In our previous blog posts, we introduced Enterprise Risk Management (ERM) as a strategic discipline that affords a “portfolio view” of risk; outlined how to establish roles and context for ERM implementation; and explained how to establish a risk-aware culture and develop an ERM framework.
We continue our ERM series by conveying the central principle of ERM: incorporating risk considerations into the pursuit of business goals. How does an organization begin to go about this? Risk considerations belong in each employee’s work: “everyone is a risk manager.” Thus, the success of ERM depends upon preparing the entire organization to embrace it, which in turn requires a carefully designed and executed rollout of preparatory messages, guidance and training.
Preparing Your Audience
For ERM to be successful, it is important to get the entire organization to understand that ERM is not a “check-the-box” process, nor is it a standalone compliance program administered by “others.” The organization has to recognize that ERM is risk management that is embedded in their business processes. There are two important messages that get this concept across.
The first message is that of demonstrating executive support for ERM. The Committee of Sponsoring Organizations (COSO¹) refers to this as “tone at the top.” The executive buy-in encourages the rest of the organization to join in the risk-aware culture. “Tone at the top” also highlights the intention to incorporate risk considerations into decision-making and goals.
The second important message is that of communicating the value of ERM. An organization’s employees will be more willing to invest time and effort into ERM if they understand that effective ERM improves profitability, sustainability and accountability.
It Starts With Guiding Risk Identification
An initial survey for the organization is often used to kick off organization-wide risk identification. The initial survey typically asks staff members to report two or three of the top risks to their respective goals, the likelihood of each occurring and the impact of each. The impact is often measured in dollar amounts, but other scales may apply. For example, a safety risk may have a potential impact of “injury requiring hospitalization.” The surveys will have built-in guidance on how to rate Likelihood and Impact. The Likelihood and Impact Model pictured shows a “five-by-five” rating system.
Surveys will get the risk identification process going, but they are not the sole means of risk identification. They are often accompanied by facilitated workshops, which offer the advantage of having trained personnel on hand to reinforce risk identification guidance. These workshops also offer an interactive experience where risk descriptions and Likelihood and Impact ratings can be refined. The most successful workshops balance a session of formal training with a session of practice in which the participants identify the top risks for a project, assess the risks and then create a risk response.
Risk identification guidance can also steer staff to mine special sources of risk information such as inspections and audits. Staff can also be guided toward adopting techniques such as SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis and PESTLE (Political, Economic, Sociological, Technological, Legal, Environmental) analysis.
The most intensive training will be directed at the risk leaders: the members of the Risk Management Committee, the Workgroup and other key risk managers. These are the people who will be the authoritative resources of ERM for the rest of the organization. Their training will encompass the classification of risks, the identification of risk owners, the ratings system, materiality thresholds, Risk Appetite and Risk Tolerances. (It is no coincidence that these are precisely the elements that will be captured in the Risk Register – the central repository for all of the organization’s risk information.)
This level of training will entail the development and delivery of formal presentations. It will also entail the development of a manual to be used first during the training session and then as a reference thereafter. Formal group training is essential to form cohesion among these risk leaders, but e-training modules are particularly useful as a supplement. E-training accommodates individual schedules and allows each person to reinforce their training by viewing the sessions again on demand.
Successfully introducing ERM requires the orchestration of a campaign. The campaign consists of carefully crafting the communications, workshops and training modules, and then timing the events for maximum reinforcement.
Contact us for help with your ERM rollout.
In our next post in this series, we’ll delve into looking at risk from a “big-picture” viewpoint – which includes identifying and prioritizing risks as well as uncovering opportunities.
¹ Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework, https://www.coso.org/Pages/erm.aspx