Enterprise Risk Management (ERM): The Definitive Guide
Everything you need to know about ERM to help you decide if it’s the right move for your organization.
Enterprise Risk Management – ERM – is a frequent topic of discussion these days in boardrooms around the globe. But what exactly is ERM? Is it just another buzzword – or is it really a new way to manage risk? And the most important question: Will ERM give you more visibility into your risks so you can better protect your enterprise?
This guide will answer all of those questions and more. You’ll learn what ERM is, why it’s worthwhile, and how to begin managing risks and opportunities holistically.
Why all the talk about ERM?
The spectrum of potential risks faced by organizations today has expanded beyond those covered by traditional insurance. Getting a handle on the potential costs and likelihood of occurrence of something like a cyberattack or environmental disaster, however, is a challenge to say the least. Yet these are real threats with real costs that need to be recognized – and a growing number of companies are turning to Enterprise Risk Management to do just that.
ERM collectively looks at all risks, how they relate to each other, and the cumulative impact on the enterprise. Advances in technology are making it easier than ever to manage risks at an enterprise level. But technology alone is not the answer. To be successful, the ERM mindset must be embedded into the very fabric of the organization. With ERM, risk management is everyone’s responsibility.
Despite some signs of greater ERM maturity, a recent study found that many executive teams and boards are only now realizing how ill-prepared they were to manage the multitude of enterprise-wide risks triggered by a single root-cause event on the scale of the COVID-19 crisis.
What Is ERM?
ERM is a structured, proactive, and continuous process that is applied across the enterprise to better understand all risks, how they relate to each other, and the cumulative impact on the organization. It looks to increase an organization’s value by both minimizing losses and maximizing opportunities for growth. While traditional risk management generally focuses only on those risks that are insurable, ERM goes a step further and includes risks that are best managed in other ways.
A company’s reputation, for instance, can’t be directly insured. But you can reduce the risk of damage by proactively identifying and managing potential threats.
Think of ERM as the natural extension to traditional risk management. The question isn’t one of EITHER traditional risk management OR enterprise risk management; rather, those are two ends of the risk management spectrum.
What are the Advantages of an ERM Program?
The idea of managing risk on an enterprise-wide basis may seem daunting. But migrating toward ERM can be well worth the effort when you consider all that could be gained.
More than 50% of organizations recently surveyed said they felt their ERM program is well integrated with other assurance functions and with the company as a whole. Half of those surveyed also indicated that they have achieved a more holistic view of enterprise risk by improving the engagement of assurance functions.
How to Get Started with an ERM Program
Implementing ERM does not mean you must rip out your current risk management program by the roots. Indeed, processes that are working well can often be rolled out across the enterprise. The best place to start your ERM journey is to examine your current processes, people, and technology to determine what is working and what could use improvement – then evaluate that in terms of extending risk management across the enterprise. What do you need to add, change, or expand to get you where you want – and need – to be? Here are six steps to get you started:
1. Identify your risks and the potential impact on the company.
What is your strategy for responding to risk – and how will ERM help create and protect value? What is your risk appetite? Defining your risk appetite sets the stage for your response.
2. Leverage what your organization is already doing to manage risk.
Apply current practices and strategies for managing well-understood risks – like worker injuries – to other risks. This is also a good opportunity to re-examine your risk management process to ensure your operational risks align with strategy.
3. Enlist the support of all stakeholders.
Bring in operations, sales, accounting, legal, and more. And designate a leader – preferably from the C-suite – to champion the ERM cause.
4. Break it down.
The idea of managing all risks can be overwhelming at first, so start with the risks that have the biggest impact on the company’s success and build from there.
5. Designate responsibility for each risk.
Assign each risk to whoever is most closely associated with it, and make that ownership explicit.
6. Report on progress.
How has ERM added value to the enterprise?
How Technology Can Help Execute an ERM Program
Managing risk at an enterprise level is very difficult with spreadsheets alone, which is one reason many organizations struggle to execute a proper Enterprise Risk Management program. Spreadsheets scattered across departments give no single, current view of risk, and keeping them consistent is manual work; purpose-built, typically cloud-based ERM tools are what allow organizations to manage high-level risks consistently on such a broad scale.
ERM software gathers all risk-related information into one source – which alone adds value to the organization by increasing efficiency in the process, as well as accuracy and consistency in the data. ERM software also can:
Why Culture is a Critical Component of Enterprise Risk Management
For ERM to be successful, risk management must be a part of every critical decision throughout the organization. That means cultivating a risk culture. People at all levels and functions must not only understand the organization’s approach to risk, but take personal responsibility for managing risk in their everyday work.
Making that happen requires top-level buy-in. If the C-suite incorporates risk into its decisions, others will follow. Reinforce that by communicating widely, clearly, and continuously about expectations. Assign responsibility for managing specific risks – and hold people accountable.
ERM doesn’t eliminate risk – of course – but it will minimize surprises. And if something unexpected does happen, you’ll have the knowledge, tools, and culture to turn those challenges into opportunities for success.