Each instance of successful ERM implementation is unique, and really depends on interpreting principles, not a fixed format. However, a sample risk management plan is typically a copy of the process steps from a standard, or a list showing the formal elements:
- Communicate and promote the program;
- Select an appropriate standard;
- Define the governance structure;
- Create policy to apply risk management steps to the business;
- Establish tools, resources and a training plan.
Although those steps come to mind, I don’t take a bureaucratic approach when I work with clients. I find people have often done their homework on the formalities, and instead need help to get the program started. Proving the risk process at the front end is a low-risk way to proceed. Let’s look at a particular case.
ERM Case Study: Camosun College
When Camosun College first called me, they were bound to implement ERM following instructions from the Board, had a project manager engaged to lead the effort, and had studied the ERM framework.
They asked: where do we start? I asked in turn: where are the most pressing challenges in your planning and operations? I wanted to identify a pilot group with whom we could try risk identification and assessment – whether at the department (operational) level or executive (strategic) level.
The project lead set up a session with the college president and the senior executive, and I facilitated the identification and assessment of risk for the college’s multi-year strategic plan. Our aim was to demonstrate the risk methodology to the executive group, and see what kind of results it would give.
We prepared the session with a fairly short, but carefully defined context paper. We reviewed the templates and criteria we would use. The project lead explained to me: ‘Edward, we like your templates, but we have changed some of the terminology to “Camosunize” them.’ I was glad, because this meant the risk management team was adapting the method to their own working culture.
The session was a team building exercise, because controversial matters found resolution, not arbitrarily, but based on their own criteria, such as strategic direction and professional values. It resulted in a comprehensive risk profile and an agreed risk mitigation blueprint, involving plans to build up certain programs, attenuate others, and take other pro-active administrative steps.
At that point, executive had no problem in mandating a roll-out to other administrative and academic departments, one-by-one, to test and improve the process gradually.
Camosun set up an exemplary Enterprise Risk Management regime within18 months. They liked the results and presented them to the Canadian Association of Community Colleges. The CFO Peter Lockie tells me he regularly gets calls to speak about Camosun’s ERM experience and share materials.
Principles of ERM Implementation
I started out by saying that successful ERM implementation depends on principles. Here are important tenets of program implementation that Camosun paid attention to:
- Gain senior executive support; not through lip service, but through active participation;
- Gain staff and participant support through encouraging ownership and adaptation of tools and language to suit the organizational culture;
- Demonstrate value: work with participants to prove how the new management practice (i.e., risk ID and assessment) solves critical business dilemmas, builds consensus and helps them get their jobs done;
- Resource the project adequately in order to support a phased implementation;
- Proceed incrementally, with a low-tech approach, and allow feedback and improvement – avoid a monolithic and wholesale imposition of new system;
- Integrate the new practice into existing planning and management regime as an improvement, not as an administrative burden.
Check a similar case involving the Alberta Urban Municipalities Association (AUMA-AMSC).
Tags: erm case study, risk framework, risk management plan example, risk methodology, risk process, sample risk management plan