Enterprise risk management program
ERM is a strategic business discipline that allows an organization to manage risks and seize opportunities related to the achievement of its objectives. To accomplish this, standardized, repeatable processes must exist to allow relevant information to flow up, down, and across the organization in a timely manner. As is with strategy, an ERM discipline is unique to every entity and must be designed using the best practice (and sometimes a variety of them) to fit the distinctive capabilities, maturity, and personality of the organization. Program elements must fit well and complement existing processes, procedures, and management structures. Finally, the outputs of ERM must be shaped by and flow from strategy, with program accountability based on key performance indicators relevant to the industry. Now that we’ve defined the big picture, let’s drop back down to the fifty-foot level and talk about the foundational elements of a risk management program.
Risk is simply uncertainty. Not good or bad, just unknown in varying degrees.
Risk Management is the coordinated activities to identify, analyze, prioritize, and manage risk.
Enterprise Risk Management is a strategic business discipline that allows an organization to manage risks and seizes opportunities related to its overall objectives (think strategy).
The ultimate goal is to protect and enhance the value of the organization through a systematic approach to risk management – we accomplish this by creating a common understanding of how risk is defined, identified, prioritized, and managed with regard to its potential impact on the organization.
It is important to note, however, that even though they are not labeled as such, risk management activities are going on throughout the organization, in every function, and at every level of decision-making. To name a few, this includes contract review and administration, liquidity and credit balancing, asset maintenance and critical infrastructure upgrades, due diligence for mergers and acquisitions, business case development for new product or service lines, board presentations, marketing, and social media campaigns, and the list goes on and on. The very complexity of “risk” is that it is happing everywhere, and virtually everyone is involved in the management of risk in some way.
The ERM Program Recipe
To communicate the various processes and tasks that must happen inside of an organization, written documentation must be created. The larger the organization the greater the detail and number of documents we typically find, however regardless of complexity, even the smallest entities need some level of written documentation that captures how things are done. This set of documents is commonly referred to in general as policies and procedures, each describing the scope, context, and purpose of the thing discussed. As such, well we describe herein applies to all programs, not just risk management, and ERM. It is worth delving into this detail to understand how each of these documents are used and can be helpful in defining an ERM (or any) program, and how as a risk practitioner you can communicate effectively using these standard business articles.
In best practice ERM, we would expect to see that a policy exists adopting Enterprise Risk Management across the organization; this is the first element of “leadership commitment” that is referred to within ISO and COSO documentation. We would also expect to see either a program document or a set of procedures that describe the various processes of risk management analysis and reporting. When an organization is looking to establish ERM or mature its program, a Charter is a good place to start in addressing perceived gaps and the methodology proposed to create the program structure.
Policy A policy is a written statement regarding the rules or specific guidelines adopted by the organization that pertains to a specific topic. It generally contains the purpose, a statement regarding the position of leadership on the topic, to whom or what the policy applies (the scope), the ramifications for not complying with the policy, and other related policies or procedures. Policies are dated and periodically reviewed. Policies focus on compliance requirements and/or standards that are meaningful to the organization’s business. Typical company policies include Equal Employment Opportunity, Health & Safety, Anti-Harassment, Ethics, and so on.
Procedures A procedure (also called process) is a more detailed document that explains the steps to follow to either accomplish the work order to comply with the policy. Whereas a policy states the what and why a process document will generally explain the how. We typically find many more process and procedure documents than we will find policies, and they tend to be much lengthier. Process documents typically include a purpose statement, the governing policy (if any), the scope, instructions, roles, and responsibilities, and a review schedule.
In smaller organizations, it is common to see a combined P&P (Policy & Procedure) document that captures both components, and this makes sense where programs are not very complex and do not require significant documentation to describe and manage the program.
Charter A charter is a document used to describe the need, benefit, and proposed rollout of project implementation or other major change efforts within an organization. It is a useful document in articulating both the problem and a roadmap for the solution. Charters are best used when there is general agreement to move forward on an effort but buy-in and commitment of resources and project authorities are still needed. A well-designed charter serves as a core reference and communication document until the project or program is launched, at which point the program documentation takes its place. Charter documents include a problem statement, the proposed solution, resources required, authorities, timelines, and milestones.
Program A program document is the term we use to describe the various components required to implement a function in an intentional, systematic way within an organization. It includes guiding documents such as policy procedures required to execute the program, communication protocols and training materials to support adoption and compliance, and finally performance metrics and reporting. A good example of this would be an employee safety manual, or a business continuity program.
Within either the ERM Program Document or Procedures we expect to see the types and categories of risk that are relevant to the organization defined. There are many ways to define and categorize risk, and how the organization chooses to do it is as unique as the organization itself. There are some standards that can be found, and it is often a good exercise to review what other similarly situated organizations are using as their risk definition structure. However, there is no right or wrong way of doing this if it makes sense and can be easily communicated throughout the organization.
When we talk about risk there are some standard buckets that can be used that are well recognized in the business context. When we consider the type and category of risk we are talking about where the element of uncertainty is coming from, IE the risk. We must remember that the impact of most uncertainty is typically measured in financial terms, being that almost every activity, action, or reaction within an organization has a monetary influence. It is useful to have good organization in the way that we categorize and capture the various events and or circumstances that result in a risk to the organization, primarily because it allows us to identify the correct subject matter experts to engage when we for the mitigation or leverage of that risk. In this playbook we will talk about risk in five main categories:
Geo-Political - That risk which emanates from economic, social, or political events or circumstances that are national or global in nature.
Operational - That risk emanates from the day-to-day operations of the organization, specifically regarding people, tools, and systems. This is by far the largest category of risk and addresses things such as compliance, safety, and systems failure
Strategic - That risk which can either enhance or impair an organization's ability to achieve long-term sustainability by successfully delivering on its vision and mission, encompassing things such as consumer, technology, reputation, industry, and internal governance capabilities.
Financial - Again, recognizing that nearly all risks can be defined by financial impact when we speak of financial risk we're talking specifically about factors that affect the financial stability of the organization in terms of market fluctuation, liquidity, and credit risk.
Catastrophic - Risks that are of a natural, man-made, or pandemic nature and have the potential to significantly disrupt or overwhelm the organization in terms of its ability to operate.
Within a larger framework, these five could be considered main risk categories which can be further broken down into risk types to add additional detail and relevance to the organization. Below is a simple structure that we have designed to illustrate how these various types of risks can interplay. Geopolitical risks, as well as catastrophic risks, can come to bear with any one of the operational, strategic, or financial risk spectrums. It is important to note here that risks are rarely singular and independent, rather they typically cascade and influence and trigger other risks across the organization, good or bad, in a compounding manner.
Once risk categories and types are established, we must then define a method for measuring risk. Every person takes in, processes, analyzes, and comes to conclusions about risk issues differently than everyone else. This is based on varying degrees of experience, subject matter expertise, education, personal risk appetite, understanding, and so on. When we talk about alignment, it is this issue that we are trying to address, to create a common understanding so that when one when we say the risk is high it is understood the same regardless of who is involved in the discussion. This is the purpose of creating a structure that can clearly define it's the way that risk is measured.
When measuring risk, we typically consider both frequency and impact in the assessment, assigning a score to a range that encompasses a low medium, and high spectrum. Again, the more complex and organized, and mature data systems it has, the more finite risk measurement can become. At the core, however, frequency and impact are the minimal elements required. for our purposes here we will use the following basic definitions for risk measures, again these elements may be further refined, as the actual range of measures that relate to each one of them, based on the organization.
Frequency The rate at which something is anticipated to occur.
Impact The level of anticipated effect of an event on the organization.
Velocity The speed at which the impact or effect of the risk is expected to be realized.
We put these elements into a table and then determine a range of low, medium, and high impact for each one, often including a numerical score which can be used later in the process for risk scoring and tracking which we address further in Chapter Ten, Tools.
While frequency impact and velocity make up our basic risk measurement table, we cannot adequately develop a structure for true risk prioritization without the addition of broader measures of risk tolerance, capacity, and appetite. These components require significant input from senior leadership and work hand in hand with cumulative outputs of the risk analysis process to guide the overall program. It is important to recognize that while leadership direction is required to properly define these additional elements, as well as adopt all risk measure frameworks, it is up to the risk practitioner to set the stage for the conversation.
Once risk categories and types are established, we must then define a method for measuring risk. Every
Risk Tolerance The maximum amount of risk that the organization is willing to bear after the application of mitigation controls.
Risk Capacity The limits of financial resources available to handle a material impact to the organization of an unexpected risk. This relates to emergency reserves and risk transfer “safety nets” such as insurance.
Risk Appetite The amount and type of risk that an organization is willing to take to meet its objectives based on risk-reward trade-offs. We address this topic in greater detail later in this playbook.
Every ERM program needs a well-organized and documented process for completing risk analysis, including the following on elements of implementation, tracking, and reporting that come after the analysis is complete. As with all programs and systems, the basic formula for risk assessing includes iterative processes for identification, analysis, treatment and adjustment. The process we share here is one adapted for practical use, framed from a more action-oriented perspective with an emphasis on areas that we have found, through experience, to facilitate easier integration and collaboration within operations.
First, we define Context - the thing to be assessed which creates the boundaries of assumptions.
Second, we Investigate, learning all that we can based on available information.
Third, we Prioritize the findings of our investigation based on impact and relevance to the organization.
Fourth, we develop and implement a plan to Respond to the exposures identified and deemed critical to strategy and operations.
Weaving through every step is an interactive process of Collaboration and Observation, bringing in key stakeholders in every stage, and actively noting the results and impact in every step.
Risk Analysis is a skill and discipline that extends far beyond ERM, and exists even without a defined ERM program. Having the ability to understand and incorporate risk analysis is part of a critical thinking discipline that is essential for leaders at every stage of their careers. Read More about developing a risk analysis thought discipline.
Risk reporting is also a key component of the erm program and is an iterative cycle of pushing out information that has been handled by the risk assessment process so that it can be utilized in key decision-making processes throughout the organization. Risk reporting comes in many forms, each designed to be appropriate to the level of the audience in which it is shared with. An obvious complexity in risk reporting is the fact that risk happens across the organization and so there is a need for a systematic approach in how to take in, compile, and produce risk-related data in a way that will be useful to those who need to use it; the primary issue here is that not everyone needs all the information and thus it needs to be segregated according to the audience.
There are standard tools that are used for risk reporting including risk registers, which may be as simple as excel or in a database system, risk assessment reports which are specific to events, incidents, or circumstances, as well as ad hoc emerging risk reporting. Also critical to the process is the use of key performance indicators and key risk indicators which serve as monitoring and trigger mechanisms appropriate at all levels, but most importantly as tie-ins to strategic performance reporting.
Seizing Opportunities – the Up-Side of ERM
The emphasis with ERM is that it is strategic, allowing us to manage risks AND seize opportunities, but negative risk and how to manage it has really dominated the discussion thus far, and too often is where the understanding ends. However, ERM is just as much about seizing the opportunity as it is about managing risk. A natural byproduct of brainstorming and then deep-diving into risk issues is the uncovering of opportunities that may balance those risks. A more intentional process can be achieved by taking the framework above and replacing the word risk with opportunity. A quick summary here illustrates the point.
Context. Just as with risk, we cannot identify a universe of opportunities, we must first define the context. What are we trying to do?
Opportunity Identification. Here we are brainstorming all opportunities within the context defined.
Opportunity Analysis. This step involves an understanding of every element of the opportunity such as product or service need, industry maturity, market penetration, competition, etc. Then we look at how the opportunity will play out within the organization. For instance, does it fit within our core competencies, do we have the systems and resources to execute, what is the return on investment and profit margin, and can we differentiate from our competitors.
Collaborate & Observe. Review in this context is tied to project management, sales, and numerous other KPIs relevant to the opportunity. What we are looking for here is whether the opportunity pans out the way we expected it to, or did it bring more/less value than anticipated.
From an operational perspective, the intrinsic value of ERM is the synergy created when highly competent, effective, and efficient management systems exist, the organization spends less time managing crises and more time managing the operation. Putting out little fires here and there (or daily – don’t lie), with a bit of calamity thrown in every month or two may seem minor, but it eats away at the time available for strategic thinking and planning. Forget for a moment the value of efficiencies gained, and the improvements captured when smart people get creative at solving problems, and the bottom-line expense reduction due to better processes and fewer predicaments. When the organization is stable, it becomes proactive, nimble, and able to seize upon opportunities because i) it is looking for them, ii) it has the resources to pursue them, and iii) it knows it can execute successfully. This is the gold ring for organizational success, and an ERM discipline together with integrated strategy and resiliency competencies will get you there.
Best Practice ERM Program Design
The following ten core elements represent the framework we use when assessing ERM program design, viability, and efficiency. It is based on a tiered approach, each building on the one before and helping to illustrate the gradient between traditional risk management as a function and ERM as a discipline. Echoed in this approach is the core intent of the Risk Maturity Model and COSO Thought Leadership but structured in a way that we find more straightforward and practical in application. The goal is to build an ERM program that is lean, efficient, and adds value to the organization’s bottom line; to do this, it is critical to avoid overbuilding the framework and overcomplicating the process.
These first four are the foundation for saying that “we have a risk management program”.
Leadership Support, Policy & ERM Culture
Defined Process & Procedures that are Systematic & Repeatable
Standardized Risk Language & Measures that Include a Prioritization Mechanism
Tool for Capturing, Compiling, and Reporting Risk
With the next three, we begin to create the ERM business discipline.
Holistic Process for Vetting & Prioritizing Risk Portfolio
Inputs/Outputs Tied to Strategic & Business Planning with Related KRIs
Defined & Communicated Risk Appetite & Tolerance with defined Threshold Triggers
The final three are evidence that the discipline is persistent and supports good decision-making.
Bottom-up and Top-Down Risk Information Flow
KRIs and Risk Appetite Triggers Drive Reassessment together with KPIs
Iterative Processes for Training, Feedback & Program Improvement
Key Attributes and Organizational Value of ERM
While our focus here is on erm, the truth is that all programs, as we have defined the term, carry the same key attributes for success.
They are clearly defined in terms of what the program is intended to do and the benefit to the organization.
They are operationally feasible, meaning that the program must be designed to fit the unique culture, capacity, maturity, and complexity of the organization.
They include mechanisms for ongoing communication, reporting, and collaboration with key stakeholders, recognizing the essentials of change management in the process.
They are flexible, iterative, and created with evolution and change in mind.
They align with the vision, values, and contributions defined by the organization.
Strategies for Common Challenges
So, if my prior statement is correct (and it is!) then when why is ERM such an elusive goal? Why do we see implementation primarily within organizations where regulation absolutely requires it? There are many reasons, but the following usually hit the top of the charts.
ERM programs are complicated and expensive. Possibly…. but they don’t have to be. Overbuilding an ERM program (or building it too quickly) is not only a waste of resources, but it will very likely fail because it cannot be easily followed or managed. And, when people become frustrated with a process, they will either find an end-around or it will be abandoned altogether. Intentionally defining purpose, objectives and key performance indicators are the only way to track both Return on Investment and Return on Value for a maturing ERM program.
ERM programs slow down the business. This is sadly true in many cases – refer to issue number one above. Because identification and measurement of risk lends itself so easily to deep analytics, it is easy to build complex matrices and risk registers, madly compiling data until all have forgotten why it’s being done in the first place. A properly constructed ERM program integrates with other existing programs, practices, and procedures, leveraging, enhancing, and ultimately improving an organization’s internal mechanisms over time, resulting in more effective and efficient management systems.
ERM is only for “the big guys”. Nope, but good try. The “big guys” got big because they understood how to capture and utilize risk information to formulate and drive strategy. The ones that have been around for a while understood also that a successful organization requires identification of emerging risks and opportunities, nimble operations, and internal resiliency. Regardless of size, industry, or even profit/non-profit sector, sound management practice requires that the right people have the right information at the right time to make the best possible decision. This is the essence of ERM discipline! And while there are specific characteristics that are common to all ERM programs, the size, shape, color, and personality of any one program are not fixed and should not be presumed.