0 Easy Steps To Implement Enterprise Risk Management
0 likes16 views
This document outlines 10 easy steps to implement enterprise risk management (ERM). The steps include: 1) defining the value ERM provides to the organization; 2) researching ERM standards and frameworks; 3) inventorying existing risk management practices; 4) seeking support from executives and stakeholders; 5) keeping the ERM process simple; 6) starting small by focusing on a specific business area; 7) going for quick wins by prioritizing top risks; 8) delegating risk ownership to accountable managers; and 9) reporting on ERM progress. The overall goal is to build risk management capabilities throughout the organization to support strategic objectives.
0 Easy Steps To Implement Enterprise Risk Management
- 1. 10 Easy Steps to Implement Enterprise Risk Management Carol Fox
- 2. 10 Easy Steps to Implement Enterprise Risk Management At RIMS, we define enterprise risk management (ERM) as a discipline, not in the sense of punishment, but as the mastery and continued maturation of risk competencies. Essentially, ERM is all about building risk management capabilities throughout the organization. As risk professionals, we often focus on ERM as an end to itself rather than a means to support the organization’s objectives. But to be useful, that is exactly what it must center around: providing value to the company. Alas, there is no magic bullet to implement a program that will hit that target. But there are some key guidelines you can follow. With that in mind, the following 10 simple steps may help guide you as you begin planning your journey. 1. Define what value your organization will gain from ERM Because it is so difficult to demonstrate ERM value through traditional investment metrics (return on investment, return on equity, return on assets, or risk-adjusted return on capital), many companies make the business case. This looks at ERM in four categories: shareholder value, risk mitigation, process consolidation and silo elimination. While these are worthy goals, they can be difficult not only to measure but to articulate to management and the board. Since leadership is always focused on value creation, the link between ERM and the organization’s strategy is often weak at best. So how does ERM actually contribute to the organization’s value? How can that be demonstrated and measured in terms that are meaningful? You first have to discover what value your organization is trying to create, as well as protect. Is it simply increased share price? Or is it reducing volatility to enable a more efficient use of capital? Or perhaps, for non-profits, is it delivering more services to a broader constituency? Whether value is expressed as market share, profit, service provision, donor levels, social impact or some other benefit, how do the enterprise risk management competencies advance the organization’s mission and related objectives? In other words, what business need will be met through a structured ERM approach? 2. Research and understand different standards and frameworks Advocates of certain risk management standards and frameworks may encourage you to believe that there is one, and only one, “right” way to define and manage risk. If you operate in a regulated environment, you indeed may need to comply with specific risk management standards. But risk management practices tend to be universal and evolve over time, whereas standards (and regulations, for that matter) may not keep up with more current, innovative practices. Even so, learning about each of the major standards can generate ideas. A 2011 RIMS executive report, “An Overview of Widely Used Risk Management Standards and Guidelines,” analyzed six frameworks, and nearly all were found to be similar in certain ways. For example, each requires, among other aspects, the adoption of an enterprise approach with executive-level sponsorship; structured process steps, oversight and reporting of the identified risks; a risk appetite definition with acceptable tolerance boundaries; and monitored treatment plans.
- 3. 10 Easy Steps to Implement Enterprise Risk Management Although we uncovered a number of common elements in our research, certain success factors were either missing or underdeveloped, most notably root-cause analysis and risk appetite management. Moreover, we found that 44% of North American risk practitioners choose to adapt their practices from a number of standards rather than adopt any one standard. Learning as much as you can will give you a solid foundation to decide what elements are the most vital to your ERM initiative. 3. Inventory what your organization is already doing Many organizations already have controls in place for widely understood risks, such as business disruption, environmental liability or worker injuries. It is likely that the individuals responsible for these controls also conduct risk assessments. While this is not enterprise risk management, it is a start. And understanding what your organization is already doing allows you to leverage existing practices within a broader ERM environment. Additionally, having a common, collective understanding concerning which risks should be accepted, avoided, transferred (or shared), mitigated or exploited can reduce organizational dissonance about what is acceptable to the organization’s stated objectives. 4. Seek support and help Implementing an enterprise risk management program is not the time to go solo. Many parts of the organization have a legitimate stake in the discussion, and they can become either powerful allies or forceful detractors. The “power of one” comes into play in recruiting those who can make a positive difference in your implementation. Your most important advocate should be an executive sponsor—ideally more than one. Once your sponsors are on board, determine who best understands the risks your organization faces. Many successful implementers have formed a working committee of internal stakeholders, such as operations, sales, accounting, legal and internal audit. If you include the leaders responsible for management controls in a working committee, it usually accelerates collaboration. Mostly, however, you should seek out people who are knowledgeable about your organization and able to influence others, which means the cast may vary depending upon the scope of operations. If your organization’s mission is innovation, for example, include leaders from research and development. Or, if your organization focuses on education, include faculty leaders. You may also want to consider external sources of support, such as insurance brokers, external auditors or consultants. But heed this word of caution when engaging external supporters: be sure to clearly communicate the specific role you want them to play. Sometimes, this may require a strong nondisclosure agreement. 5. Keep it simple Focus on the basics. Once you have established why you are implementing ERM, work to de-mystify the process. Be able to distill your messages down to two-minute sound bites that explain, in plain English, how ERM is different from previous approaches. Refrain from using jargon; choose terms
- 4. 10 Easy Steps to Implement Enterprise Risk Management that are already understood in the organization. In the same vein, simplify process graphics to illustrate the steps the team will be taking. Remember to keep the message focused on the organization’s objectives rather than on the risk management process itself. To the end user, the ERM program mandate is less important than gaining value by making better-informed decisions about risk. While a formal training program may be characteristic of a mature program, simple process training, using available tools and templates, is quite appropriate when first getting started. 6. Start small What should be the scope of an ERM implementation? A number of successful implementers have begun by focusing on a specific business area or single goal. The state of Washington’s strategic goal is to improve the health and safety for all citizens, for example, so its ERM goal became fostering ERM implementation in all of its 165 state agencies. While this scope may seem daunting at first, nine specific and achievable objectives—including assigning risk management to a specific employee within each agency—were agreed upon over a multi-year period. Parameters were set for success, and the scope of activities was limited in a manageable way. By initially targeting implementation in a controlled way and monitoring progress against a single goal, Washington achieved a higher overall commitment. And now the state has something it can build on. 7. Go for the quick wins Don’t try to cover every possible risk. Start with those that matter most for the success of your organization’s strategic objectives. By identifying and analyzing the risks that may have a material impact on the ability to execute strategy, the odds of creating value quickly are much higher. If you prioritize by risk criteria—severity, importance or speed to onset—action plans can be executed immediately and revisited to validate the chosen responses. Understanding which risk criteria are important to leadership creates an opportunity for frank discussions about just how much risk the organization wishes to pursue, both for specific objectives and in the aggregate. These leadership discussions tend to reveal where the organization may be culturally when it comes to risk-taking or risk aversion. Overall, this exercise can go a long way towards establishing a barometer of the organization’s risk appetite. 8. Delegate “fixes” to risk owners Who will do something about the risks? The obvious answer is whoever is accountable for managing the business functions most closely associated with those material risks. For example, a chief information officer may be accountable for managing risks associated with potential data breaches. Not all risks can be neatly compartmentalized, however. Risks such as unauthorized social media releases may not find a “natural” owner, but a specific individual still needs to be named. There always should be one identified owner held accountable for the risk management plan decisions and execution. This person will likely need to rely on others to make the plan work and manage
- 5. 10 Easy Steps to Implement Enterprise Risk Management interconnected risks, but naming an individual risk “owner” will help move the chosen response plan to action. 9. Report on progress Progress reports highlight the difference that enterprise risk management makes in your organization and should be reported in at least two ways: by material risk and by ERM program progression. The risk owners should be reporting in their normal business updates on key issues, such as the material risk outcome target, specific activities that have taken place since the last report, challenges in executing the risk plan, and a trend assessment in the risk profile against the targeted outcome. Periodic reports to senior management on ERM program progression might include progress related to milestones for specific ERM objectives. In Washington state, one of those milestones is the percentage of agencies that assigned risk management responsibilities to a specific employee over defined time periods. One result shown in a 2011 ERM progress report was self-evident: a liability reserve reduction of $600 million. And an intangible result was that the organization improved its overall risk management capabilities and competencies throughout its 165 agencies. 10. Develop your “soft skills” How do you “sell” ERM within the organization? First of all, understand the dynamics of your internal market. People “buy” what they perceive to be of worthwhile to them and to their performance objectives. The question you need to be prepared to answer is “what benefit will they gain if they implement enterprise risk management practices?” There is power in positive persuasion. Focus on the expected positive outcomes for the individuals you want to engage rather than trying to convince leadership that “we have to do this to comply with our ERM policy.” Above all, you need to be an excellent communicator with a specific value message: “Enterprise risk management is a discipline that protects—and creates—value for the organization. By implementing ERM, you personally will be able to deliver results with both tangible and intangible benefits.” Reprinted with permission from Risk Management Magazine. Copyright 2012 Risk and Insurance Management Society, Inc. All rights reserved. About the Author Carol Fox, ARM, is Vice President of Strategic Initiatives at RIMS, the risk management society. A Miami University graduate, she has held progressively responsible risk management positions in the customer care, telecommunications, manufacturing, defense and insurance industries, at the same time serving as an active RIMS member and volunteer. Carol served as the chair of the U.S. ISO 31000 Technical Advisory Group on risk management standards from 2015 to 2018, was a participant on the COSO ERM Advisory Council for the 2017 revision, and serves on the Advisory Board for Miami University Isaac and Oxley Center for Business Leadership. Known for her risk management experience and writing, in 2011, Treasury and Risk named her as one of the 100 Most Influential People in Finance.
- 6. SoftExpert ERM software enables organizations to identify, analyze, evaluate, monitor, and manage their enterprise risks using an integrated approach. It brings together all risk management related data in a single and comprehensive environment, including a reusable library of risks and their corresponding controls and assessments, events such as losses and non-conformities, key risk indicators, issues and treatment plans. Process-oriented risk identification Risk repository The software serves as the foundation for the company’s enterprise risk management efforts through its ability to unite and support different risk categories like strategic, financial, security, compliance, environmental, assets, products, processes and projects. These categories can be part of broader applications and risk family solutions, such as Operational Risk Management, IT Risk Management and General Compliance Management. Risk assessment Risk response planning and monitoring SoftExpert ERM is designed to be flexible and configurable, supporting whether the risk management standards defined by ISO 31000, COSO and PMBOK, as well the company’s unique requirements. Tests and Control Self-Assessments Risk monitoring portals Learn More at: https://www.softexpert.com/enterprise-risk-management-erm/
- 7. Manage business process change with checklists About SoftExpert SoftExpert is a market leader in software and services for enterprise-wide business process improvement and compliance management, providing the most comprehensive application suite to empower organizations to increase business performance at all levels and to maximize industry- mandated compliance and corporate governance programs. Founded in 1995 and currently with more than 2,000 customers and 300,000 users worldwide, SoftExpert solutions are used by leading corporations in all kinds of industries, including manufacturing, automotive, life sciences, food and beverage, mining and metals, oil and gas, high- tech and IT, energy and utilities, government and public sector, financial services, transportation and logistics, and healthcare. SoftExpert, along with its extensive network of international partners, provides hosting, implementation, post-sales support and validation services for all solutions to ensure that customers get the maximum value from their investments. SoftExpert Excellence Suite The Roadmap for Business Excellence and Enterprise Compliance More information: www.softexpert.com | sales@softexpert.com Disclaimer: The content of this publication may not, in whole or in part, be copied or reproduced without prior authorization from SoftExpert Software. This publication is provided by SoftExpert and/or its network of affiliates strictly for informational purposes, without any guarantee of any kind. The only guarantees related to SoftExpert products and services are those contained within a contract. Some product functionalities and characteristics presented herein may be optional or may depend on the makeup of the offer(s) acquired. The content of this material is subject to change without prior notice.