You may be shocked to hear me say this…
Not every organization needs enterprise risk management (ERM).
Of course, before you can know if your organization needs ERM, you have to make sure you understand the differences between ERM and traditional risk management.
Then you can start the next step in the process:
Step 1: Is ERM suitable for the organization?
This step is all about determining the appropriateness of ERM for your organization. Does it make sense to dedicate the resources – both time and money – to a formal ERM program?
Please note that I am not saying that an organization shouldn’t have risk management. No way! All organizations should have risk management, but there are two main factors to knowing if ERM is appropriate: 1) the way your organization is structured and 2) the kind of business the organization is conducting.
Here are guidelines to know if a formal ERM program is right for your organization.
You may NOT need ERM if:
- You have a small company with few employees and no board of directors;
- Your organization has a standard product or service that introduces little risk;
- Your company’s product or service introduces low-probability risks that are easily shared through insurance or similar options; or
- The organization is not subject to fines or other severe actions by governing bodies.
You DO need ERM if:
- Your company is publicly traded or has regulatory requirements for formal risk management (check out this post regarding credit ratings and ERM and this post on ORSA for insurance companies);
- Company operations are complex, such as having multiple locations under different jurisdictions;
- The company’s products or services introduce risks that are not fully insurable;
- The company operates in a volatile industry, such as energy or pharmaceuticals; or
- Your organization has a history of legal sanctions, regulatory fines, negative public perception, or financial issues.
By the way, a non-profit may need ERM as well. Check out this post on the topic.
Step 2: Does the organization need ERM?
All businesses conduct informal risk management in some form or another. It’s important to determine if those existing processes are sufficient to meet the organization’s needs and goals.
Perhaps the risk efforts of the strategic planning, project management, and vendor management teams adequately identify risks to the organization and provides this information to leadership for decision-making. If leadership believes those risks are being managed appropriately, then it may be better to strengthen those processes or expand upon them without creating a formal ERM Program.
However, it should be noted that without an ERM Program, there is no unit responsible for identifying and managing risks to the entire organization, outside of the business unit siloes.
As I mentioned previously, having dedicated resources for risk management processes are a best practice to ensure that risks are being proactively identified and managed on an ongoing basis. Sometimes having one person responsible for coordinating and facilitating is the most effective way of managing risks.
Perhaps no serious risk issues have occurred to date, but without that high-level view, and a team responsible for facilitating risk identification on an ongoing basis, risks could occur at any time. Leadership should be made aware of this potential and should knowingly accept the risk if they choose to forego a formal ERM Program.
Making the case for ERM
Based on the outcome, this assessment should help you make the case for ERM at your organization. As you can tell, I didn’t go into the benefits of ERM, which I have discussed in previous posts like this one.
What outcome is right for your organization?
I would love to hear from you in the comments below or in the LinkedIn discussion.
If your organization needs ERM but is having difficulties taking the next step, read my posts about designing and launching an ERM program. Or you can contact me to begin discussing your organization’s needs today!
Featured image courtesy of “gianco941” via FreeDigitalPhotos.net
Image courtesy of “fantasista” via FreeDigitalPhotos.net
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More