Enterprise risk management (ERM) is one of those topics so daunting that companies often don’t know where to begin. Often, people have difficulty even agreeing on what it is.
At the end of the day, busy executives want some practical advice on how to begin implementing ERM. A couple of years ago I published my thoughts on the topic, along with several related posts, at Corporate Compliance Insights, an online journal featuring thought leadership from compliance and ethics professionals from around the world. I am proud to be a monthly contributor.
ERM is a favorite topic of mine and central to much of what we do at Protiviti, so I thought I’d revisit it here. Although by no means comprehensive, I’ve found the following five steps to be effective for boards and management to get the ERM ball rolling.
5 Steps to Getting Started
Step 1: Conduct an enterprise risk assessment (ERA) – Prioritize critical risks within the context of your enterprise strategy with quality inputs to assist in the formulation of effective responses. A solutions focus adds value to the process, which would otherwise end up with a list of risks and nothing more (what I call “enterprise list management”).
Step 2: Determine a compelling value proposition – Empower a working group of senior executives to articulate the role of risk management in the organization and determine the structure and timetable for making it happen. Pay attention to the expectations of the CEO. What is the business case that defines the benefits to be gained from implementing ERM and the economic justification for moving forward?
Step 3: Focus initially on one or two top areas – ERM should begin where the bleeding is obvious. Possibilities include: (a) compliance with corporate governance initiatives, (b) evaluating ERA results to identify priorities (such as IT cybersecurity risk or regulatory risk), and (c) integrating ERM with core management processes (such as strategy setting). Different companies will have different needs. The idea is to advance the organization’s capabilities for one or two priority risks.
Step 4: Advance ERM infrastructure – With the credibility and confidence of a couple of successes under your belt, examine your company’s risk management infrastructure. Elements of ERM infrastructure include, among other things, an overall risk management policy, an ERA process, inclusion of risk management on the board and CEO agendas, a chartered risk committee, clarity of risk management roles and responsibilities, dashboards and other risk reporting, a common risk language, a chief risk officer (or equivalent executive), a risk appetite statement, and an integration of risk responses with business plans. If your company is looking to get started with ERM but lacks any of these key elements, now would be a good time to consider filling those gaps.
Step 5: “Move the chains” – ERM is an incremental improvement process. To use an American football analogy, every time you gain 10 yards, you move the chains and set your sights on the next 10 yards (i.e., your next objective). But, unlike in football, there is no predetermined “end zone” because ERM is a journey, not a destination. As changes occur in the marketplace, your risk management capabilities may grow stale. Accordingly, update your ERA for change and periodically determine the current and desired states for each priority risk using your business strategy as a context, and plan steps to close significant gaps.
One thing almost everyone agrees on: ERM implementation does not happen overnight. The steps I’ve outlined here provide a starting point for the ERM journey. They will give you, as senior management and board members, a framework for evaluating the organization’s efforts.
That’s my 10-cent tour. For a much more detailed analysis of ERM, I invite you to download a free copy of Protiviti’s Guide to Enterprise Risk Management, which answers more than 160 frequently asked questions on this subject. Other authoritative sources include the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Enterprise Risk Management – Integrated Framework, and ISO 31000:2009, Risk management – Principles and guidelines.
Have you implemented an ERM program at your company? What was your experience? What progress have you made? Any advice you’d like to share with your peers?