Enterprise risk management (ERM) has emerged as a best practice in gaining an overview of strategic, financial and operational threats, and in determining how to mitigate and manage those risks.
A comprehensive approach to risk management is important because it helps management comprehend the true potential of threats and allows organizations to address the cumulative nature of risk.
The following steps can help your company achieve the ERM objective.
- Just Do It!
The process of creating an ERM program is valuable, revealing much about your organization and the interrelatedness of elements within it. Document your efforts in your board minutes and share them with any auditors. You will generally find those parties willing to provide constructive feedback because they have a vested interest in the success of your efforts.
- Get a Champion
Your board of directors is accountable to shareholders and the SEC (if your company is public)—and possibly to other entities by industry—for the adequacy of risk management procedures, controls and ultimately for the competence of management. A logical champion of your ERM efforts is the chairperson of your board audit or ERM committee, followed by the chair of the board and other board members. If these individuals understand that an ERM program can help them discharge their duties and protect them from personal financial risk, you will likely see top-level buy-in and a trickle-down effect through senior management.
- Merge the Silos
If existing risk committees and sub-committees are functioning as intended and get consistently high marks from outside auditors, it’s unlikely that fundamental changes are needed. Yet it is important they understand where they fit in the bigger picture. A board-level champion can help provide this perspective, and reinforce the role of the ERM committee in setting the organization-wide level of acceptable risk.
- Weight the Risks
Certain areas of risk have the potential to seriously harm your organization. Others, however, are less critical. When your management team assembles an ERM framework, create a logical mechanism for assigning relative weights to each area of risk, and to selected components within those areas.
- Create a Dashboard
A dashboard containing a high-level summary of major risk elements supported by “drill-down” detail enables board members and senior managers to connect all the pieces of the risk management puzzle. A dashboard need not be complex. Some managers use Microsoft Excel to create multi-layered risk workbooks, which summarize details provided by the risk sub-committees into a single page of high-level information.
- Understand Risk and Reward
Some risks are worth taking, because the reward is greater than the likelihood and consequences of failure. In other cases the reward does not outweigh the potential consequences. Then there are risks not worth considering, when the risk is a “bet-the-farm” proposition, or is illegal or immoral. Each risk committee and sub-committee should understand the risk-versus-reward proposition.
- Set Limits
One important function of the board ERM committee is to work with management to establish limits to risk taking. Management should make recommendations to the board, supported by reasonable data and arguments, which establish the boundaries of the organization’s risk appetite. Management’s role is to advise and inform, with the ultimate decision resting with the board.
- Understand the Cumulative Nature of Risk
An organization that could sustain itself through one or two major weaknesses, or several minor ones, will succumb under too many. For this reason, the board ERM committee should set limits for both individual risks and cumulatively.
- Make It Easy
In the areas of setting limits and risk weighting, management should make it as easy as possible for board members to comprehend and participate in the process. Distill complex regulations, and use accepted business terminology. Implementing an ERM framework should be spread over several months, if possible. Give the board ERM committee two or three recommendations per month, in advance, so they can be reviewed, summarized, presented and adopted at the regular monthly meeting.
- Refine, Refine, Refine
New risks emerge every day, and your process must be flexible enough to identify, quantify and incorporate them. The chief risk officer and other senior managers should devote time to researching emerging risks, imagining worst-case scenarios and creating stress tests to understand the implications of critical failures.
A Top-To-Bottom Effort
It is possible for ERM practices to become part of your organizational culture. Global awareness of the process and a rank-and-file understanding of the board’s focus on effective risk management are critical to obtaining the buy-in of the entire organization. After all, risk management is everybody’s job—today more than ever.