Having worked for a combined 35 years in and around the finance offices of major Midwest state and local governments both as clients and advisors, we can appreciate the skepticism with which finance officers must approach enterprise risk management. Yet beyond the hype and hyperbole, ERM embodies a quiet evolution in the ongoing effort to improve government performance--an evolution in scope, focus, and purpose.
Governments have employed a myriad of techniques and tools to improve their performance, including activity-based costing, performance budgeting, business process redesign, enterprise resource planning, customer relationship management, and e-commerce to name just a few. In many cases, however, the potential benefits of such efforts have proven elusive. Too often, these initiatives fail to deliver because of their own implementation issues. They may also fall short of their goals because they are viewed as standalone projects and not as an integral part of an ongoing management framework.
Although definitions of ERM vary widely by industry and among organizations, ERM is quite simply a top-down approach that aligns strategy, processes, people, technology, and knowledge to manage and optimize the risks of highest importance to the organization. It moves beyond the tradition of risk mitigation toward risk optimization, which involves determining an organization's risk appetite and capacity, seizing opportunities within those parameters, and capitalizing on the rewards thereof. As a result, risk management is beginning to be perceived as a new means of strategic management that links strategy to day-to-day risks. (1)
From Assessment to Management
Risk management has steadily evolved from simple internal control reviews to risk-based control reviews to comprehensive business risk assessments to enterprise-wide business risk assessments. Many organizations have embraced the concept of risk as a means of prioritizing management actions, identifying and measuring financial risks, business risks, process risks, and other types of risk. Traditionally, an outside entity assessed organizational risks and rendered a judgment thereon. ERM turns this notion inside our by embedding risk management in the organization as a key operating process. It transforms risk management from a tool used to focus attention into a process used to manage performance.
Integrated Service Delivery
ERM addresses the complete cycle of risk management by integrating the four phases of risk shown in Exhibit 1. First, ERM assesses the risk universe and prioritizes the risks in relation to their significance to accomplishing an organization's mission. Second, ERM maps risks to treatment options. Management can address risk in several ways, including risk termination, risk reduction, risk acceptance, and risk transfer (Exhibit 2). Third, ERM implements the selected treatment plans that optimize risk. Finally, ERM establishes a monitoring process to identify changes in the risk elements and to monitor progress in risk management. Upon completion of this phase, the cycle begins a new with a re-assessment.
Not Just a Solution in Search of a Problem
City Council or Board members will be among the first to demand that finance officers demonstrate the impact of ERM on the bottom line. Although each of the components of ERM can provide tangible benefits, the intangible benefits often are the most rewarding. Combined, they can drive still greater stakeholder value.
Risk Assessment Benefits. Risk assessment is the identification of an organization's risk universe and the prioritization of those risks. This process accomplishes two purposes. First, it identifies gaps or mismatches in the control structure. At a high level, the assessment can call out those risks that are under-controlled as well as those that are over-controlled. An over-controlled risk may represent an opportunity to reduce costs. …