Setting up an enterprise risk management (ERM) program is just the beginning of a continuous process to help your organization achieve strategic and operational objectives.
Like many things in life, this is easier said than done…
Companies will establish an ERM program for a variety of reasons – perhaps a simple question from a board member or senior management will prompt action. In some situations, a data request from a regulator or new reporting requirements (…as in the case of ORSA and U.S. insurance companies) will be the catalyst. Companies across a variety of industries are facing increasing pressure to ensure proper alignment of goals, risk appetites, and strategy.
Regardless of why it came into existence, an ERM program that succeeds over the long term needs to, among other things:
- Deliver timely, comprehensive and actionable risk information to decision makers;
- Establish a consistent (but not burdensome!) process and common risk language throughout the organization;
- Foster discussion between different business units on major risks;
- Integrate risk into planning, compliance, and strategy; and
- Hold risk owners accountable for their area(s) of responsibility.
Despite these goals, the trajectory of the ERM program at many companies prevents them from realizing the tangible benefits that led them to establish it in the first place. The following four trajectories were outlined in an article published by PWC entitled "How ERM Programs Evolve" and are based on several years of observing programs in a wide variety of organizations and industries.
Continue reading for a brief breakdown of each of these four trajectories…
Start and stop – This course is characterized as failing to go beyond the assessment phase of the ERM process. As time goes on, senior and mid-level management will lose interest in the program and begin questioning its value. Rather than risk becoming ingrained in the company’s day-to-day operations, interest and attention in ERM will wax and wane based on when risk assessments are scheduled for an update. Organizations that fit this description will start out with quarterly assessments but soon push them out to once a year or even bi-annually as interest in the program declines. Management will come to view ERM as a one-time exercise of little value or a complete failure.
Start and stagnate – In many cases, as time goes on, interest in new initiatives begins to level off. In the case of an ERM program, interest will peak during the initial assessment and action plan(s) phases. Periodic meetings will keep the interest going, but the program isn’t adding any new capabilities, which leads many to mistakenly believe that the assessment is the entire ERM program when it is in fact just a single process within a larger framework. As a result, management and risk owners will come to see these activities as a “check-the-box” exercise for the board of directors or a regulatory requirement rather than an ongoing process that can add value to the organization.
Start slow, react, and atrophy – Maybe the organization has started an ERM program but it is moving slowly – then some big event comes along and motivates management to update strategies, objectives and capabilities in response. Events like going public, integrating an acquisition, a large-scale product failure, or expansion into a different business, product or location are just a few examples of these trigger events. However, if there isn’t a sustainable process behind it or if the integration of new capabilities into decision-making is weak, interest in the program will decline.
Evolve steadily and consistently – The fourth and final possible trajectory of an ERM program is the most desirable, but sadly, the least common according to PWC. This trajectory involves the ongoing introduction and integration of new capabilities, which of course helps maintain interest in the program from the highest levels of management all the way down the chain. Programs that are steadily growing will be carefully planned, but flexible. Objectives of the program and steps for improving capabilities are clearly understood throughout the organization. Also, ERM programs that are constantly evolving will have a clear mission and value proposition.
ERM programs can start/stop, start/stagnate or start slow, react and then drop off again for a variety of reasons, including change in leadership, poor communication, distractions, low budget and staffing, and lack of proven value creation. To learn more, check out Questions for Gauging the Value of your Organization’s Risk and Performance Management.
Check back again as I explore some methods organizations can employ to maintain interest and growth in their ERM programs.
If you feel your company’s ERM program is stuck in a rut and in need of a shakeup, an outside voice can be very helpful in getting things back on track.
Feel free to contact me today to discuss your company’s ERM program.
Has your organization’s ERM program stalled or stopped altogether?
If not, what tactics has your company used to keep your program on track and steadily growing in capabilities?
Let us know in the comments below, or join the discussion on LinkedIn.