3 Keys to a Successful ERM Program
The global business environment is volatile and unpredictable. Many businesses face increased challenges and complexities due to disruptive technologies, data breaches, and uncertainty about policy and the climate.
This has led companies to place an increased emphasis on enterprise risk management (ERM) to help achieve key strategic goals and objectives.
A successful ERM program must align with your business goals. This is done by assessing key risks with the right metrics, leveraging existing effective processes, and identifying gaps to work against.
Whether your ERM program is brand new or already initiated, we recommend three key steps to ensure a successful ERM program:
- Shine a spotlight on your organization’s risk profile
- Formulate and define risk tolerances
- Make ERM an agile, ongoing process
Shine a spotlight on your organization’s risk profile
There are many approaches to revealing your organization’s risk profile. Consider the unique attributes of your organization and your culture. For example, examine how risk management silos fit together and relate. Create a framework that ties them together in a way that makes functional sense.
Drill down into key strategic objectives if you lack established risk management practices. Look at what needs to happen operationally and what could interfere with your strategic goals. Work with the teams that constitute your First Line of Defense (FLoD). These frontline managers can help anticipate possible disruptions. If that’s not possible, map out your organization’s operational areas into logical categories. Look at the risks to success in those areas.
Another option is to adopt proven, broadly-accepted risk frameworks like COSO or ISO. However, these frameworks can be difficult to conceptualize and adapt to individual organizations. You may need an outside consultant to help you effectively implement them.
A final method of risk illumination is to construct a comprehensive risk register or risk inventory. A risk inventory is a master document for all potential risks to your company. You may be able to purchase one of these tools with templates for documenting and managing risk. A better approach is to build your own by consulting the experts within your organization and risk professionals in your industry.
Formulate and define risk tolerances
ERM breaks risk down into smaller, more specific components. Risk assessments allow you to break the components down into thresholds. This shows where an area of the business is operating within or outside the acceptable risk. These thresholds translate directly into risk tolerances.
How do risk tolerances relate to risk categories and specific levels of exposure at the business unit and enterprise levels? If you aggregate risk thresholds for specific risks, and roll up scoring, you can show the business’s risk exposure at various levels.
Make ERM an agile, ongoing process
Breaking risk management down into small pieces within your ERM program makes it possible to have an agile ERM process. Manage these pieces with the FLoD — business managers and risk managers who know when there are industry trends, challenges, or process changes. You can also make changes to an individual piece without disrupting the rest of the program.
Recognize cognitive biases that can stifle the potential nimbleness of your program. Risk management training and consultative working sessions can be used to review risk assessments and change the way your organization thinks about risk.
ERM can also help build in learning mechanisms to challenge past modes of thinking. Risk managers can research with the FLoD to illuminate unexpected risks. This can lead to collaborative brainstorming on solutions to potential problems you identify. Such a sense of collaboration encourages business managers to look for risks more proactively.
Employ multiple lines of defense
The Three Lines of Defense (3LoD) model of risk management complements this collaborative approach. It facilitates best practices for regular review of ERM processes, risk manifestation, mitigation performance, and post-mortems of business events:
- When first-line business managers are responsible for completing risks assessments, they provide the business perspective needed.
- The second line’s review of the first line’s work helps uncover areas that the business line may have missed. While the second line is responsible for creating controls, the first line’s assessment provides a unique perspective that helps limit bias or blind spots. When a business event occurs, the second line’s oversight of remediation ensures that the business line doesn’t fail to implement needed plans. This helps avoid similar future risk events.
- The third-line review provides an independent and fresh perspective. One more layer of oversight ensures nothing is overlooked.
Enterprise risk management can seem complicated and intimidating, but adopting these key practices help to streamline its implementation. Which, in the near term and long run, helps protect your organization.