For those considering this mature, strategic view of risk management … how does an organization begin to implement ERM? The initial steps entail establishing the ERM roles, identifying the objectives for each role, and defining the risk management “context.”
A successful ERM program will depend upon establishing four main roles at the outset. A best practice is to define these roles in an ERM Charter.
The first role to establish is the “oversight” of the Board of Directors (Board). This responsibility can be retained by the Board at large, or it can be assigned to a risk committee or an audit committee. The Board needs to set and champion an overall risk management strategy and direct the treatment of the organization’s most critical risks. The Board should also ultimately decide on and approve the Risk Appetite for the organization.
A second role will be fulfilled by a committee made up of the key executives of the organization and, preferably, those responsible for operations and company performance. The “Risk Management Committee” (RMC) is the chief decision-making body for the ERM program. The objectives of the RMC will be the prioritization of risks and the allocation of the resources (budget and people) needed to respond to those risks. Specifically, the RMC will monitor risk profiles, and review guidelines, policies and processes for monitoring and mitigating risks. The RMC will also review the scope and adequacy of the company’s insurance and mitigation activity, and addresses any risks that exceed established thresholds that are aligned with the Risk Appetite. The Risk Appetite is a fundamental metric that governs the Risk Register and the all-too-familiar red/amber/green “heat map.”
We should note here that the RMC’s role is also one of influence throughout the enterprise. Because its members are at the top of the organizational chart, this team serves as a very visible marker of “tone at the top.” This is critical in conveying the importance of ERM and getting the entire organization to “buy in.”
The third role is a support group – a “working group” if you will, for each RMC member, who are drawn from the business units and operational support functions of the organization. These are the managers that embody detailed, day-to-day knowledge of the operations and risks of the organization. The objectives for the Workgroup are the identification and quantification of risks. The Workgroups take inventory of existing risks and past forecasting of likelihood and impact of those risks. To identify additional risks, the Workgroup members will work within their respective areas, interviewing individuals, taking surveys, conducting workshops and evaluating the operations to surface the major risks to business objectives.
Finally, a Risk Management Program Office has to be established to provide training and guidance to the RMC, the Workgroups and other members of the organization who will participate in risk management. The training and guidance will, among other things, aid in performing the objective-setting and context identification.
The “context” of the ERM program provides structure for identifying and analyzing risk. The context can be thought of as the risk environment. The context has both internal and external aspects. The internal context includes three major components:
The external context also has three major components:
Delineated roles, clear objectives and a defined context are the pillars of a successful ERM effort. Taking a portfolio view of risk helps organizations better understand certainty and awareness, avoid surprises, and make better decisions.
Contact us for information on how your organization could benefit from an ERM approach to risk.
In our next post in this series, we’ll talk about designing an ERM Framework, including the Risk Register and the "heat map."