Office, Bureau or Agency-wide ERM implementation. Which is best (part 1 of 2)?
Question asked by Web User
(part 1 of 2) We are a bureau within a much larger agency. Some are calling for us to implement ERM, but there appears to be no meaningful action to do so at the higher agency level. How can we implement ERM without doing so at the agency level? Will doing so even be helpful?
AFERM Experts Say...
One way of answering this question is to first ask: (1) what is the purpose of ERM? and (2) what is the key mechanism of ERM in accomplishing this goal? ERM seeks to develop an organization-wide, portfolio view of risk that allows balancing results, resources and risks in a manner that maximizes stakeholder value. The key mechanism is two-fold. In the words of John Fraser, former Chief Risk Officer of Canada’s Hydro One, ERM is about “conversation” and “prioritization”. By conversation, John is referring to an open conversation of risk across the organization. This in turn leads to meaningful prioritization of risk treatments at an enterprise level contributing to maximizing stakeholder value.
Implementing a formal ERM program may indeed have little value if those conversations and prioritizations are already occurring. This can easily be the case in small organizations that are already well interconnected and have not grown to the size and complexity where functional and programmatic silos have evolved as a result of organizational structures. A basketball team, as a very simple example, understands the risks to each of the other players at any point in the game and reacts to those risks in a manner designed to win the game. However, as any organization grows to require larger numbers of participants and more complex organizational structures to coordinate efforts, this group interaction in understanding risks begins to fall apart. Instead, many business decisions and associated risks are managed within organizational silos. Concrete efforts need to take place if this conversation and prioritization across the enterprise is to take place.
With the preceding as background, it is clear that where an organization sits in the overall organizational hierarchy is not the critical factor. The key considerations are: (1) will the organization considering implementing ERM potentially benefit from that implementation, and (2) does it have the capabilities to be successful in that implementation.
The answer to point one is “yes” if the organization is large enough and complex enough to benefit from a conscious and organized approach to identifying, sharing, and managing risk across the organization in an integrated fashion. For a group of a dozen individuals, this level of sharing and integration is likely already present. However, when organizations grow to hundreds and thousands of individuals, then the resulting organizational silos make the benefits of ERM almost inevitable. If so, then the second question must be answered: does the organization have the capabilities to implement ERM? Internal organizational capabilities can be developed, but the starting point is to know that the organization has sufficient autonomy within the larger organizational structure to pull together the necessary governance structures, make the necessary risk-informed resource allocations, and develop the necessary cultural changes. The leader of a bureau typically has the needed level of autonomy and resource allocation discretion. If those necessary prerequisites are present, then the implementation of ERM within the bureau is possible even when the higher-level organization (agency or department) has not yet sought to implement ERM.