The emphasis with ERM is that it is strategic, allowing us to manage risks AND seize opportunities, but negative risk and how to manage it has really dominated the discussion thus far, and too often is where the understanding ends. However, ERM is just as much about seizing opportunity as it is about managing risk. A natural by-product of brain storming and then deep-diving on risk issues is the uncovering of opportunities that may balance those risks.
A more intention process can be achieved by taking the framework above, and replacing the word risk with opportunity. I will discuss opportunity development more in a future strategic planning whitepaper, but a quick summary here illustrates the point.
Context. Just as with risk, we cannot identify a universe of opportunities, we must first define the context. What are we trying to do?
Opportunity Identification. Here we are brainstorming all opportunities within the context defined.
Opportunity Analysis. This step involves an understanding every element of the opportunity such as product or service need, industry maturity, market penetration, competition, etc.
Opportunity Evaluation. Then we look at how the opportunity will play out within the organization. For instance, does it fit within our core competencies, do we have the systems and resources to execute, what is the return on investment and profit margin, and can we differentiate from our competitors.
Monitoring & Review. Review in this context is tied to project management, sales, and numerous other KPIs relevant to the opportunity.
From an operational perspective, the intrinsic value of ERM is the synergy created when highly competent, effective and efficient management systems exist, the organization spends less time managing crises and more time managing the operation. Putting out little fires here and there (or daily – don’t lie), with a bit of calamity thrown in every month or two may seem minor, but in realty it eats away at the time available for strategic thinking and planning. Forget for a moment the value of efficiencies gained, and the improvements captured when smart people get creative at solving problems, and the bottom-line expense reduction due to better process and fewer predicaments. When the organization is stable, it becomes proactive, nimble and able to seize upon opportunities because:
i) it is looking for them,
ii) it has the resources to pursue them, and
iii) it knows it can execute successfully.
This is the gold ring for organizational success, and an ERM discipline together with integrated strategy and resiliency competencies will get you there.
Getting Started With ERM
Many of the tools and concepts discussed in this white paper are intentionally written for the executive level. While traditional risk management may function for your organization as an operational silo, achieving ERM competency requires an enterprise-wide approach that not only considers but actively integrates with strategic planning and business resiliency programs.
This is a significant paradigm shift for most organizations and will not be successfully achieved from the middle. Thus, getting started means first and foremost a candid discussion at the executive (and possibly board level) of the problems the organization is experiencing and how they can be addressed with an ERM competency. This is where a project charter comes in handy, to capture the initial intent, purpose and objectives of the leadership team and to provide clarity to the staff assigned to do the heavy lifting.
Once a decision is made to pursue best practice capabilities, the next step is an internal scan. Chances are that your organization has some level of risk management, resilience and strategic planning practices in place. Take stock of how they function to map out a preliminary concept for how you envision the three will come together. This initial conceptualization work will help prevent re-work and redundancy later on.
Next the discussion turns to more tactical matters of project plans, priorities, resources, budget, timelines and milestones. Remember, the most successful programs contain best practice elements, but the size, shape and color of your program will be very specific to your organization. Whenever possible, existing processes should be used – change for no reason is wasteful and undermines other legitimate improvements that can be made. Further, disruptive change is counter-productive and can easily result in delays (or worse, failure) than if the roll-out was thoughtful, measured and subtle.
Key Success Factor: Be Realistic – change takes time.
The time it takes for an organization to reach ERM maturity (and thus resilience and strategy maturity) can range from one to five years, or even longer depending on entity size, program complexity and desired outcomes. Plan to build an internal multi-disciplinary team whose positions include, or will include, responsibility for program development and management.
Utilizing consultants can help with things like program design, facilitation of risk appetite and tolerance discussions, and periodic audit and maturity assessments, but ultimately the competency should be internal to the organization.
Recall Lesson One: Organizations = People.
Your people are the first, best resource to accomplish ERM, and the key to ultimately realizing success according to whatever definition applies to your organization!