Do You Really Need the Whole ERM Enchilada?

Organizations are under increasing pressure to adopt enterprise risk management (ERM) frameworks, but is this really necessary? Many experts believe that you don’t need a comprehensive ERM program in place in order to be successful – a more targeted approach may be all that’s required. In this post, we discuss the benefits of an ERM strategy and provide tips on where to focus your efforts.

ERM Primer

Enterprise Risk Management is typically defined as the methods and processes used to manage risk and seize opportunities related to the achievement of an organization’s key objectives. ERM is a framework, with standards set by COSO, ISO and RIMS, that extends the risk assessment process across all entity functions, grouped under operations, reporting, compliance and strategy.

Enterprise Risk Management Frameworks

ERM frameworks are intended to support the achievement of an organization’s strategic and operational objectives, typically in four categories:

- Strategic – high-level goals, aligned with and supporting its mission

- Operations – effective and efficient use of its resources

- Reporting – reliability of reporting

- Compliance – compliance with applicable laws and regulations

A well-designed ERM framework can help an organization proactively manage risk, protect against potential losses, and capitalize on opportunities.

ERM frameworks are designed to be flexible and can be customized to fit the specific needs of an organization.

Implementing an ERM framework can help an organization improve its overall risk management practices and make more informed decisions about how to manage risk.


The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. Enterprise risk management encompasses:

- Enhancing risk response decisions

- Reducing operational surprises and losses

- Identifying and managing multiple and cross-enterprise risks

- Seizing opportunities

- Improving deployment of capital

- Aligning risk appetite and strategy

The fact of the matter is that ERM is as much about strategy as it is about risk management, and it can be a game-changer well within the grasp of even the most modestly sized operations.

Do You Really Need ERM?

The short answer is - it depends. Let's drill down a bit.

If you are a US financial institution, ERM is federally mandated.

If you are a publicly-traded company, then you need ERM – the Securities & Exchange Commission requires key elements of the program, and S&P uses it as part of its rating structure.

If you are a government agency or a contractor supporting the federal government, then you likely need ERM – OMB Circular No. A-123 sets this expectation.

If you are in health services and looking to attain or renew CARF accreditation, then you need ERM (although they don’t call it that in the standards, the connection to strategy and enterprise-wide scope are there).

If you are a private entity not falling under one of the descriptions above, you may not be compelled to implement ERM, but it is certainly best practice especially if you have a large, complex operation.

ERM Challenges

ERM programs are notoriously difficult to justify, design and implement because they reach outside of operational safety, environmental, and hazard loss to touch every functional area of an organization.

The difficulty in doing ERM right is similar to that in strategic planning – both are often treated as a function rather than as the broad discipline that they really require.

ERM and Strategic Planning are often housed and developed separately, so we often find significant disconnects that weaken both capabilities where there should be strength and synergy between the two.

Understanding the importance of connecting strategy, risk and resilience, we will show you how to integrate key elements of these programs, so they work together as intended.

A disconnect between your organization's risk and strategic planning can be costly.

Erin can help you integrate key elements of these programs, so they work together as intended. This will create a more cohesive strategy that is less susceptible to risk.

By integrating ERM and Strategic Planning, your company can become stronger and more resilient to outside factors. Allow me to show you how this can be done in a way that is tailored specifically for your organization.

Request a consultation with Erin today. As a Master Strategist, Erin can help you create a more successful organization.
