The good news is that the idea of developing a solid Enterprise-wide Risk Management (ERM) program is really starting to get some traction. More people are talking about it, the regulators are encouraging it (read: requiring it) and more articles are being written about it. And that’s all very, very good. Here’s the problem. The vast majority of the population still has no idea what ERM really means, or looks like.
The standing definition comes from COSO, “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Ok, that’s nice. But, seriously, what is ERM? I still don’t know.
It’s so much easier when we develop a management technique and then give it a name than when we come up with a name and then try to engineer the technique. (BTW, GRC is in the same boat right now, but that’s another article.) You end up with a hundred different opinions on what that looks like and even more on how you should build it. Ultimately, this isn’t really a very good approach. So, like me, if you have read every scrap of literature on ERM and find yourself saying “I still have no idea what ERM is or what I’m suppose do to,” take heart, you are in very, very good company.
The big problem with so many of the definitions and descriptions that you read is that they all seem to be ignoring the simple fact that managing risk across the enterprise is very complicated. Risk comes in a thousand forms and risk management programs will always be comprised of many elements. In short, “enterprise” does not mean one central system. It means that we understand, and manage, how all of these many pieces fit together. It seems to me that this is what a lot of people are missing.
In this piece I have endeavored to look at ERM from as brutally honest and practical of perspective as humanly possible. My hope is that this gives some concrete points to think about in building your own ERM program.
As is usually the case, the best place to start is to try to strip away some of the misconceptions and talk about what ERM is not.
- One central system or overarching methodology that somehow addresses all areas of risk across the organization – Since risk comes in many different types and management methods, this would be impractical, if not impossible to implement.
- A one-size-fits-all framework for every area of the organization – An organization is made up of many functions, operations, businesses, people, processes, etc. Risk management systems must be tailored to meet the specific and unique needs throughout the business.
- An extension of just one risk type (e.g., operational risk management) across the organization – ERM needs to encompass all risk types; the challenge is how to do that.
- Aggregating risk information from the entire organization into one metric – How we report risk to the Board and senior management will look very different depending on what risk we’re talking about. Even trying to aggregate all of this into one mini-dashboard is of questionable value.
- A list of risks common to the entire organization – While this is informative, and important, it is only a sliver of the overall risk universe.
Ok, that was easy – now this gets harder. What is enterprise risk management? (Deep breath).
- A program that ensures that risk of all types is actively identified, assessed and managed throughout all parts of the organization – This means that while you will have different programs for managing credit risk, operational risk, market risk, strategic risk, etc. a structure exists that addresses how these pieces fit together and ensures that no risks are falling in the gaps (boundaries). The “ERM picture” may look like a hub and spoke – that’s ok. The trick is figuring out what you’re missing, the hub or some of the spokes (or both).
- A framework for establishing standards to ensure consistent approaches are used throughout the organization – This means establishing common risk language, clear definitions (what does “red” mean), assessment methods based on industry best practices, guidance on what is qualitative and what is quantitative, etc.
- A structure for gathering risk information from within the organization and presenting it to the Board and senior management in a format that is informative and actionable – Risk programs are meaningless if the results can’t be brought to the governing bodies with the opportunity to take action, whether that be just better awareness of risk trends, adjusting risk tolerances or even something as simple as asking clarification on an event.
- A culture that accepts that risk must be managed and does so with transparency and accountability – This means avoiding risk management boundaries. If it’s a risk, you manage it, regardless of “whose” risk it is. Everyone understands that you’re all working towards the same goal, profits.
Maybe you’re starting to feel like you really do have something that looks like an ERM program, or maybe some of the pieces? The truth is, you probably do, but you’ve never been able to really articulate it. So how do you know if you really have an ERM program? The following are some “success metrics” that may be indicative as to whether you have the beginning of an ERM framework in place (or if not, what you need to work towards.)
- The Board and senior management have a high confidence level that mechanisms are in place to manage the different types of risk throughout the organization and to respond quickly when new risks emerge
- The Board and senior management are actively informed on risk types, trends and mitigation methods
- The Board and senior management have a forum for expressing risk tolerance which is implemented accordingly
- Surprises are kept to a minimum, and when they do happen are accompanied by lessons learned and intentions for improving
- Changes in compliance requirements are implemented proactively and efficiently, without great turmoil or confusion
- Good communication channels exist across business lines and operating functions
- Risk is openly addressed starting at the point of strategy and all the way through execution
- Take any given risk scenario and you can quickly point to a part of the program that is intended to address that risk
- Woven into the very fabric of the organization is a thought processes (both in strategy and execution) that routinely asks the questions, “What could go wrong?” and “What would it mean?” These are not add-on questions, they are just part of the process
Finally, there are few implications of this idea that ERM is not an all-encompassing “thing,” but instead is a process of tying many pieces together.
- There’s no such thing as “risk appetite,” instead there are “risk appetites” (plural.) It all depends on what area of risk you are talking about. Risk appetite, or tolerance, may be expressed qualitatively or quantitatively, depending on the specific area of risk.
- The Chief Risk Officer is the single-most important person in this equation, because he or she is the central point charged with the design of how all of this fits together. This person is critical to the program, so they had better know what they are doing.
At this point in time an ERM framework is not mandated by law or regulation, and, honestly, I’m not sure it should be. But it absolutely should be expected, not because anyone of authority said so, but simply because it is a spectacularly good management technique.
To learn more about building an effective ERM program contact Eric Holmquist at Accume Partners at (856) 793-1581 or email@example.com. Visit accumepartners.com
No comments yet.