ERM: A Holistic Approach to Identify, Understand and Mitigate Risk

Laura O. Jackson, John Duncan


November 21, 2016

As regulatory and business environments change, effective prioritization of risks requires sound judgment to anticipate both the potential likelihood and consequences of a specific event. The difficulty of this process is intensified by the need for companies to be increasingly adaptive and innovative. As a result, business leaders are turning to enterprise risk management (ERM) to help them proactively identify, analyze, and manage risks and opportunities that have the potential to impact their organization. Recently, the U.S. Office of Management and Budget mandated that federal executive departments and agencies move to evaluate risk holistically with ERM, stating that “an open and transparent culture results in the earlier identification of risk, allowing the opportunity to develop a collaborative response, ultimately leading to a more resilient government.”

One significant ERM implementation challenge is determining where in the organization it can provide the most value. Originally, ERM was implemented only as a leadership function, conducted at the top of an organization to develop a strategic risk profile to inform senior executives and boards of directors. In today’s evolving organizations, ERM processes support decision-making at diverse levels in the organization.

ERM is a strategic review and can occur anywhere that requires strategic planning and has resources to allocate. Organizations can define “enterprise” to be as narrow or as broad as provides value. Defining the organizational scope of your ERM effort is a non-trivial activity but is worth the effort.

Some organizations have found it valuable to perform ERM assessments at regular intervals and at different levels of the organization. There is no one-size-fits-all approach, and organizations have to conduct risk assessments as defined within their specific enterprise.

Applying an ERM Program

In one example of adapting strategic ERM, an internal evaluation was conducted to determine gaps in managing organizational risks. The organization identified that it had neither a structured process for performing strategic ERM across its assets and operations, nor the required expertise and experience in house to develop and implement such a process. While personnel were aware of numerous potential drivers of risk to the organization that could circumvent operational and mission success, a systematic process was needed to help collate, assess and manage these risk drivers. A pilot program was launched to address the following needs:

  • Development of an ERM maturity map and plan

  • Engagement of management in ERM

  • Building ERM expertise within the organization

  • Understanding how to collate identified risk drivers

  • Identification of top risk drivers

  • Development of actions to address key risk drivers

  • Implementation of ERM support software

  • Systematic maturing of ERM as part of the overall enterprise management

  • Tracking enterprise risk understanding and enterprise risk reduction

  • Application of ERM results to improve enterprise management

Now in its third year of implementation, the holistic ERM program has progressed from the initial establishment of a strategic process to maturing the program to include guiding software implementation with additional targeted projects that provide immediate benefits toward achieving long-term, sustained mission success.

Toward a Holistic Approach

Leaders are entrusted to provide guidance to their organization, establishing strategies, overseeing operations, and managing risks while working collectively to succeed in its mission. Balancing these objectives while navigating an evolving business climate requires a comprehensive approach to risk management that considers a broad range of operational threats within an organization that could affect its near- and long-term success.

Holistic ERM provides an approach that is vital to fulfilling and excelling in the leadership mandate. This approach involves scaling risk management programs to the purpose of the organization, which may require continuous development and management, rather than scaling risk assessments to fit their planning cycle. ERM supports leadership in making informed strategic decisions to set the agenda, allowing leaders to manage risks more appropriately, provide opportunities for their business and help eliminate surprises.

Laura O. Jackson is the senior program director of strategic and enterprise risk management at ABS Group.

John Duncan is vice president of government and public services at ABS Group.