At RIMS, we define enterprise risk management (ERM) as a discipline, not in the sense of punishment, but as the mastery and continued maturation of risk competencies. Essentially, ERM is all about building risk management capabilities throughout the organization.
As risk professionals, we often focus on ERM as an end in itself rather than a means to support the organization's objectives. But to be useful, that is exactly what it must center around: providing value to the company.
Alas, there is no magic bullet to implement a program that will hit that target. But there are some key guidelines you can follow. With that in mind, the following 10 simple steps may help guide you as you begin planning your journey.
1. Define what value your organization will gain from ERM
Because it is so difficult to demonstrate ERM value through traditional investment metrics (return on investment, return on equity, return on assets, or risk-adjusted return on capital), many companies make the business case in other terms, looking at ERM in four categories: shareholder value, risk mitigation, process consolidation and silo elimination.
While these are worthy goals, they can be difficult not only to measure but to articulate to management and the board. Since leadership is always focused on value creation, the link between ERM and the organization's strategy is often weak at best.
So how does ERM actually contribute to the organization's value? How can that be demonstrated and measured in terms that are meaningful?
You first have to discover what value your organization is trying to create, as well as protect. Is it simply increased share price? Or is it reducing volatility to enable a more efficient use of capital? Or perhaps, for non-profits, is it delivering more services to a broader constituency?
Whether value is expressed as market share, profit, service provision, donor levels, social impact or some other benefit, how do the enterprise risk management competencies advance the organization's mission and related objectives? In other words, what business need will be met through a structured ERM approach?
2. Research and understand different standards and frameworks
Advocates of certain risk management standards and frameworks may encourage you to believe that there is one, and only one, "right" way to define and manage risk. If you operate in a regulated environment, you indeed may need to comply with specific risk management standards. But risk management practices tend to be universal and evolve over time, whereas standards (and regulations, for that matter) may not keep up with more current, innovative practices.
Even so, learning about each of the major standards can generate ideas. A 2011 RIMS executive report, "An Overview of Widely Used Risk Management Standards and Guidelines," analyzed six frameworks, and nearly all were found to be similar in certain ways. For example, each requires, among other aspects, the adoption of an enterprise approach with executive-level sponsorship; structured process steps, oversight and reporting of the identified risks; a risk appetite definition with acceptable tolerance boundaries; and monitored treatment plans.
Although we uncovered a number of common elements in our research, certain success factors were either missing or underdeveloped, most notably root-cause analysis and risk appetite management. Moreover, we found that 44% of North American risk practitioners choose to adapt their practices from a number of standards rather than adopt any one standard. Learning as much as you can will give you a solid foundation to decide what elements are the most vital to your ERM initiative.
3. Inventory what your organization is already doing
Many organizations already have controls in place for widely understood risks, such as business disruption, environmental liability or worker injuries. …