When first speaking to an organization about ERM, executives know they have a problem, but they usually don’t know what it is, much less how to fix it. All they know is ERM is a possible solution. But before jumping in, I often find trouble spots that need to be addressed first.
If they are not, the house of cards will ultimately fall.
This is why one of the first things I ask about is what governance and internal policies they currently have in place.
In a presentation at the Fall 2019 ERM Roundtable at NC State, Sam Chari, Global Head of Risk Management at Experian, explains how a “…strong governance framework” is one of the top 5 components of a successful ERM endeavor.
At a high level, corporate governance can be defined as:
…the system of rules, practices, and process by which a firm is directed and controlled.
In one of my first articles on the blog, I discuss governance in the context of launching an ERM program and how not having a clear framework will make it impossible to translate top risks at the enterprise level into strategy and day-to-day operations.
Before reaching the point to have ERM, organizations must first have the appropriate corporate policies and procedures in place…
To support an ERM framework and realize success in your efforts, there must first be a structure in place to ensure processes are managed appropriately and are efficient and effective…there must be good corporate governance without it being too stifling or bureaucratic.
For example, in a recent conversation with an organization experiencing rapid growth, I was astounded to learn they only had a few policies around human resources in place. There were no policies for how employees are reimbursed for expenses, no vendor management policies, and most striking, no strategic plan or even a budget. If executives wanted to know who they were paying for a particular service, the only way to find out was to ask the accounting department!
This company has a vague idea of the things it wants to do in the years ahead and that ERM can help.
When the company was smaller with only a handful of employees, it could get away with not having formal governance processes in place. However, with its explosive growth in the last couple of years, it is getting much harder to manage things on a case-by-case basis.
All of these things combined into the pain points that they are experiencing.
Now, I am glad that they want to have ERM and see the value of it. So to get them to that point, my first engagement with this company is helping them develop the foundation that we can then build on to have a successful ERM program.
Why ERM will fail if governance issues are not addressed.
If your organization jumps right into ERM without laying this foundation, the effort will ultimately fail for a variety of reasons. Some of these include:
- If there is no strategic plan, it will be impossible to know how risks are affecting the success of the organization because there will be no objectives to link the risks to.
- If roles and responsibilities are not clearly defined, there will be no way to hold executives and managers accountable.
- If there is no clear communication method between different areas and layers within the organization, information will be siloed, and it will be impossible to know how risk and opportunities fit into the bigger picture. This silo effect is a key difference between traditional risk management and ERM.
If you’ve been reading my blog for any length of time, you should hopefully understand the ultimate purpose of ERM isn’t to minimize risk but to ensure the organization is taking the right amount of risks in pursuit of its strategic objectives.
Or, as thought leader Norman Marks explains in his book Risk Management in Plain English: A Guide for Executives, successful ERM is not about avoiding harm or satisfying regulators, but rather:
…about understanding what might happen and acting to increase the extent and likelihood of success.
But if you don’t have objectives and policies and procedures in place to guide the pursuit of these objectives, how can you assess risks to achieving them? How can you do scenario analysis, modeling, or a Monte Carlo simulation?
Although materials you read here or elsewhere discuss these and similar techniques and concepts, the truth is there are much more rudimentary things that must be in place before your organization is ready to embark on this journey.
Have you attempted to have an ERM program without a strong governance framework in place?
It seems this topic doesn’t receive the attention it deserves. The idea for today’s article is based on some of my experience as an ERM consultant – many of the companies I work with, including the one referenced above, have several foundational issues to address before moving into true ERM.
To share your perspective and experience, please leave a comment below or join the conversation on LinkedIn.
And if your organization is unsure about the source of your challenges and would like an outside perspective, contact me today to discuss your situation and discover what foundational pieces may need addressing to ensure a successful ERM endeavor.