If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you.
I don’t say that to scare you but to provide a small dose of reality.
Building, launching, and refining an ERM program that is more than a tool for satisfying regulators and ratings agencies and avoiding negative risks will take time and a bit of trial and error.
That much hasn’t changed a whole lot since the original version of this article was published in the fall of 2016. However, one thing (…out of many) that has changed is the importance of informed and measured risk-taking in pursuit of strategic goals and objectives.
This statement is true regardless of industry, sector, or geographic location(s).
Although many organizations implicitly understand this point, very few are actually successful in building an ERM program that helps the company create a strategic advantage. According to the latest State of Risk Oversight report from NC State, only 12% of respondents felt their program helped their company build a strategic advantage over competitors. This statistic makes me extremely sad and yet more determined to get organizations to think about and approach ERM differently.
The fact remains that it can be difficult to know where to start, even with the plethora of resources out there. While the original version of this article provides a step-by-step process, much has changed based on general trends and my experience as both consultant and practitioner.
The process outlined below is broken down into different buckets or phases that build on each other. Like manufacturing a product, this process will involve trial and error, so don’t be discouraged if something doesn’t seem to be working out the first (or even the second) time. As one of my favorite singers, “Princess of R&B” Aaliyah, says in one of her hit songs – “If at first you don’t succeed, dust yourself off and try again.”
With that said, let’s dive into the first phase of this process. You will notice this section consists of the ground work that must be done before you even begin designing the actual ERM program.
Phase #1: Forming a Solid Foundation – Governance, Culture, and Why your Company Wants ERM
This first bucket or phase represents those things that must absolutely be done first. Without these, the entire house of cards will come crashing down at the first signs of difficulty.
Like so many other resources on the subject of setting up an ERM program, the first iteration of this article jumped right into developing a framework as the first step. After speaking with many organizations through the interceding years though, it became clear that companies needed to address foundational matters before moving forward.
When I speak to any company about ERM these days, one of my first questions asks what governance, including decision-making processes, they have in place. At first, I was stunned at how many would say “not much.”
It may seem mundane, but I cannot overstate the importance of having a solid corporate governance structure in place to ensure processes are efficient, effective, and managed appropriately. By corporate governance, I’m talking about mission, vision, values, strategic plan, board oversight, internal management oversight committees, escalation process, corporate policies (even just the basics like HR and information security), and so on.
Now a small company may be able to get away with not having these in place, but without a mission, vision, strategic plan, what does your company have to assess risks against? Who validates what risk is acceptable and what needs to be escalated? Without clear communication between different areas, information is siloed, making it impossible to know how risks and opportunities fit into the bigger picture.
This shouldn’t be surprising considering that the origins of the COSO standard lie in compliance and corporate governance.
Beyond this, another equally important foundational matter is cultivating the right culture.
We’ve all heard the saying “culture eats strategy for breakfast.” Well, I can tell you for a fact, this is equally true when it comes to an ERM program.
Risk culture is quite simply the attitude of everyone in the company from the bottom all the way to the C-suite toward risk, opportunity, and strategy. Tone at the top, communications, and accountability are just a few elements of a positive risk culture.
Cultivating this culture requires persistence and concerted effort to change rather than strictly relying on top-down directives, which will only create animosity and frustrate progress.
And for the last foundational piece before developing a framework – you need to know the driving reasons for company leaders to want ERM in the first place, along with their expectations.
What is the current situation and how can ERM help?
What do they want to get out of ERM in the long-term?
Are they responding to regulations like ORSA? Or have they heard that ERM is a way to ensure goals are met and the company operates more smoothly?
Without understanding executives’ motivation for ERM and where they want the company as a whole to go means you won’t be able to determine the risks that need attention. Nor will you be able to advise which risks the company should be taking. In this situation, it’s highly probable you will need to scrap everything and start over, which is something you should want to avoid for a variety of reasons.
The following articles here on the blog dive into more detail on each of these foundational elements of building and launching an ERM program.
- Why a Strong Governance Foundation is Vital to Successful ERM
- 5 Critical Steps to Cultivating a Positive Risk Culture
- ERM Implementation: What Risk Professionals Consider the #1 Challenge to Be
- 3 Easy to Use Tips for Understanding Why Executives Want ERM
- 3 Underlying Components to Building a Successful Strategic Plan
Once these foundational areas have been addressed, you’ll be ready to move into…
Phase #2: Developing your ERM Framework
The “framework” of an ERM program is essentially its own governance document and high-level overview for guiding the processes you will develop in the next phase. This framework document will be shared with executives and the Board.
That being the case, it’s important the framework is kept high level. Since adaptability is of utmost concern, you don’t want to be constantly updating this document for two reasons. One is the level of scrutiny it will get from executives and the Board, and two, if/when ERM is audited, the framework will be the first document auditors will examine. The document will automatically be outdated as you modify policies and procedures, so it could lead to trouble if the information it contains doesn’t match what the company is doing in practice.
Instead, the framework should refer out to other documents that don’t have to go through the same level of scrutiny.
This doesn’t mean the framework document should contain nothing of substance whatsoever. One of the most important elements of the framework is clearly stating roles and responsibilities for the ERM program, including:
- Where in the corporate organizational structure will ERM reside?
Since ERM should be working closely with senior management, it’s important for it to have a high-profile position in the company. Programs merged with audit or stuffed lower down the rungs of the company ladder tend to not receive the attention necessary for more than a surface-level impact.
- Who will ultimately be responsible for ERM?
Somewhat similar to #1 but deserving of its own section, mid-sized and larger companies with ERM will often appoint a Chief Risk Officer (CRO) that reports directly to the CEO. Many feel that this role is needed to give ERM the visibility needed to put words into action, or as explained in the 2022 State of Risk Oversight Report from NC State:
While an organization might designate an individual to be the risk leader for their organization, if that individual is too far removed from the senior leadership of the organization, the ERM process is less likely to get visibility and focus from those at the enterprise level.”
One approach to increase ERM engagement is to have management-level risk committee(s). This group(s) typically include representatives from multiple business units, so it has the positive effect of ensuring information is not stuck in siloes.
- How will the Board oversee ERM?
Also, depending on your company, the framework should include the composition of any Board oversight. For some, this is a legal requirement, but robust Board oversight is increasingly becoming an expectation across-the-board these days. The Board may conduct its oversight on its own, or there could be a separate Board committee that could better focus its efforts.
When it comes to standardized frameworks, there are several out there, with the most notable ones being ISO 31000 and COSO. These standards can be helpful guides and starting point, but as Frank Martens and Carmen Rossiter explain in the book Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives:
While generally accepted frameworks are a useful starting point, they are generic by their inherent nature. Organizations that incur the effort to develop their own tailored framework see the greatest influence from their respective frameworks.”
Also, as Norman Marks explains at several points in his articles and books, the best risk practices are well ahead of these standards.
A word of caution – don’t try to force a certain standard onto your organization!!
The overarching goal of any framework is to support decision-making by helping the company identify and assess risks and opportunities to achieving strategic objectives. This will work differently for every company, even ones in the same industry, so while it is tempting to copy/paste from others, doing so rarely works out.
To learn more about each of these elements of an ERM framework and governance document, I invite you to check out these other resources here on the blog:
- ISO 31000 vs. COSO – Comparing and Contrasting the World’s Leading Risk Management Standards
- ERM and Internal Audit: The Right Relationship
- 3 Key Infrastructure Elements for a Successful ERM Program
- Chief Risk Officer: An Increasingly Vital Role in Effective Risk Oversight
- The Board’s Role in Risk Oversight and Why It’s Important
With these elements of a framework hand, you will be ready to move into…
Phase #3: Developing Processes
Once a framework is put together to guide the ERM program, you’re now ready to begin developing the various processes that will help executives understand risks and opportunities and thus inform their decision-making.
This is where you will plan out the methods your company will use. Will one-on-one interviews work better or will surveys provide the insights your company needs? What about a combination of those methods?
This will be, by far, the most iterative part of your ERM journey. In one sense, it will never be final as the conditions and needs of the company are constantly changing. Therefore, you’ll always be refining processes as you go along, which is why you shouldn’t include this type of information in your framework.
Companies tend to get hung up here as they compare themselves to what others are doing rather than focusing on what works for them. It’s also why you should not be discouraged if a particular method isn’t working.
Rather than rolling out a particular approach to the whole company, work with one or two business units to “pilot” the processes. This way you can refine what works without running the risk of others getting upset and abandoning ERM altogether. For the sake of brevity here, I’m not going to get into too much detail on the various processes.
The following articles will provide a thorough explanation of each process plus how to best harness them for your needs.
- 5 Effective Methods to Identify Risks in your Organization
- Enterprise Risk Assessment – Transforming Risk Information into Action
- Enterprise Risk Analysis – Prioritizing Risks for Maximum Benefit to the Organization
- The Ultimate Primer for Effective Risk Reporting
- Risk Monitoring: 6 Considerations for Understanding this Make or Break Moment for ERM
- Why Assigning a Risk Owner is Important and How to Do It Right
- 5 Simple Questions for Assessing the Effectiveness of ERM Processes
If you compare this version of this article to the previous one, you should notice the differences. Beginning with the end in mind and taking steps to understand why your company wants ERM is so critical to a successful endeavor.
The original article also included risk appetite and tolerance as one of the steps. While these are important in their own right, many companies find it difficult to develop and implement them immediately.
To be successful, it’s important to start slow. Rome wasn’t built in a day, so there needs to be the expectation that this will take time.
Where are you in your ERM journey? What roadblocks have you experienced in the past when you were setting up an ERM program?
I’m interested in hearing your thoughts on this extensive subject. Please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
This article briefly explains this complicated subject, it’s still quite possible you could still get stuck. If you find yourself in this situation and are ready to move forward, please feel free to reach out to me today to begin discussing your specific issue and possible ways forward!
