Even though more organizations and industries have gradually been adopting enterprise risk management (ERM) programs since the height of the financial crisis in 2009, many businesses are still hesitant to embrace full-fledged ERM programs—fearing a substantial investment with little return.
However, with the right resources and tools, organizations implementing ERM can avoid many of the pitfalls that result in failed initiatives … or at least a disappointing gap between what ERM promises and actually produces.
ERM initiatives expand, improve
Recent studies indicate more companies have adopted ERM since the last time they were surveyed a few years ago, and, in addition, their ERM programs are becoming increasingly robust and effective.
According to the report, “2018 The State of Risk Oversight: An Overview of Risk Management Practices,” 31 percent of organizations (48 percent of large organizations) have complete ERM processes in place. The survey of 474 business executives across a number of industries was co-published by North Carolina State’s ERM Initiative and the American Institute of CPAs.
According to the 2017 ERM Benchmark Survey, the most recent ERM survey published by RIMS, 24 percent of respondents indicated their organizations have fully integrated ERM programs in place. The results stemmed from a survey of 397 respondents from more than 14 different industries.
Regardless of progress, both studies indicated that ERM program uptake and success rates lag behind where they should, especially considering the proven benefits organizations have experienced after truly integrating ERM into their business.
Common missteps with ERM initiatives
But with success also comes failure … or, maybe, just not enough success. Less-than-fruitful ERM initiatives often stem from the following three missteps:
1. Lack of convincing and actionable data: Risk managers often struggle to uncover and deliver risk-related information from across the entire organization. This is often because relevant data is tied up in multiple manual systems that are a challenge to pull together. As such, data is not timely, transparent or standardized. This makes it exceedingly difficult to demonstrate the total cost of risk and the ROI of enterprise risk management — in other words, the value of preventing risks that never came to fruition or the value of taking risks that resulted in revenue generation.
2. Lack of organizational support: Lack of sound and timely data often translates into a lack of organizational support for enterprise risk management. The top often won’t buy in because—without hard-dollar proof of the value of preventing or taking risks—it can’t comprehend why ERM matters any more than all the other initiatives on its plate. Further, those employees on the lower rungs of the organizational ladder often won’t buy in because they presume the data intake and input associated with ERM is going to impede them from doing their actual jobs.
3. Lack of strategy and tactics: When inadequate data is married to inadequate organizational support, you can bet risk management won’t be a strategic endeavor. Such a scenario makes it extremely difficult for a risk manager to earn a seat at the decision-making table. On the flip side, organizations that do have actionable risk management data and strategies in place also need to be able to execute on tactics. Without tactical execution, strategy can’t move forward. However, organizations often struggle to fulfill the many risk management tasks spread across a multitude of departments and countless employees.
How To Prevent ERM Failure
The good news is Integrated Risk Management technology can help organizations avoid many of these missteps by giving users the ability to easily assess and manage up-to-date risk-related elements from a single source of truth.
First, it surfaces relevant ERM information from wherever it’s hiding in your organization; connects it with other internal and external data; and then normalizes it with data processing tools to ensure consistency among the data you’re comparing. Because the technology operates in the cloud, data is automatically collected and updated in real time.
As such, it’s easy to access and analyze up-to-the-second risk management data from across the entire organization with just a few clicks instead of cobbling together a bunch of spreadsheets into a mega spreadsheet, or meshing together data from other antiquated systems into a document or report that will essentially be out of date once it’s time to report.
Next, the right Integrated Risk Management technology will automate processes—from incident intake and reporting to This alleviates the challenges that come with employees feeling overburdened with data intake and input, as well as embedding processes.
Next, the right risk management technology also automates workflows—giving directions to the right individuals in the right departments at the right times. Rather than rely on manual phone calls and emails to other departments to propel work forward, the system can automatically trigger notifications, next steps and reminders—as well as track follow through and escalate issues not being addressed. All this encourages collaboration and accountability, and keeps risk management initiatives moving forward.
Finally, the right Integrated Risk Management technology can be specifically tailored for managing your organization’s unique ERM program—providing a whole suite of applications to improve efficiency and consistency of all business processes and decisions (including those tied to corporate governance, risk and compliance; vendor management; health and safety management; business continuity management; and more).
Ultimately, Integrated Risk Management technology can simplify and automate your ERM program—allowing you to implement, tailor, extend and scale your risk management capabilities. As a result, organizations are better able to avoid the missteps that hinder a high-performing ERM program and experience true success.