If you kicked off an enterprise risk management (ERM) initiative at your organization within the last few years, completed a risk assessment after herculean coordination of members of the board, senior management and other key personnel, and have not touched the fabulous risk register that memorialized those efforts in a “few” months… you are not alone.
There are two principal reasons that many ERM initiatives stagnate after the assessment phase:
It is difficult to plan for the future when you are busy juggling the present. Many of these initiatives start when someone says, “We need to get more serious about risk management. I’m putting you in charge.” Often, the newly minted Risk Tsar has “a day job” and little experience with the subject. Getting through the risk assessment is a large time- and resource-intensive project, even for someone who is dedicated solely to that function. Taking it on as a “second job” may make it overwhelming. It is understandable why taking a break after completing the assessment is tempting.
Implementation is unique to each organization. Although there are numerous ways to conduct a risk assessment depending on the nature of an organization, the main features of the process are the same across the board: gather facts, identify risks and prioritize them. Generally, there is a coordinated effort to share information and brainstorm. However, life after the risk assessment is not as clear-cut. Because the process for successful ERM implementation is unique to each organization (in part, because of the need to leverage an organization’s existing infrastructure), the Risk Tsar must continuously gather information about the latest practices and then extrapolate a process that will work for his or her organization.
Unfortunately, having a completed and well-documented risk assessment without implementation (making incremental but continuous changes to appropriately address those identified risks) is a precarious place to be. Aside from providing members of the organization with a false sense of security that can lull them into complacency (a misplaced feeling that having a piece of paper that documents an organization’s risks means that the organization has an effective ERM program), an unimplemented risk assessment may become evidence of an identified but unaddressed problem in a legal or regulatory proceeding.
The action items below will help you to design initiatives to begin implementing your ERM program. The list is by no means exhaustive. Instead, it is meant to help you kick-start the next phase of your process by starting small and focusing on the “low-hanging fruit.”
Establish Accountability. During a conversation at the Poole College’s last ERM Roundtable regarding the difficulties of effectively rolling out an enterprise risk management program, a participant suggested that the key to implementation is having “a neck to wring.” In other words, individuals need to know that they are accountable for ERM activities and responsible for disclosing their results in a transparent manner. Of course, this is easier said than done. Putting someone’s name in the “responsible party” column of a risk register will not do the trick. Rather, some individualized legwork is involved.
To start, suggest that risk owners add a risk piece to regular business and operations reporting. One of the common concerns that risk owners have is that focusing on ERM will increase their work exponentially for little gain. By inserting risk communication into the already existing reporting structure, it is integrated into the day-to-day information flow with a minimal amount of effort by the risk owners and the members of their teams. Something as simple as adding “risk management” as an agenda item to regular meetings can make a large impact.
In addition, it is important that you convince each risk owner that “buying in” to the process will ultimately make their job easier or their performance better. Do this by identifying what business, operational or strategic goals the individual risk owner has and how the initiatives you suggest will help them to achieve those goals. For example, the head of product development wants to innovate the best products as quickly as possible. Collecting information regarding the risk of losing key employees (e.g., project managers are stretched across too many products) or of competition in the market (e.g., a competitor is producing a more streamlined product) may help optimize the product planning and design process.
Also, engage in regular brainstorming sessions with the risk owners, either one-on-one or in small groups. Use inquiry-oriented dialogue (“Did you try this? Did you do that? How did that work?”) to help them integrate risk-thinking into their everyday decision making and show them that you are a resource to them.
More on Accountability. For some intriguing insights into accountability in business, read the Harvard Business Review’s What Ever Happened to Accountability?
Performance Measures. A significant aspect of effectively implementing risk management initiatives is changing corporate culture. One of the key contributors to an organization’s culture is the way in which individuals are recognized for their performance: which performance measures merit recognition in the form of promotion, compensation or other reward. Incorporating risk management into employee performance measures reinforces accountability and will go a long way to integrating ERM into the fabric of your organization.
Begin by speaking with the appropriate member of the human resources department about the company’s policies and procedures for drafting new job descriptions and setting performance measures. Armed with that knowledge, speak with risk owners about how they can tweak the written job responsibilities and goals of the people on their teams to incorporate risk management. Initially, risk-oriented job performance measures may be tied to non-compensatory recognition of performance (e.g., “Associate of the Month”) and, later, included as a qualitative, intangible measure of success. In the long term and as the ERM program matures at your organization, the goal would be to integrate risk management into performance-based compensation incentives, possibly using measures such as the Key Risk Indicators described below.
Link Between Risk and Compensation. One of the themes introduced in the aftermath of the 2008 financial crisis was the link between risk and compensation. In her April 2009 address to the Council of Institutional Investors, Mary Schapiro, Chair of the Securities and Exchange Commission (SEC), stated “I want to make sure that shareholders fully understand how compensation structures and practices drive an executive’s risk-taking.” As a part of this focus and as mandated by the Dodd-Frank Act, the SEC required public company disclosure regarding incentive-based compensation arrangements that encourage inappropriate risk-taking.
Develop Key Risk Indicators. Directors and senior management use various key metrics on a monthly, quarterly and annual basis to measure performance. For example, a retailer might have sales, customer satisfaction and point-of-purchase measures on a performance dashboard to help manage the business and confirm that it is operating in line with strategic goals. Equally important is the ability to continuously monitor the organization’s top risk exposures.
When your ERM program is more mature, the board, senior management and all risk owners should be able to utilize measures specific to their roles that illustrate the magnitude of pertinent risk exposures and the effectiveness of any plans put in place to address those exposures. Having access to these measures (called Key Risk Indicators, or KRIs) on a real-time basis will enhance their ability to incorporate risk-thinking into day-to-day decision making. Instead of having to rely on the results of an annual risk assessment, or to guess how effective certain risk mitigating initiatives are based on performance metrics, they will have tailored metrics that allow them to tweak risk oversight and management processes based on the story told by the KRIs.
To avoid biting off more than you can chew, start by working on KRIs for a risk that has recently gained higher-level attention at your organization or with a risk owner that you know “gets it.” Also, limit yourself to only a few KRIs for that risk and create a dashboard with the appropriate risk owner. Once the dashboard is up and running, you can use it to demonstrate the value of KRIs to other risk owners.
More on KRIs. For additional details regarding developing KRIs, read COSO’s Developing Key Risk Indicators to Strengthen Enterprise Risk Management.
Risk Messaging. In every communication about the risk management initiative, organization-wide or one-on-one, written or oral, large or small, appropriately convey that the goal is not to eliminate risk (taking risks is part of what companies must do to create profits and shareholder value), but rather to manage it. This messaging combats the misperception that ERM is a compliance function existing separately from the business and its operations to satisfy stakeholder expectations or that the Risk Tsar or risk owner is an impediment to viable business ventures. Rather, the Risk Tsar and individual risk owners should be seen as essential to strategy setting by enabling their colleagues to make better predictions about the future.
Risk Statements. See Determining Risk Appetite for a discussion of how to disseminate risk appetite statements across an organization.
The risk register produced by your organization’s risk assessment should be thought of as a living and breathing document. As risks facing your organization change, as KRIs are developed and monitored, as the initiatives established to address risks are effected and as the business and the individuals who drive it progress, the register should also evolve to reflect the current state of your ERM program. But beginning and maintaining the implementation process is not easy. The champion of the program must not be seen as a “Debbie Downer,” forecasting doom and gloom for the organization. Rather, the Risk Tsar must focus on winning key individuals at the organization to the cause by demonstrating the value of thoughtfully looking at the business from a risk point of view and leveraging small successes into larger successes.
“Many of the truths that we cling to depend on our point of view.” – Yoda