Every organization encounters an array of risks that affect its ability to achieve objectives. A fundamental role of management is to ensure those risks are managed in a way that allows for overall success. There’s no “one size fits all” model of risk management; approaches vary depending on multiple factors such as organization size, type, complexity, and culture. Often, the approach will mature over time.
When it comes to building an effective risk management strategy, an enterprise risk management (ERM) program is often cited as an answer to a myriad of organizational challenges. This article will share several principles to help guide an organization embarking on an ERM program journey, help set realistic goals, and explore steps to take in order to determine which parts of an ERM framework to implement.
Benefits of ERM Programs
In 2017, the Committee of Sponsoring Organizations of the Treadway Commission identified the following benefits of effective ERM programs:
- Increasing the range of opportunities
- Identifying and managing risk entity-wide
- Increasing positive outcomes and advantages while reducing negative surprises
- Reducing performance variability
- Improving resource deployment
- Enhancing enterprise resilience1
No two ERM programs are the same in their development and operation; each should vary in structure and requirements and be customized to an organization’s specific needs. In fact, your organization might not even need to fully build out a robust ERM program. The AICPA and NC State Poole College of Management’s 2021 The State of Risk Oversight report notes that “more than two-thirds of organizations surveyed still cannot claim they have ‘complete ERM in place.’”2 This data indicates that many organizations have either not attempted an ERM implementation or only implemented a partial program. This also helps clarify why most organizations describe their ERM implementation as a journey.
ERM Is a Journey in Maturity
NC State Poole College of Management’s Enterprise Risk Management Initiative provides elements of an ERM process that not only effectively demonstrate the five foundational actions of ERM, but also show ERM as a repetitive process that should be refined in each cycle.3 In addition, Exhibit 1 indicates that the ERM program itself is driven by the organization’s culture and leadership, making it a dynamic process that aligns the program with where the organization and its needs are at a point in time.
Most risk management practices are rooted in basic management principles that guide good business decision-making and are executed by a hands-on management team. For example, traditional risk management approaches start with basic questions such as:
- If we’re going to build a structure, how should we design it in a way to not fall down later?
- How can we ensure the structure is designed in a way that best suits its purpose for being built?
- How can we build the structure so the total construction cost stays within an established budget?
Built into these questions are fundamental management decision-making processes that have risk management components to consider, but there are often challenges to address at the project or business unit level.
Some organizations reach a point where these types of questions evolve into bigger-picture scenarios, such as an organization that builds various types of structures for different customers with specific contractual requirements to build to a specific standard, on a specific time frame, and with specific materials for a specific cost. With a myriad of additional requirements and presumably additional risks for not meeting these requirements, management may need more formal risk management practices to assist in meeting organizational objectives. In addition, some of the questions move well beyond the project or even portfolio level and begin to affect organization-wide planning and decision-making.
As noted in Exhibit 1, the basic elements of ERM shouldn’t be foreign concepts or terms to managing organizations. Companies that haven’t adopted an ERM framework likely have each of the elements at play within their day-to-day business practices but may find that they’re not well coordinated or cohesively arranged.
Connecting and coordinating these elements will help an organization begin its ERM journey at a speed and direction that meets its own unique needs.
With plenty of guidance from various ERM frameworks and publications that fill out other ERM program components beyond the ones shown in Exhibit 1, recognize that, in the early stages of building your ERM framework, the main program elements just need these simple organization-specific definitions:
- What is a risk?
- What is a high, medium, or low risk rating?
- What is risk mitigation?
Each organization’s risk management practice will evolve based on the business requirements, and rarely will this evolutionary journey follow the same path as other organizations. Recognize that an ERM program implementation will always have a starting point, but its ultimate destination won’t be found in any detailed design or framework, nor will the speed of the journey be predictable — particularly if a company is building and refining the program as its business needs dictate.
When embarking on a unique ERM journey, you are in control of the pace and direction of the implementation. However, to help ensure your organization is on the right path and addressing the right issues, it’s imperative to know why you are on that journey.
Know the “Why” & Design for It
The creation of an ERM program springs from various and diverse needs. Understanding your organization’s specific reasons for implementing ERM will help build a customized program.
Some ERM program implementations begin due to a business cycle presenting unexpected and unsatisfactory outcomes. Others come from management’s desire to centralize or unite common business problems/challenges for planning and evaluation purposes. ERM programs can also help management answer questions from its boards or other stakeholders on how they view their organization’s top risks and how well they are prepared to respond and manage these situations.
Knowing your organization’s primary purposes for implementing an ERM program can help ensure that the program’s first steps address and are customized for these essential needs.
If a program is being implemented because the board or C-suite wants to see a list of the organization’s top risks, keep the initial discussions and inputs at the executive level and tie the focus into the organization’s strategic business plans.
Mitigating Top Risks
Once you’ve completed the top risk identification process, move on to identifying how to mitigate those top risks and gain opinions of how well the organization is mitigating these risks. Only after you’ve reached this point should you think about expanding the program’s focus to find or evaluate other risks that don’t fall in that priority order.
Bad Business Events
If a program is requested because of a bad business event, don’t look for other types of similar potential problems. Instead, focus initial efforts on understanding the risks that drove the event, how they should have been identified, and what mitigating management actions could prevent them in the future.
After a deep dive on these topics, consider what was learned from this exercise to inform your next actions. For example, look for other adverse events to evaluate and plan around or assess what you learned about your organization’s control environment and other management activities to more closely evaluate.
ERM programs can often suffer from scope creep and, if not kept in check, could unnecessarily drain resources and contribute to an unsustainable framework that the organization never really needed or wanted. In addition, when ERM efforts stray from the original “why” purposes, they run the risk of being tagged as bureaucratic necessities or create “check the box” mentalities of a new program that management has implemented. Keeping the program’s “why” as the primary focus of all initial ERM work can help ensure the outcomes will be seen as valuable and contribute to the organization’s success.