The two primary benefits of enterprise risk management (ERM) are reducing financial and operational surprises and improving performance to increase probability of achieving strategic objectives. Any size organization would profit from these benefits, but many small to medium-sized companies typically do not have defined ERM initiatives. Reasons include cost constraints, fewer dedicated risk professionals, limited resources, fewer employees often serving multiple roles relative to larger companies. But small to medium sized companies can benefit significantly from ERM, without it being costly, complicated or time-consuming.
Why would a small to medium sized organization want to implement ERM? In some cases, ERM is regulatory driven. Examples include Sarbanes-Oxley requirements for publicly traded companies and industry-based regulations such as financial institutions and utilities. Effective ERM reduces financial variability, and also identifies and prioritizes risks to achieving strategic objectives, breaking the traditional siloed risk approach of managing risk solely by function or business unit. Successful ERM efforts develop actionable risk mitigation plans to reduce risk and drive performance, while gaining C-suite consensus on critical risks and mitigation efforts. ERM improves resource deployment and effectiveness and creates a competitive advantage.
Board member or C-suite support and an ERM leader are necessary to launch ERM. The CFO is an ideal champion to lead the effort and provide the requisite senior leadership support. To start and avoid pitfalls, keep it simple and demonstrate value early. ERM does not have to be complicated to be effective. Simplicity and a positive return on investment for senior leadership, board members and stakeholders significantly increases buy-in, participation and ultimate ERM success.
Getting Started
Start with a risk assessment and mitigation planning directly linked to strategic objectives, strategic planning and strategy execution. The most valuable and simple assessment scope is “assess the risks to achieving strategic objectives” with a prospective time horizon, typically three years.
Risk identification and prioritization needs to capture a thorough risk description, impact, likelihood, and current controls for each risk. The assessment process should include one or more of the following methods: workshop(s), interviews and surveys. Surveys alone do not provide the depth necessary to thoroughly define risks, and a workshop is best for thorough risk articulation, C-suite consensus and education.
The second part of the process is developing risk mitigation plans. For each of the top risks, workshop participants create mitigation plans with specific mitigation actions, success measures, action owners, target dates and overall risk owners. Mitigation plans serve as the blueprint for implementation by risk owners and action owners to reduce risk, drive performance and increase the likelihood of achieving strategic objectives.
Capturing and documenting the risk assessment and mitigation planning processes produces critical communication and reporting tools including a risk register, a risk map and risk mitigation plans. Outside the workshop, the ERM leader should also develop a strategic objectives risk linkage chart to indicate the specific risks to each strategic objective. This document reinforces the direct linkage of ERM risks to strategic objectives and helps reprioritize resources related to mitigation plans for critical risks. These ERM deliverables are valuable in the organization’s strategic planning process.
At this point, take a pause. Let senior leadership digest and realize the value created, as they utilize the risk information and implement risk mitigation plans. Do not try to boil the ocean all at once.
Expand the Team
One person does not have to shoulder the entire ERM effort. Most small to mid-sized businesses have limited resources that are usually stretched quite thin, and most CFOs do not have the time to go it alone. Ask for support from other senior risk silo owners, including VP of audit, general counsel, VP of strategic planning, chief information officer and treasurer. The group size and composition will vary by company, but a two to four-person team is a good start. Next, define roles and responsibilities for each team member and allow the team to work together for at least a quarter tracking risk mitigation plan implementation, monitoring risk profile changes (i.e., risk reductions, increases or emerging risks), and reporting results to senior leadership.
Develop a Risk Appetite Statement
A risk appetite statement is a written statement defining the levels and types of risk an organization is willing to take in pursuit of its strategic objectives. The statement should be developed through discussions with selected members of senior leadership and ultimately be approved by the leadership team and the board.
Document and Formalize the ERM Process
After clearly demonstrating ERM’s value, document ERM activities and the roles and responsibilities of those involved. Documentation should include risk assessment process and timing; risk mitigation plan implementation, monitoring and reporting; monitoring and reporting of changes in risk profile and emerging risks; risk appetite statement and risk escalation process; senior leadership and board reporting process and timing; and roles/responsibilities of the ERM team, leadership and the board.
Ensure Sustainability
It is surprising how many organizations take the initial steps with a risk assessment and even mitigation planning and then let the process die on the vine. Demonstrating value, building the team and documenting the process will help ensure sustainability.
The ultimate goal is creating a risk-aware culture, requiring a change in the organization’s mindset to consider risk in daily activities, planning and decision making. The incremental steps described here will create an uncomplicated, pragmatic ERM program focused on achieving strategic objectives. However, the cultural change to a risk-aware organization will take more than the six months needed to initially develop an ERM program.
When simply, practically and incrementally built, ERM for small to medium-sized companies can be accomplished at negligible cost, without new hires, and with minimal drain on senior leadership time, producing substantial benefits and demonstrating that ERM is not solely for large companies.