The two primary benefits of enterprise risk management (ERM) are reducing financial and operational surprises and improving performance to increase probability of achieving strategic objectives. Any size organization would profit from these benefits, but many small to medium-sized companies typically do not have defined ERM initiatives. Reasons include cost constraints, fewer dedicated risk professionals, limited resources, fewer employees often serving multiple roles relative to larger companies. But small to medium sized companies can benefit significantly from ERM, without it being costly, complicated or time-consuming.
Why would a small to medium sized organization want to implement ERM? In some cases, ERM is regulatory driven. Examples include Sarbanes-Oxley requirements for publicly traded companies and industry-based regulations such as financial institutions and utilities. Effective ERM reduces financial variability, and also identifies and prioritizes risks to achieving strategic objectives, breaking the traditional siloed risk approach of managing risk solely by function or business unit. Successful ERM efforts develop actionable risk mitigation plans to reduce risk and drive performance, while gaining C-suite consensus on critical risks and mitigation efforts. ERM improves resource deployment and effectiveness and creates a competitive advantage.
Board member or C-suite
support and an ERM leader are necessary to launch ERM. The CFO is an ideal
champion to lead the effort and provide the requisite senior leadership
support. To start and avoid pitfalls, keep it simple and demonstrate value
early. ERM does not have to be complicated to be effective. Simplicity and a
positive return on investment for senior leadership, board members and
stakeholders significantly increases buy-in, participation and ultimate ERM
Start with a risk assessment and mitigation planning directly linked to strategic objectives, strategic planning and strategy execution. The most valuable and simple assessment scope is “assess the risks to achieving strategic objectives” with a prospective time horizon, typically three years.
Risk identification and prioritization needs to capture a thorough risk description, impact, likelihood, and current controls for each risk. The assessment process should include one or more of the following methods: workshop(s), interviews and surveys. Surveys alone do not provide the depth necessary to thoroughly define risks, and a workshop is best for thorough risk articulation, C-suite consensus and education.
The second part of the
process is developing risk mitigation plans. For each of the top risks, workshop
participants create mitigation plans with specific mitigation actions, success measures,
action owners, target dates and overall risk owners. Mitigation plans serve as
the blueprint for implementation by risk owners and action owners to reduce
risk, drive performance and increase the likelihood of achieving strategic
documenting the risk assessment and mitigation planning processes produces critical
communication and reporting tools including a risk register, a risk map and
risk mitigation plans. Outside the workshop, the ERM leader should also develop
a strategic objectives risk linkage chart to indicate the specific risks to
each strategic objective. This document reinforces the direct linkage of ERM
risks to strategic objectives and helps reprioritize resources related to
mitigation plans for critical risks. These ERM deliverables are valuable in the
organization’s strategic planning process.
At this point, take a
pause. Let senior leadership digest and realize the value created, as they utilize
the risk information and implement risk mitigation plans. Do not try to boil
the ocean all at once.
Expand the Team
One person does not
have to shoulder the entire ERM effort. Most small to mid-sized businesses have
limited resources that are usually stretched quite thin, and most CFOs do not
have the time to go it alone. Ask for support from other senior risk silo
owners, including VP of audit, general counsel, VP of strategic planning, chief
information officer and treasurer. The group size and composition will vary by
company, but a two to four-person team is a good start. Next, define roles and
responsibilities for each team member and allow the team to work together for
at least a quarter tracking risk mitigation plan implementation, monitoring
risk profile changes (i.e., risk reductions, increases or emerging risks), and
reporting results to senior leadership.
Develop a Risk Appetite
A risk appetite
statement is a written statement defining the levels and types of risk an
organization is willing to take in pursuit of its strategic objectives. The statement
should be developed through discussions with selected members of senior leadership
and ultimately be approved by the leadership team and the board.
Document and Formalize
the ERM Process
After clearly demonstrating
ERM’s value, document ERM activities and the roles and responsibilities of
those involved. Documentation should include risk assessment process and
timing; risk mitigation plan implementation, monitoring and reporting;
monitoring and reporting of changes in risk profile and emerging risks; risk
appetite statement and risk escalation process; senior leadership and board
reporting process and timing; and roles/responsibilities of the ERM team, leadership
and the board.
It is surprising how
many organizations take the initial steps with a risk assessment and even mitigation
planning and then let the process die on the vine. Demonstrating value,
building the team and documenting the process will help ensure sustainability.
The ultimate goal is
creating a risk-aware culture, requiring a change in the organization’s mindset
to consider risk in daily activities, planning and decision making. The
incremental steps described here will create an uncomplicated, pragmatic ERM
program focused on achieving strategic objectives. However, the cultural change
to a risk-aware organization will take more than the six months needed to
initially develop an ERM program.
When simply, practically
and incrementally built, ERM for small to medium-sized companies can be
accomplished at negligible cost, without new hires, and with minimal drain on
senior leadership time, producing substantial benefits and demonstrating that
ERM is not solely for large companies.