Are ERM Best Practices Really “Best”?

Whatever the situation, especially if it’s uncharted territory, our natural tendency is to use ‘best practices’ as a starting point. This is totally logical, and in most cases, will work just fine.

There are a few exceptions to this general principle though, especially where research shows that leaders continue not to see strategic value in the “best practice” way of doing things.

The success of a Project Management Office (PMO), meant to ensure successful execution of strategy via solid project management practices, was lackluster all the way back in 2013, when research by the Project Management Institute (PMI) determined that 73% of PMOs fail within 3 years of creation.

Luckily, the PMI has researched the cause for the failures and recently published 4 elements that strongly predict whether a project will be successful. And Miguel Edwards, CEO of FiveM, LLC (a technology consulting firm for the insurance industry), has developed a successful alternative to the PMO—the Performance Strategy Office.

As discussed in a previous article, following ERM best practices can end up doing more harm than good. Copying and pasting what others are doing, or relying solely on standards like ISO 31000 and COSO, or otherwise treating ERM as a separate activity from running the business are some of the main reasons why organizations find little to no value in it.

As practitioners across industries have learned over the years, many practices currently labeled as ERM best practices are simply not adequate for meeting the needs of today’s business.

It’s therefore easy to advise you to shun best practices, but today, I want to dig a little deeper into this topic, highlighting certain practices and why they should either be avoided or dramatically altered.

Many of the following have only been called best practices because practitioners in ERM’s early days didn’t know what else to do. Tying together silos and examining risks to objectives only burst onto the scene in the last 25 years or so. Before then, any risk management was generally isolated and focused on minimizing loss through insurance and mitigations.

Just because a specific way of doing things has been around a long time doesn’t mean it’s the right or best thing to do.

Below are 4 examples of this concept as it relates to ERM.

  1. Establishing governance structure as a first step – If all you do is read this article on setting up an ERM program, you will come away with the impression that your company must have this oversight structure and processes in place before any actual ERM “work” takes place. In my years as both a practitioner and a consultant, I’ve come to learn that companies must first understand what practices will work for their specific culture and needs and only then build any formal program or governance. This may seem counterintuitive on the surface, but it will save you lots of wasted time and frustration, not to mention add value for leaders immediately.

  2. Establishing risk rating criteria before starting a risk assessment – It should be obvious that you can’t assess and analyze risks before you even know what the risks are. Like the first example though, one best practice that has been shown to cause bigger challenges, especially in terms of time, is trying to establish rating criteria before starting any risk identification activities. (Make sure risks being identified are directly linked to a specific objective!) I have seen companies literally take a year to “finalize” their risk rating criteria before starting any value-add risk conversations with the business. Remember that progress is better than perfection, so having insightful conversations will get you further and gain more buy-in than simply talking about how to assess the risks.

  3. Conducting assessments on an annual (or less frequent) basis – Many companies think that performing an annual risk assessment means they know all they need to know about risks to the business, but as our uncertain world shows us more with each passing day, the internal and external operating environment is constantly changing. What was a major risk one day could be minor the next, and vice versa, especially when action plans are put into place or decisions are made by leadership. This is yet another reason why risks should be connected to objectives, rather than standing alone.

  4. Using heatmaps to communicate about risks – In spite of their inherent (no pun intended!) flaws, heatmaps have remained an ERM best practice over the years. Perhaps it’s the simplicity of a red, yellow, green rating that many find appealing. As the years have passed, it has become clear that this way of communicating about risk is inadequate at best: many leaders want to manage every risk to green, and a heatmap tells company leaders nothing else about the risk. Another article explains this deficiency in depth, along with other ways heatmaps come up short, plus a couple of limited circumstances where they may be useful.

ERM best practices like these and others were developed when the discipline as a whole was still very risk- instead of objective-centric. While updates to the ISO and COSO standards have added some emphasis to objectives, many practitioners give surface reference to strategy or goals without actually changing the conversation with the business. And don’t forget that true ERM best practices go beyond the “technical” skills to include soft skills like emotional intelligence, possessing a growth mindset, and otherwise being open to any approach that fits the culture and needs of the organization, even if it isn’t labeled as “ERM.”

What other legacy ERM best practices would you add to this list?

Jump into the LinkedIn conversation to share your thoughts.


Meet Carol Williams, SDS Founder & Lead Strategist
