Enterprise risk management (ERM) programs succeed when they effectively manage strategic risks across an organization, enabling it to identify and manage emerging threats, evaluate trends, and drive meaningful enhancements to the business’ resiliency. But simply having a risk management program in place does not necessarily drive optimal value from ERM.
A mature ERM program is intrinsically connected to business strategy and can deliver a sustainable competitive advantage by enhancing decision making and intelligent risk taking. MNP has established an ERM Maturity Continuum to achieving and sustaining ERM maturity in a cost-effective manner. Most organizations achieve the first two levels without significant challenge:
- Level 1: Awareness and Understanding
- An ERM program is under development and pockets of formal risk management exist across the company.
- Level 2: Implementation Planned and In Progress
- An ERM framework (process, tools, training, etc.) has been developed and implementation is underway.
However, many enterprises struggle with the next three levels of maturity:
- Level 3: Implemented in All Key Areas
- ERM is fully embraced by key risk owners at all levels with a strategic risk register that anchors risk decisions for management and guides board-level discussions.
- Level 4: Embedded and Improving
- The culture has changed to fully incorporate ERM thinking in strategy.
- Level 5: Excellent Capability Established
- Clear strategic gains can be linked back to a leading practice ERM program.
In assessing ERM maturity on this five-point scale, we consider the following eight key components of a leading ERM program:
- Risk leadership, governance and culture
- Risk appetite and tolerance
- Risk policy and strategy
- People
- Framework and tools
- Risk management process
- Risk monitoring and reporting
- Performance and outcomes
The assessment must consider the organization’s culture, values and operations – recognizing that each ERM program must be truly customized to reflect the unique operations and business environment within which the organization operates. The evaluation focuses on whether the ERM program is truly driving improved results through enhanced corporate value and business resiliency; rather than how well documented or designed the ERM process and supporting tools are.
Hitting the Wall
Often organizations’ risk management programs plateau at ERM maturity level three, after all aspects of the ERM Program have been designed and implemented at a strategic, entity level. But to truly optimize value, ERM programs need to transition to the next level, where ERM is embedded and evolving throughout the organization. To do so often requires a substantial shift in the organization’s risk culture and awareness, both at board and executive level, while integrating risk management thinking throughout the organization.
A first step is to make risk management a core skill set and discipline for all members of the leadership team is to ensure they understand how ERM programs leverage strategic risk-based decision making to become a competitive advantage. This can be aided by building ERM roles and responsibilities into job descriptions and ERM metrics into executive compensation programs.
Rev Up Your ERM Program – Here’s How:
- Provide continuous training to your board and leadership on the ERM value equation and changing trends and evolution of the ERM program.
- Have an outside expert speak to your board and leadership on relevant strategic risks.
- Establish a strong ERM champion on the board and executive leadership team.
- Have the ERM lead regularly guide a round-table discussion on risk, risk environment and risk mitigation strategy amongst the broader management team, leveraging risk reporting to inform decision making.
- Integrate risk management into the strategic planning process by:
- Identifying existing risks and risk mitigations and leveraging them as an input into strategic planning.
- Once new strategic goals are established, updating the risk register with risks that would impede the organization from achieving those new objectives.
- Establishing or updating risk appetite statements based on strategic objectives, corporate risks and aligning your residual risk within the company’s risk appetite.
- Benchmark ERM maturity versus your biggest competitors.
- Invest in research on trends in relevant strategic risks to identify emerging risks and develop leading key risk indicators.
- Include risk mitigation effectiveness in executive compensation, including the ability to take prudent risks and capitalize on new opportunities within the company’s risk appetite.
- Regularly evaluating the strategic gains the company has achieved through the implementation of ERM and how to enhance the program to drive even better results.
Know Your Limits
Enterprises can miscalculate their risk appetite with potentially negative outcomes by failing to:
- Accurately assess risks.
- Embed risk management in key decision-making activities.
- Continuously enhance the company’s ERM program.
A global manufacturing company, that had a comprehensive ERM program took on more risk than it could support and this had a negative impact on the value of the company. Why? The executives did not fully embed risk management in all key decisions or consider risk appetite and tolerance in key decisions. Formalizing risk management establishes transparency and a common understanding of the risks and associated management strategies that will deliver better corporate performance.
At a level 4 ERM maturity, companies incorporate proactive risk-based decision making into all strategy discussions. Executives need to consider related risks when assessing every strategic opportunity and implement proactive risk mitigation strategies to avoid the impact of unmitigated risk.
Intelligent risk taking for the global manufacturing company would have seen its ERM program consciously build up scalable risk mitigation capability. The company originally took on only one new innovation project a year because it lacked confidence to manage more. A mature ERM program could determine if their risk mitigation strategies could be scaled to take on several new innovation projects at the same time, then manage the increased strategic risk effectively.
Gain a Competitive Edge
The ability to measure strategic risk and embed risk-based decision making in strategic planning and discussions grants an organization more assurance to innovate and take intelligent risk. This can lead to outperforming peers – and increasing your risk appetite over time.
Innovative companies take more well-calculated risks to create new products and services that the competition lack. Many use data analytics to study both opportunity and risk, so when the risk actually occur they already have an effective risk mitigation strategy in place. Highly advanced ERM programs are also using robotic process automation to continuously monitor key risk indicators. A level 4 ERM program in this case provides the confidence to be ready, move faster and be more agile than the competition.
Conclusion
It’s important to overcome the ERM Maturity level 3 plateau. An effective and mature ERM program will also help in gaining the support of your organization’s board and executive to embed a new way of thinking around ERM and implement new innovation at a faster pace and larger scale while delivering sustainable positive results.
ERM maturity is a high value discipline that is a long-term strategic journey for high performing organizations. The sooner you get started on the journey, the sooner you will experience the rewards.
Contact Richard Arthurs, Enterprise Risk Services, at 587.702.5978 or [email protected]