Many efforts to implement ERM are unfocused, severely resourced constrained, and pushed down so far into the organization that it is difficult to establish relevance. The near-term results are “starts and stops” and ceaseless discussions to understand the objective. Risk is often an afterthought to strategy and risk management an appendage to performance management. Ultimately, the ERM implementation runs out of steam and is no longer sustainable.
While there is no one-size-fits-all, the following design principles will help overcome these issues:
- Define the primary objectives of the risk management process. What does management want to accomplish with risk management? The activities of the risk management process typically include the identification, sourcing, measurement, evaluation, mitigation and monitoring of risk. However, the purpose of the process varies from company to company. One company may seek to improve its governance process. A second company may intend to reduce risk or performance variability to an acceptable level and prevent unwanted surprises. Another company may seek to facilitate taking more risk in the pursuit of value creation opportunities. Still another might want to position itself as an early mover in the marketplace relative to its competitors. The point is, management needs to have a clear view as to what ERM is intended to accomplish so the “why” question can be addressed effectively.
- Integrate the process with the core business activities. Regardless of how the process is designed, its effectiveness and relevance diminish greatly if it isn’t integrated with core management activities such as strategy setting, annual business planning, performance management and budgeting. Effective integration can result in risk management becoming more integrated with the rhythm of the business so that it can make value-added contributions to establishing sustainable competitive advantage and improving business performance.
- Determine whether the organization’s culture will help or obstruct the implementation process to ascertain the extent of needed change. Even the most well-intentioned risk management process can be compromised if dysfunctional organizational behavior exists and is allowed to fester. If the CEO is not willing to pay attention to the warning signs posted by the risk management function, if the reward system is not sufficiently balanced with the long-term interests of shareholders, if the board is not asking the tough questions about the assumptions and risks underlying the strategy, or if risk management is so mired in the minutiae of compliance that it is not focused sufficiently on strategic issues, it is not likely risk management will have an impact at the crucial moment when a contrarian voice is needed. Every effort should be made to transition the organization’s culture to one that encourages open communication, sharing of knowledge and best practices, transparent risk reporting, continuous process improvement, and a strong commitment to ethical and responsible business behavior. Transitioning to such a culture takes time.
- Determine the enhancements to infrastructure that are needed. Given the nature of the organization’s risk management process, the core management activities with which that process is to be integrated, and the strengths and limitations of the organization’s culture, is the organization’s existing infrastructure sufficient to accomplish the desired objectives? By infrastructure, we mean the company’s policies, internal activities, organization, reporting and systems related to managing risk. If the answer is “yes,” then we move on to execution. If the answer is “no,” the next question becomes: What changes are needed? Changes could include any combination of things, including a risk management policy, more explicit dialogue around risk appetite, a risk management committee, a chief risk officer, improved risk reporting, a crisper delineation of board and management responsibilities, and more reliable systems and data.
- Align the analytical assessment approach with the unique characteristics of the risks the company faces. While risk maps, heat maps and other traditional risk assessment approaches may provide a quick overview and ranking of risk, these tools can lose their value and grow stale over time once their novelty wears off. Why subject risks with different characteristics to the same assessment methodology? For example:
- Strategic risks warrant the use of a contrarian analysis approach applied to the critical assumptions underlying the strategy.
- Operational risks require an assessment of the various components along the value chain within which the organization’s business model is applied to assess exposure to loss of key suppliers, major customers and logistics, among other things.
- Financial risks are more susceptible to the use of measurement tools as they relate to cash flows as well as market, credit, currency and other related risks.
- Compliance risks require analysis of the organization’s conformance with specific laws, regulations, internal policies and/or contractual arrangements.
The point is, use the appropriate analytical framework according to the unique characteristics of the risks, rather than the same analytical grid that can leave many managers wondering what to do next.
- Assign ownership of the risk assessment process to the managers who are best positioned to achieve expected actionable results. Engage the appropriate managers who are best positioned to own the risk assessments as well as the appropriate responses to act on the assessment results. Holding these managers accountable for driving and owning the risk responses is fundamental to any effort to integrate risk management into strategy setting, business planning and performance management. Often, ownership will vary for strategic, operational and compliance risks.
- Support the ERM implementation from the top. The above design principles define what executives should be looking at when evaluating the role and effectiveness of risk management within the organization. They give way to this last principle: Support the implementation effort from the top. Without that support, it’s game over.
One final observation: When implementing ERM, there should be a strong bias toward keeping things as simple as possible and to leveraging existing processes and tools.