Thursday, December 5, 2019
Corporate Compliance Insights
  • Home
    • Home
  • About
    • About CCI
    • Writing for CCI
    • Advertise With Us
  • Articles
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Industry News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
    • Home
  • About
    • About CCI
    • Writing for CCI
    • Advertise With Us
  • Articles
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Industry News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Risk

Gaining Traction with Enterprise Risk Management

by Jim DeLoach
February 20, 2015
in Risk
Gaining Traction with Enterprise Risk Management

Many efforts to implement ERM are unfocused, severely resourced constrained, and pushed down so far into the organization that it is difficult to establish relevance. The near-term results are “starts and stops” and ceaseless discussions to understand the objective. Risk is often an afterthought to strategy and risk management an appendage to performance management. Ultimately, the ERM implementation runs out of steam and is no longer sustainable.

While there is no one-size-fits-all, the following design principles will help overcome these issues:

  • Define the primary objectives of the risk management process. What does management want to accomplish with risk management? The activities of the risk management process typically include the identification, sourcing, measurement, evaluation, mitigation and monitoring of risk. However, the purpose of the process varies from company to company. One company may seek to improve its governance process. A second company may intend to reduce risk or performance variability to an acceptable level and prevent unwanted surprises. Another company may seek to facilitate taking more risk in the pursuit of value creation opportunities. Still another might want to position itself as an early mover in the marketplace relative to its competitors. The point is, management needs to have a clear view as to what ERM is intended to accomplish so the “why” question can be addressed effectively.
  • Integrate the process with the core business activities. Regardless of how the process is designed, its effectiveness and relevance diminish greatly if it isn’t integrated with core management activities such as strategy setting, annual business planning, performance management and budgeting. Effective integration can result in risk management becoming more integrated with the rhythm of the business so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.
  • Determine whether the organization’s culture will help or obstruct the implementation process to ascertain the extent of needed change. Even the most well-intentioned risk management process can be compromised if dysfunctional organizational behavior exists and is allowed to fester. If the CEO is not willing to pay attention to the warning signs posted by the risk management function, if the reward system is not sufficiently balanced with the long-term interests of shareholders, if the board is not asking the tough questions about the assumptions and risks underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues, it is not likely risk management will have an impact at the crucial moment when a contrarian voice is needed. Every effort should be made to transition the organization’s culture to one that encourages open communication, sharing of knowledge and best practices, transparent risk reporting, continuous process improvement, and a strong commitment to ethical and responsible business behavior. Transitioning to such a culture takes time.
  • Determine the enhancements to infrastructure that are needed. Given the nature of the organization’s risk management process, the core management activities with which that process is to be integrated, and the strengths and limitations of the organization’s culture, is the organization’s existing infrastructure sufficient to accomplish the desired objectives? By infrastructure, we mean the company’s policies, internal activities, organization, reporting and systems related to managing risk. If the answer is “yes,” then we move on to execution. If the answer is “no,” the next question becomes: What changes are needed? Changes could include any combination of things, including a risk management policy, more explicit dialogue around risk appetite, a risk management committee, a chief risk officer, improved risk reporting, a crisper delineation of board and management responsibilities, and more reliable systems and data.
  • Align the analytical assessment approach with the unique characteristics of the risks the company faces. While risk maps, heat maps and other traditional risk assessment approaches may provide a quick overview and ranking of risk, these tools can lose their value and grow stale over time once their novelty wears off. Why subject risks with different characteristics to the same assessment methodology? For example:
    • Strategic risks warrant the use of a contrarian analysis approach applied to the critical assumptions underlying the strategy.
    • Operational risks require an assessment of the various components along the value chain within which the organization’s business model is applied to assess exposure to loss of key suppliers, major customers and logistics, among other things.
    • Financial risks are more susceptible to the use of measurement tools as they relate to cash flows as well as market, credit, currency and other related risks.
    • Compliance risks require analysis of the organization’s conformance with specific laws, regulations, internal policies and/or contractual arrangements.

The point is, use the appropriate analytical framework according to the unique characteristics of the risks, rather than the same analytical grid that can leave many managers wondering what to do next.

  • Assign ownership of the risk assessment process to the managers who are best positioned to achieve expected actionable results. Engage the appropriate managers who are best positioned to own the risk assessments as well as the appropriate responses to act on the assessment results. Holding these managers accountable for driving and owning the risk responses is fundamental to any effort to integrate risk management into strategy setting, business planning and performance management. Often, ownership will vary for strategic, operational and compliance risks.
  • Support the ERM implementation from the top. The above design principles define what executives should be looking at when evaluating the role and effectiveness of risk management within the organization. They give way to this last principle: Support the implementation effort from the top. Without that support, it’s game over.

One final observation: When implementing ERM, there should be a strong bias toward keeping things as simple as possible and to leveraging existing processes and tools.


Previous Post

Stop the Conversation

Next Post

Advising Clients to Pursue an Honorable Course

Jim DeLoach

Jim DeLoach has over 35 years of experience and is a member of Protiviti’s Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2017.

Related Posts

"bias" on green post-it note on pink background

The Curious Case of Bias in Risk Assessments

December 3, 2019
double exposure of android bust over binary code

The 3 Final Pillars of the Cognitive Risk Framework

November 22, 2019
hazy image of businesspeople facing front, concept of future team

Preparing for Generation Z – The Future of the Front Line in Risk Management

November 19, 2019
robot hand holding metal padlock and key

Enterprise Risk 2020: Are We Ready for Security 4.0?

November 15, 2019
Next Post
Advising Clients to Pursue an Honorable Course

Advising Clients to Pursue an Honorable Course

Free Downloads

OFAC whitepaper cover
Compliance Job Interview Q&A
Reputation Risk Management Research

RSS SEC Litigation News

  • Lester Burroughs December 5, 2019
    SEC Charges Connecticut Man with Defrauding Retail Investors
  • SBB Research Group LLC, et al. December 4, 2019
    SEC Charges Hedge Fund Adviser and Top Executives with Fraud
  • NIT Enterprises, Inc., et al. November 29, 2019
    SEC Halts Penny Stock Scheme Targeting Seniors

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks Big Data blockchain board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management corporate culture corporate governance culture of ethics cyber risk data analytics data breach data governance decision-making Dodd-Frank DOJ due diligence fcpa enforcement actions GDPR GRC HIPAA information security internal audit internet of things (IoT) KYC/know your customer machine learning monitoring regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • Audit
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • HR Compliance
  • Leadership and Career
  • News
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights