The Trouble with ERM
Photo by Kaitlyn Baker
Originally Posted On: https://www.blackfoxstrategy.com/post/the-trouble-with-erm
Enterprise Risk Management. A not-so-sexy turn of phrase too often bandied-about the upper echelons of management with little appreciation for the true meaning of the term, and quite frankly, little desire to pursue any comprehension beyond the ability to say “Yes! We do ERM!”
While I’ve enjoyed many a Dilbert© cartoon on the subject, the fact of the matter is that ERM is as much about strategy as it is risk management, and can be a game-changer easily within the grasp of the even the most modest operations. The secret is understanding that ERM is a discipline – not a function – and that it requires integration across strategy, risk, and resilience programs traditionally built and operated in silos.
Unfortunately, while most best-practice models, standards and frameworks point to this interoperability, none of them spell out how to efficiently (and successfully) make it happen. And that, my friend, is the trouble with ERM.
When I first entered the world of risk management, I was incredibly frustrated at the lack of clarity in the voluminous materials that existed on the subject. Being a typical corporate manager pressed with too much work and not enough resources, I was looking for step-by-step manual (stop, drop and roll). I was, of course, naïve, and I came to learn that along with the science, there is an art to designing, implementing and sustaining any broad organizational program such as risk management, strategic planning and business continuity.
Integrating said programs is yet another basket of worms, primarily because different departments are comfortable in their own silos. However, if you look at the entity as a whole and consider the type and timeliness of information its leaders need to create success, you will see clearly the foundation for building integrated programs that cross functional silos and allow a vertical flow of information.
If you aggregate this data in a meaningful way and add C-Suite expertise and experience, you will have an environment for strategy development, balanced risk-taking, and leveraged opportunities.
This scenario, which would give the organization an incredible advantage over their competitors, cannot be accomplished with a traditional risk management program – it requires an ERM discipline.
Organizations seeking to establish and/or mature into a true ERM capability can find the process daunting. There is a myriad of frameworks, theories and best practice standards based on industry, business model and public/private/non-profit sector. The risk management process itself is straightforward – identify, evaluate, assess and treat risk. What is not so clear is how to successfully operationalize such a program in a way that creates synergy across the organization.
I know what you’re thinking….
“We need to be selling/building/designing & serving customers! That’s where the value is! That’s what keeps us in business!”
You are right, until your controller unwittingly sends a half-million dollars to a cyber thief posing as your CFO with valid email credentials and various other identification sources because the pesky security upgrade project was just not a capital priority. Or consider the unflattering news story which caused massive reputation and civil damages because leadership failed to consider the full spectrum of adverse impact in their initial public response. Certainly, we realize the impacts of such actions with the latest occurrence with United Airlines.
Certainly, in the scenarios above, there were people discussing risk and strategies. However, when the elements of risk are evaluated in isolation, the results can be devastating. Effective and timely risk management is a necessary management capability at all levels. Therefore, why not create a critical information pathway to the C-Suite to improve decision-making and strategy?
Why not make it streamlined and efficient, focusing on what really matters? Why not let it be a competitive differentiator?
Why not ERM?
Traditional risk management typically deals with safety, insurance, contracts and claims. ERM, by contrast, is a business discipline – a set of practices put into place to help an entity succeed – and is specific to the identification and management of broad organizational risk. Thus, ERM allows an organization to broadly manage risks and seize opportunities related to the achievement of its strategic business objectives. This enables leaders to create strategically aligned processes supporting appropriate levels of risk assessment and communication.
Seems better, doesn’t it? It certainly is better, but it isn’t easy. The hurdles faced in achieving effective ERM are similar to those encountered during the implementation of any kind of broad program requiring systemic change. Budget, timelines, competing projects and finite resources are the typical challenges, but others are more elusive. Let me break it down with some lessons from the trenches:
Lesson One: Organizations = People.
If you want to make real change, you must anticipate the impact that any modification of process, practice, or methodology will have on your people. Recognize that people must be motivated to change, and that change for no reason (real or perceived) will simply be rejected.
Lesson Two: The program must functionally fit the organization.
If a system, method or process cannot be accomplished with available resources, it will, at best, be ignored and, at worst, be sabotaged. You must design the program with consideration of the day-to-day work that occurs and the culture that it occurs within.
Lesson Three: Value drives sustainability.
This may be a bit obvious, but it is important enough to call out. Tangible value must be articulated for every process. People are more easily persuaded to adopt change when they perceive a personal value to following a new routine. The value does not have to be substantial; it simply needs to be something that drives or motivates increased participation and acceptance.
Lesson Four: Sustainability requires persistence.
ERM program designers must recognize and plan for staff turnover, complacency and change in business practice. While implementation of an ERM program is a large hurdle, regular maintenance of the program is required. New employees must be trained, program KPIs (key performance indicators) must be tracked and reported, and failsafe measures must be built-in for those occasional ornery employees who simply refuse to follow the rules.
In summary, designing and implementing ERM may seem like a hassle, but it is worth it. The intrinsic value of an ERM discipline is the enablement of an organization to spend less time dealing with crises and more time managing the business. Putting out daily micro fires with a bit of calamity thrown in every now and then may seem like a worthwhile investment at the time, but it eats away at the time available for strategic thinking and planning; moreover, this ensures instability.
On the other hand, stable organizations are proactive and nimble; they seize upon growth or quality opportunities because they have the time to look for them, they have the resources to pursue them, and they know how to execute their plans successfully. Evolving to this stability requires an understanding that risk/opportunity management applies to every facet of the organization, and the outputs of the process are intended to feed critical decision-making and strategic planning endeavors.
A thoughtful and holistic approach to the design of an ERM program will eliminate silos, inefficiencies and communication gaps.
Done right, an ERM program can enhance your organization and result in tangible, bottom-line improvement and success.