Unless ERM is treated as a team sport, with the company Board fully “on board,” the company will flounder when:
- Overwhelmed with other issues,
- Unfamiliar risks related to specific situations occur or
- The sheriffs in the C-Suite who formerly interacted with the ERM designee Board member view the political risks as too costly to point out the “175-pound gorillas” in the room.
This puts one’s business at risk of a 175-pound gorilla growing into the proverbial 800-pound gorilla or even worse, into 800 dead rats. Before the blink of an eye and with brute strength, that dreaded multimillion-dollar roof comes crashing down.
In real life, there are never enough resources vis-à-vis people, money or time needed to take advantage of the myriad opportunities to solve all of the problems rapidly piling up on one’s desk. So, how does one increase Board and organization involvement in integrating enterprise risk management into the corporate DNA? And where can the right person be found to assist in reaching that goal?
How you might find value for your organization
Fortunately, at the National Association of Corporate Directors Global Board Leaders’ Summit, attending professionals provided generous and timely advice.
They confidentially offered new insights and suggested 12 highly focused steps for organizations in the various phases of transforming ERM into a team sport, requiring only minimal investments of money, people and time.
Review of Rating Scale
Organizations are graded on a level of 1 to 10. At level 1, there is little or no full Board involvement with ERM; all such decisions are delegated to a internal or external risk expert. This is indicative of complete apathy and preference to ignore. At level 10, the opposite end of the scale, Board members are fully engaged and exhibiting a strategic and value-based orientation, as well as enthusiastic ERM buy-in.
Increasing Board participation and engagement in ERM
Three key elements with broad application to some degree include the following:
- The lower the score, the less risk management function or expertise within the organization. Logically, small cap, middle market or family businesses are less likely to employ a Chief Risk Officer or risk management department.
- What infrastructure do most organizations have that can be expanded upon at a reasonable cost? Logical starting places include strategic planning, safety, procurement, business continuity and internal audit.
- Taking into account the wisdom of one’s organizational peers. This type of resource is readily available and the roadmaps listed can be applied to one’s own organization to search for underlying strategic operational issues without spending political capital with colleagues.
The next step is based on the previously calculated business score.
If the organization is between 1 and 3: Do what needs to be done to start the process. Just verbalizing that this can be an issue is a reasonable first step. Passionate advocates may suggest that the million-dollar blind spot, if found now, may save your company, your job or a friend’s job further down the line.
The top three suggestions for moving forward:
1. Obtain the CEO’s buy-in for ERM and have them drive accountability.
2. Create an agenda to address the organization’s top major risks.
3. Hire an IT Director to search for and resolve seemingly invisible system risks.
If the organization rated between a 4 and 6: Good, why not move toward applying a common-sense orientation to risk management processes to add ROI and move further away from the Sarbox Hell of the prior phase?
The three top suggestions offered to move up:
4. Align compensation with risk strategy and its execution.
5. Coordinate a strategy review, with benchmarks, on how to get to conference-winning team sport status.
6. Finalize resolution of all remaining items from the lowest phase on up.
Once seeing what exists versus needs, consider where can you add some bench strength in areas that may be lacking or decide where and how to outsource to obtain access to specific skill sets that may be limited within your organization.
If the organization rated between a 7 and 9: Going for Great –well done! After a deserved pat on the back, consider how to further improve and receive even more value from balancing risk and reward and expand that lead.
The 3 top suggestions for a first place win:
7. Maximize the collective wisdom of the team – i.e. through group brainstorming and scenario planning.
8. Determine if it is necessary for your company to move up to a 10 at this time.
9. Involve an independent third party who can provide truly objective feedback.
Once the distinction between “what exists” and “what is needed” is made clear, areas requiring some extra bench strength and/or where to outsource to obtain limited access to specific skill sets become clear.
If the organization rated a 10: Golden Great, you are at the top of your game and probably reaping ROI benefits that make the process well worth the effort.
The 3 top suggestions offered to maintain this outstanding status:
10. Complete the move to a dedicated resource group.
11. Take ERM to an even higher level by analyzing what or how an outsider could demolish your company.
12. Invest in compliance software and in a competent team to manage it.
In conclusion, give careful consideration to these proven 12 suggestions and apply those that make the most sense at this point in your organization’s life cycle. After all, taking any of these actions will help make ERM more of a team sport and increase your chances of success.
Portions of this piece were initially shared in Risk & Compliance Magazine and are republished here with the author’s permission.
Gary W. Patterson, president & CEO of 
