about a company’s ERM practices to determine ratings for credit.  This rise in expectations requires a level of risk management knowledge and capability not found in many organizations, so companies are scrambling and reacting to institute risk-based controls.

But how does all this apply to private companies that don’t have to worry about compliance issues brought forth by SOX? Plainly stated, ERM is not just for the “Big Guys” anymore.  As Tim Ling, president and chief operating officer of Unocal, stated: “I think you will see almost all companies over the next few years moving in the same direction [as we are], really trying to integrate the notion of risk management with the notion of just business management. To me, running a business is all about managing risk.”  Essentially, managing risk is really about properly managing a business, and therefore managing risk can create shareholder value if done correctly.  Thus, ERM is now seen less as a reactionary requirement to regulations, and more as just plain old good business practice. In fact, according to the RIMS 2011 ERM Benchmark Survey, over 75% of the 14K public and private companies in the survey had active ERM programs or were investigating ERM adoption:


Why Contractors make good Candidates for ERM

Does ERM apply to contractors? Yes, more than ever. Since ERM best fits companies in high risk fast moving industries, contractors are prime candidates for adoption. Here are some reasons why:

  1. Abundance of Risk – There are so many risk factors in a construction business that it is hard to manage them all. In essence, a contractor is like a juggler, typically having a ton of balls in the air, each being a problem that needs to be solved. Unfortunately, the functioning of the company is usually last priority. Since money is made or lost in the field, solving problems in the field typically takes precedence over solving problems in the company.
  2. Tight Time Constraints – As every contractor knows, the construction industry moves at a million miles a minute, which makes it very difficult to implement risk controls, or in other words, fix internal problems. The industry is very competitive, margins are small and great pressure exists to keep overhead down. So if overhead is already stretched thin and key management personnel are focused on solving problems in the field, there isn’t much time or human capital to get risk controls implemented. An internal problem may get temporarily addressed and go away for a while, until many months later when it pops up again and everyone looks at each other and says “didn’t this happen before,” and the cycle repeats itself.
  3. Insufficient Knowledge – Since contractors are so busy, do they have time to learn? If they don’t have the proper guidance, do they know the options available to improve the function of their company? The answer to both questions is usually no. Unfortunately, since they are so busy, they don’t have time to seek out those professionals who can give them advice, and to compound matters, Enterprise Risk Managers who understand the construction industry are hard to come by.
  4. Unstable Controls – During day to day activities at a construction company, internal problems often come up and management will conclude that “we should do something about this.” Unfortunately, the pressure to constantly meet day to day deadlines in a fast moving environment does not allow management sufficient time to methodically establish a plan to install risk controls effectively, and even if installed, management does not have time to perfect or monitor the control to assure it remains in place. As a result, a “quick fix” is often used as the solution. However, when a risk control is quickly put in place there usually isn’t enough thought behind it. Therefore it simply does not stick, especially when not monitored.

All of these characteristics make contractors great candidates for ERM. So let’s talk about the how ERM can actually overcome the challenges for implementing risk controls as stated above, namely: the abundance of construction risk, the time constraints upon management, the insufficient knowledge about ERM and unstable controls.

How ERM overcomes the challenges for implementation of risk controls

  1. ERM establishes a culture. First and foremost, ERM establishes a new corporate philosophy, a change in thinking toward a risk-based mindset, not only amongst management, but amongst all in the company. If nothing else were to be accomplished, just this mind shift alone is of huge benefit. When people realize how the company’s ability to make a profit can be put at risk directly by their work, there is a behavioral change. Not only do they realize the impact of their work, but they also gain a feeling of just how valuable they are, how valuable their work is, and how their work can be part of the company’s success. Since it is well documented that bottom-line performance can be largely attributed to employee fulfillment, an ERM approach to running business certainly has its benefits.
  2. ERM creates root level accountability.The ERM methodology enables management to deal effectively with problems, even though an abundance of risk may exist. The accountability for mitigating risk is spread to all levels in all departments and therefore the responsibility for implementing controls is not just up to time-strapped management, but up to everyone.
  3. ERM relentlessly drives improvement. Persistence. ERM does not go to sleep after a risk control is put in place. It relentlessly monitors the controls put in place and persists to uncover new risks. Risk is forever changing and new risks arrive on the scene all the time. The ERM process fully incorporates a “risk-sensing” mindset by constant reassessment and monitoring to validate current controls as well as address new risks.


In short, ERM addresses an abundance of risk by following a systematic process that educates the workforce on elements of risk within their area of responsibility, empowers them to individually install risk controls which are then monitored within the process to make sure the controls remain fully in place, thus creating a “no surprises” management environment.  Without an ERM framework, the failure to recognize risks or to mitigate known risks can make it difficult to compete, financially weaken the company, and potentially jeopardize its future.

So there you have it. ERM is being adopted worldwide and it is a perfect fit for construction. It will just be a matter of time before you will be expected to run your business with a risk-based approach. In fact, banks and sureties are already asking contractors, “Who handles enterprise risk management for your company?” Do you want to be the company that lags behind in understanding and taking action on business risks, or do you want to be a survivor in today’s fiercely changing and competitive environment? As to the ultimate question: “Should I personally get engaged in a risk-based mindset and adoption of ERM,” we leave you with some final questions:

  • What can happen to create value in your company?
  • What can happen to destroy value in your company?
  • What degree of confidence do you have in the outcomes?

To learn more, contact Druml Group for construction enterprise risk management solutions.