Regardless of company size and industry, implementing an Enterprise Risk Management (ERM) initiative is not easy. The greatest challenge for any ERM implementation lies in finding the balance between creating value and understanding and mitigating the risks that threaten that value creation. It takes time to build ERM into an organization's culture. It also takes time to train employees in that culture and embed risk thinking into their day-to-day decision making.
The typical implementation approach requires the analysis of risks across the company, rather than siloing them by business unit or functional area. This approach requires the involvement, enthusiasm and perseverance of a large number of managers. There's no one-size-fits-all formula for addressing risk. While there are guidelines, organizations have to take the models and customize them to their own strengths, weaknesses and culture. Consequently, push from the top, as well as buy-in from operating management, is critical. For any risk management initiative to be successful it must be positioned as "value-add": minimizing risk exposure while allowing for innovation and growth.
The Board's Role
Patience, coupled with incremental and iterative implementation, is often the best approach for gaining organizational acceptance, and building a risk intelligent environment. I always recommend having the board start by addressing the overall risk culture (the company's internal environment) through policies, procedures, training and organizational communication. Additionally, the board must link risk issues to business strategy and set clear objectives. The importance of focus and emphasis on risk management from the top of the organization cannot be overstated.
ERM Process
Identifying Top Risks
Management should start by defining the organizational objectives, identifying the potential risk events, and conducting an organizational risk assessment. The risk assessment weighs the likelihood and impact of the various risks. That analysis allows management to identify, select and address the risks that are the most threatening to the organization. Management should prioritize these risks and select a small number of the highest priority areas to address first. Priority areas should focus on risks that pose the greatest immediate threat to the organization's ability to stay in business and compete in the marketplace.
Assessing Top Risks
Priority areas can then be fully analyzed using an appropriate ERM framework and other best practices and tools. Risks need to be clearly defined. The amount of acceptable risk must be agreed upon and also well defined. At that point, response plans and internal controls that prevent or detect the threats posed by these risks can be devised. Management is trying to strike a balance between innovation and growth capability on one side and risk minimization on the other. The organization should employ experienced consultants or employees to help guide it during these initial efforts. Learning to implement the right processes and use the appropriate tools is critical at a stage when the organization is addressing its highest risk areas.
Responding to Top Risks
An effective risk management process will make the importance of addressing these critical risk areas self-evident to both management and the board. Once that is accomplished it should be relatively easy for them to gain organizational support. Finally, an action plan must be devised to establish ongoing monitoring processes that detect the potential risks, assign responsibilities for managing those risks, establish the appropriate communication tools, and implement the means for testing the effectiveness of the processes.
Taking the time to carry out the action plan effectively becomes the most critical step in the overall implementation process. The highest priority risks need to be effectively managed and controlled, because they are the highest priority risks! Consider the firms that were solely reliant on the Japanese suppliers that were devastated by the recent tsunami. If they had properly evaluated the risk of supply disruption, they would probably have lined up alternative suppliers, built up safety stock inventories, or arranged for business interruption insurance. They would have created response plans. However, if they had not conducted a proper risk evaluation, they would have had no response plan in place, and would have been caught unprepared.
Steps for Further Down the Line
Once success is achieved on the priority risk management areas, the organization can use that success to drive the next round of risk management initiatives. They should apply the lessons learned, the processes used, and the value achieved to educate the greater organization, and address the next layer of risks. Success breeds success. The next phase of initiatives should be incremental and small enough to be manageable and measurable. With each success, management will be able to reinforce the value process, and the risk management culture will begin to take root.
A serious commitment to managing risk across an organization requires a long-term commitment by the board and management, and the willingness to start small and build on success. It is not a fast process, but if the goal is long-term sustainability, then it is a worthwhile process. After all, since long-term health and profitability is every organization's goal, shouldn't the solution also be built for the long term?
This publication contains information in summary form and is intended for general guidance only. It is not intended to be a substitute for detailed research nor the exercise of professional judgment. Neither BPM nor any member of the BPM firm can accept any responsibility for loss brought to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.