A Practical Approach to ERM
Author: Charlie Wright
There’s been a tremendous amount of confusion about what enterprise risk management (ERM) is and how it adds value to an organization. Some executives have strongly embraced the concept while others have reluctantly agreed to ERM initiatives because of pressure from stakeholders. This confusion is partially the result of organizational complexity, but is primarily because executives believe their organizations already manage risks. Consequently, a legitimate question executives commonly ask is, “If we already manage risks, what’s the value proposition of ERM?”
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published its updated ERM framework, Enterprise Risk Management—Integrating with Strategy and Performance, on September 6, 2017. Take a look at BKD’s framework summary, “Five Takeaways from COSO’s Updated ERM Framework,” which also covers what you need to know about the release.
The updated framework defines ERM as “the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”
This is a very broad definition, but there are two crucial concepts embedded in the definition that are important to understand: the focus on integrating risk management processes with strategy and the focus on value. The framework strongly encourages the organization to integrate risk decisions in a way that aligns with the organization’s strategy. It also suggests properly executed ERM can help the organization create, preserve and realize value. The updated framework highlights five components and 20 principles necessary for an effective ERM program. While the framework does an excellent job of describing what should be done, it’s still not clear about how to implement ERM.
BKD’s Implementation Approach
BKD helps organizations understand how an effective ERM program can be implemented. Our approach also highlights the value of an effective ERM program using four important concepts. First, every organization should have a good understanding of its risks, and those risks should be documented in an easy-to-understand format. Second, those risks should be periodically analyzed and prioritized in a way that allows the organization to compare risks across multiple departments and disciplines, as well as year-over-year. Third, the organization needs a dynamic ongoing process to identify changes and emerging risks. Finally, there needs to be some oversight and open communication regarding the ERM process. These four simple components can help position an organization to strengthen risk management across its enterprise.
The first step in managing risks from an enterprise perspective is to develop an inventory of the most important risks that might affect the organization’s goals and objectives. However, simply creating an inventory isn’t enough. Each risk should be documented in a manner that promotes a consistent understanding of why it’s on the list and how it’s being managed and mitigated.
BKD uses a standardized one-page template to help gather and organize the relevant risk information. The template includes:
- Risk name
- Owner – Who has specific responsibility to manage this risk
- Definition – Should be succinct and kept to one sentence
- Scope – The part of the business this issue includes or excludes
- Contributing factors – Themes, trends, issues or drivers that make this a risk
- Risk management activities – How these risks are being managed or mitigated
- Opportunities for improvement – Issues that need management’s attention
- Risk management plans – Initiatives already underway that are key to managing this risk
This information should be simplified and distilled into bullet points. By obtaining input from subject matter professionals and risk owners across multiple departments and disciplines, awareness and consensus can be created and the organization can develop a holistic understanding of each risk.
Analysis & Prioritization
Once consensus has been reached about the key risks and the organization has a solid understanding of them, it’s important to analyze and prioritize the risks. There are four critical metrics most relevant to analyzing risks in any organization: financial effect, likelihood, preparedness and velocity. Financial effect and likelihood have long been used for risk assessment analysis. They form an important foundation for understanding potential risk. In addition to those two common metrics, BKD recommends management should understand how prepared an organization is for a particular risk. Preparedness allows the survey respondents to consider areas that have a high level of internal control focus, or perhaps areas with minimal controls, thus exposing the organization to a higher level of inherent risk. The fourth metric is velocity. There’s a huge difference in a legislative risk that may take months or years to affect an organization compared to a cyber risk that can damage an organization in seconds. All four metrics, when assigned a value as part of a traditional scale and considered together, provide an excellent picture of how an organization may be affected by a particular risk.
The quantifiable nature of these metrics provides the ability to prioritize the data. For example, the following bar chart shows a prioritized list of risks and compares them to the prior year. This allows management to see how risks are changing from one year to the next.
BKD surveys each organization’s board, executive team, line management team and specific subject matter experts to gain an understanding of perspectives from different parts of the organization. By stratifying the survey results into these groups, important information can be gleaned from the survey. Many senior executives find it very useful to understand how their views align with those of the board or line managers of their organizations. Of course, it’s also very informative to know how the subject matter expert in an area feels about the risk environment. As shown in the chart below, it’s easy to identify risks where the various parties are not aligned.
Through these metrics and the inquiry and comparison of all relevant parties, the organization can identify important areas that require more focus and attention.
BKD’s Enterprise Risk Solutions practice has collaborated with BKD Big Data & Analytics professionals to help streamline the process and enhance the deliverables. The cooperative solution is two-fold. The first step includes development and deployment of a straightforward survey, and the second step includes analyzing and visualizing the results. The result is a clean, concise set of analytical charts and graphs presented in an easily digestible manner. This presentation includes three distinct views of the results.
First, a high-level look at overall scores for each risk allows for quick prioritization.
Second, drill-downs into each critical metric help provide an understanding of what’s driving each risk’s overall score.
Finally, a risk map allows for easy comparison of all four critical metrics for identified risks.
This approach allows an organization to not only quickly and easily identify its greatest risks, but also understand what makes the risks so significant.
An Ongoing Process
While risk management should occur at all levels of an organization day in, day out, the activities mentioned above are often performed annually. To help ERM become a dynamic, integrated and ongoing process rather than a one-time initiative, management must establish activities that facilitate periodic organizational focus on certain enterprisewide risks. BKD recommends quarterly risk workshops that rotate through the organization’s most important risks. When they’re well-proctored and efficient, these workshops can be limited to approximately two hours.
By gathering a few executives and select subject matter experts to discuss two or three similar risks, a number of goals can be achieved. The status of current risks can be assessed and new or emerging risks can be discussed. A crossfunctional group of risk owners can gain valuable insight and perspective by periodically discussing risks in this type of forum. Attendees can gain a level of comfort about how well risks are being managed or determine additional action is needed to improve management of certain risks. Finally, an important aspect of these quarterly risk workshops is that they help develop risk awareness throughout the organization.
Governance & Communication
It’s important to establish governance and oversight for an effective ERM process. Some organizations have created a committee consisting of risk owners and subject matter experts, while other organizations use their current executive leadership teams to oversee the process. At the board level, some organizations have a board subcommittee dedicated to risk management, others may use their audit committee for that purpose and many use their full board to oversee ERM.
By establishing effective governance at the board and executive levels, organizations can send a strong message about the importance of risk management. Tone at the top has proven to be a meaningful indicator of an organization’s ERM program’s success. Other tactical decisions, such as frequency and content of board and executive updates, resource allocation and effect of certain risks on the organization’s strategy and goals, are issues the risk oversight committee should oversee. BKD recommends the risk oversight committee should meet quarterly or at least semiannually to assess whether the organization’s ERM process continues to add value.
Bringing It All Together
BKD’s approach helps provide a path to implementing ERM. By understanding and analyzing risks, management can align risk management with organizational strategy and add value. With proper oversight, ERM can improve risk management capabilities, create a more risk-aware culture and improve decision making across the enterprise.
If you’d like to learn more about how to implement an effective ERM program, contact Charlie.