Enterprise Risk Management
ERM: Moving beyond assessment
Software company's White Paper details ways to use ISO31000 standards
By Michael J. Moody, MBA, ARM
For the most part, the practice of risk management has changed over the past few years. While enterprise risk management (ERM) was little more than a concept 10 or 12 years ago, corporations around the world are today beginning to take a more enlightened, holistic approach to their risk management programs. While there continues to be a lag in the implementation of ERM, many boards of directors have ERM on their agendas in some fashion for 2012 and beyond.
The lack of a single framework and universal language has not helped the take-up rate for ERM. However, progress has been made in the last couple of years and, in some cases, significant movement has taken place in specific areas. An excellent example of this progress is the risk assessment phase of ERM.
Important first step
A number of recent studies of the current state of risk management share some important observations. The Marsh ERM study, the Aon ERM study and RIMS's State of ERM Report all noted that companies have universally made significant progress with their risk assessment activities. It appears that many organizations are, in fact, beginning to take an enterprise view of risk assessment. Many have begun building consensus via discussion groups that include operating management from all parts of the company.
Additionally, the discussion groups have started to accept that they need to concern themselves with the top 10 or 12 major risks rather than several hundred smaller risks. Many of the organizations have also quickly accepted risk mapping as a method of graphically displaying the results of the assessment. Consequently, most participants in the surveys noted above have graded their firm's efforts in the risk assessment area as high.
Moving beyond assessment
Without question, there is positive value in developing an enterprise view of an organization's risk profile. However, as the surveys noted above attest, the response to the remaining ERM implementation sections is almost as universal, which accounts for the lagging results. Many companies are still having trouble moving past the assessment segment of ERM, and are thus depriving themselves of the true value of ERM. Cura Software, a software company that specializes in ERM solutions, has provided some guidance for companies that are trying to progress past the assessment phase. This assistance takes the form of a White Paper titled Bridgework: An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management Using ISO31000.
The paper first notes that the ISO31000 risk standard sets out several key attributes that identify excellence in risk management, including:
1. "A pronounced emphasis on continual improvement in risk management through the setting of organizational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capabilities and skills."
2. "Comprehensive, fully defined and fully accepted accountability for risks, risk controls and risk treatment tasks. Designated individuals fully accept, are appropriately skilled, and have adequate resources to check risk controls, monitor risks, improve risk controls and communicate effectively about risks and their management to internal and external stakeholders."
3. "All decision-making within the organization, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree."
4. "Continual communications with highly visible, comprehensive and frequent internal and external reporting of risk management performance to all stakeholders as part of a governance process."
5. "Risk management is viewed as central to the organization's management processes so that risks are considered in terms of effect of uncertainty on objectives. The organization's governance structure and process are founded on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organization's objectives."
From this starting point, Cura has translated the ISO31000 attributes of excellence in risk management described above into five tactical themes, comprising the tools, techniques, reports and methodologies that form the foundation of the firm's ERM software solutions and management platform:
Tactical Theme 1: Enforce Accountability
"Appoint risk champions who will facilitate the risk management process within a business unit region or other significant entity. The role of the risk champion is not to do the risk assessment, nor should the risk champion define or execute the risk treatment and action plans. Schedule regular workshops for all the significant entities of the organization where risk officers from each significant functional area or key organizational driver should participate. It is important that participants understand the need for transparency and accountability and that they accept responsibility for issues that arise."
Tactical Theme 2: Embed Risk Management
"A regular, defined reporting period helps to engage the risk officers and to gain traction. Ideally, the deadlines for the rollout of the ERM process should coincide with the reporting period for the first 2-3 periods. Managers use the information that is reported at the risk management meetings to manage their own activities. Those activities may be delegated to, or closely involve input from, persons close to the impact or root cause of the risk event. Risk management should be embedded in the business processes throughout the organizational hierarchy of accountability."
Tactical Theme 3: Link Risk Management to Strategic Decision Making
"The risk assessment and management process should be invoked whenever decisions need to be taken on significant investments, capital projects, strategic plans, legal or regulatory changes, new initiatives, organizational drivers or any other uncertainty that the organization encounters. It is important to set the context for risk management in the organization up front. Whether it is to improve efficiency, reduce incidents, establish a healthy and safe work environment, protect shareholder value, the environment or the employees, drive strategic product development or maximize opportunity in uncertain times, the information collected during the risk management process can be used to measure the objectives that the organization has defined."
Tactical Theme 4: Communicate Risk Management Widely
"All risk management, risk treatment and action plans deserve wide communication and organizational involvement. This communication includes the context of risk management, risk framework and intentions, as well as the risk management plan. Every risk, control and action item in the system must have an owner who is both accountable and empowered to manage that risk."
Tactical Theme 5: Measure Performance in Risk Management
"Because the management of risk directly affects organizational objectives, business units and individuals are held accountable for timely risk treatment and action plans. This helps to drive accountability and ensures that risk exposure is managed within the risk appetite of the organization. Action items are implemented according to established schedules and monitored regularly to ensure that the risk management process is effectively maximizing opportunities and reducing the impact or probability of loss, as well as protecting and increasing shareholder value.
"Risk management is thus tied to organizational performance and governance."
At this point, it is commonly agreed that in order to advance ERM to the next level, corporations must be willing to move past risk assessment. While most realize that risk assessment provides a mechanism for identifying which risks represent opportunities and which represent pitfalls, this in and of itself is not sufficient. Done correctly, risk assessment can provide a clear view of an organization's exposures, but it should serve only as a foundation for developing further risk responses.
Cura indicates that the Five Tactics "represent essential underpinnings of a transformative ERM program that is within the reach of any size organization, in any industry." Drawing on more than "250 broad deployments," the company states that "the principles contained within these Five Tactics are a sound step toward bridging the gap between risk assessment and attaining greater benefits from an ERM program."
Risk professionals who are having trouble getting their companies past the risk assessment phase may want to consider the Five Tactics noted above. After all, the ISO standards are recognized worldwide and may ultimately become the most universally accepted of the available ERM standards. Regardless of the approach, risk managers must find creative ways to move their ERM programs forward.
Agents and brokers whose customers have been unable to deploy an ERM strategy successfully may also find value in investigating this software. Helping clients move to a more holistic approach to risk management can pay long-term dividends. A review of the intellectual capital that large, international brokers have invested will indicate where they think ERM is headed.
Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.