ERM Implementation – Platitudes?


June 22nd, 2010 / Posted in How to Implement ERM

ERM Process Misconceptions

If you have been charged with implementing Enterprise Risk Management, I’m sure that you are familiar with promotions and pronouncements that run along these lines:

  • We want to embed ERM in the organization and get everyone to think about risk.
  • Employees must be risk-optimizing in their business decisions.
  • All employees are risk owners.
  • The focus of ERM is our assets and resources, and their exposures to risk.
  • The key to successful ERM is a robust communications plan.
  • The ERM program will reduce uncertainty and reduce volatility, improve our credit standing, and demonstrate compliance to the Board. This will translate into shareholder value.

Do these statements sound familiar? On the face of it, they sound like a wonderful plan for a mature risk culture. The trouble is, they don’t tell us how to achieve these benefits.

First, a caution. One of the statements reads:

>>The focus of ERM is our assets and resources, and their exposures to risk.

No. The focus of your ERM program is your organization’s goals and objectives – which flow from the strategic direction and values. The enterprise risk management definition is based on the concept of risk as the “effect of uncertainty on objectives” (ISO) or “the chance of something happening that will have an impact on objectives” (AS/NZS 4360).

In the order of things, mission, vision, and strategic direction are actually paramount. Furthermore, behavioural guidelines for public agencies or private companies – code of ethics, business rules, professional creeds, etc. – are elements of the organization that have economic value. They are definitely at risk, susceptible to analysis, and require risk mitigation. They are merely supported by assets and resources, which are of secondary consideration.

ERM Methodology: Focus on Bureaucracy or Value?

How to actually achieve ERM benefits is probably what concerns you most if you are in charge of implementing ERM. What is your approach?

I believe that all programs and initiatives, in any field, whether in a private sector firm or government, have a bureaucratic or formalistic side and a practical value side.

The bureaucratic side consists of the promotional pronouncements like the ones above, describing the virtues, promises and supposed benefits of the new program. It is also in the policy. If this side is relied on too much – that is, if there is no genuine substance to the new program – then what you will see is mere lip service and avoidance; or compliance with pro forma templates and check-lists. It ultimately fails.

I recommend putting the practical value side first. Focus on a minimalist approach to enterprise risk management implementation: seek practical value; prove the core ERM methodology – that is, effective risk ID and assessment. This is at the heart of the organizational change you are seeking.

You might say that you can’t lead with the technical side: if you create a brilliant solution but fail to communicate it, it’s a failed program. But I would much rather err on the side of unadvertised value than on the side of promoted fluff. It’s much better – and less risky – to build incrementally upon a firm foundation. A risk ID and assessment method that solves business problems sells itself.
