Regardless of our individual means, we’ve all experienced the dreaded ‘sticker-shock’ multiple times in our life.
Take an issue anyone living in Florida should be familiar with – a generator in the event the power goes out (most likely caused by a hurricane).
The preference for most, including myself, is to have a ‘whole-house’ backup generator that, as the name implies, can power pretty much the entire home without any effort from the homeowner.
Power goes out → generator kicks in automatically.
However, installing such a system is costly and out of reach for most, and for others, while affordable, is simply something they’re not willing to spend the money on.
Does this mean these homeowners have to just sit in the dark when the power goes out?
Absolutely not!
Thankfully, there are more budget-friendly options available, such as this nimble little Honda workhorse we bought for our house a few years ago.
It won’t power our air conditioner (unfortunately!) or water-well, but it will certainly get us by (e.g., refrigeration, some lights, fans, and coffee pot) until the power comes back on.
Similar to home generators, cars, vacations, and electronics on the personal side, companies can sometimes have sticker shock when it comes to investing in enterprise risk management.
But just like the sticker shock of a whole house generator, options are available for companies to gain some benefits and value from ERM without the heavy price tag.
I’ve seen it many times, especially as a consultant…
Company leaders learn how objective-centric ERM – as opposed to older compliance-focused ERM – can provide greater certainty that they will achieve their objectives and that they’re taking the proper amount of risk in pursuit of those objectives.
It all sounds appealing, but then scarcity mindset and misperceptions begin to creep in and no action is taken.
It doesn’t help that many resources out there, including formal standards like ISO 31000 and COSO, lend the impression that it is all in or nothing – full-time staff, expensive software systems, the works.
For smaller companies, this expense (which can add up quickly) is simply too much. Larger companies who may have the means can simply get sticker shock and decide it’s not worth it.
This stagnation or inaction is unfortunate because the fact is – companies who ‘go it alone’ as the saying goes are putting themselves at extreme risk (no pun intended) in today’s VUCA world.
Former British Prime Minister Winston Churchill is credited with saying:
It is better to do something than to do nothing while waiting to do everything.
In other words, just like our home generator example, a company doesn’t have to go for the deluxe edition to reap the benefits of objective-centric ERM.
Yes, your company can gain in-depth insights with the deluxe edition you learn about in so many places, whether online or at conferences.
But like the whole-house generator, it will be costly, especially depending on how hard, how fast, how deep you want to push over a short amount of time.
Fortunately, a company doesn’t have to throw up their hands and give up.
Modest investments can be made to help the company gain both critical insights for decision-making along with assurance that its goals can be met.
Simply producing a list of top risks can be done on the cheap, but as I’ve alluded to and explain more in-depth elsewhere, any risk the company identifies should directly link to an objective.
(How Ironic: your company could implement seemingly “top-level” ERM practices and technologies, but if leadership is not focused on managing the risks to objectives or the company’s top drivers of value, it will provide limited value for the investment!)
The outline or basic structure of objective-centric ERM is the same regardless of the level of practices the company pursues, which include:
- Mission and vision – what is the company’s foundational purpose? What is the longer-range goal for the company to strive to be/to do?
- Objectives that support this mission and vision, including metrics of success.
- Supporting processes (i.e. risk identification, assessment, analysis/prioritization, monitoring, and reporting) to address risks to objectives, including areas where additional risk can be taken. Remember, objective-centric ERM is not all about minimizing, mitigating, or avoiding risks, but taking informed risks in pursuit of success.
To an extent, each of these can be done at little to no cost since much of it simply involves bringing people together and using tools like Excel to aggregate, organize, and analyze information. Just asking some basic questions around a decision in real time can provide tremendous benefits for no financial investment at all!
While the skeleton or framework is roughly same regardless of budget, the difference will be the depth and breadth you can go, plus the speed at which you want to see results.
From here, the question becomes ‘how can the company have sufficient resources to do this and do it well in a manner that is right-sized?’
Below are a few different areas any company will need to consider when it comes to ERM and how they can be achieved in a budget-conscious way.
Area #1: People
Hiring or assigning someone to do ERM full-time is preferable, especially for larger and more complex organizations, but not required.
As an alternative, an individual who reports to the CFO, CRO, or CEO can be assigned to handle ERM part-time. While cheaper, the disadvantage is progress will be sllllllooowwww, and momentum can be lost.
Going outside the company, it is possible to hire a fractional ERM practitioner as a consultant or contractor. This can work because three things: one, the individual already has a deep knowledge and well of ERM experience from which to draw (minimizing learning curves), the individual knows how to become deeply immersed and well versed about the company in a short amount of time, and three, leaders tend to favor outside consultants over internal people.
In the end, the choice between full- vs. part-time and hiring from within vs. externally shouldn’t boil down to monetary costs alone but also whether the individual(s) possess certain attributes.
And just because you hire someone from the outside doesn’t mean you have to go with a big consulting firm. While they have a larger pool of talent, their solutions can oftentimes be costly, too formal, and use junior level people. In comparison, smaller ERM consulting firms can deliver tailored solutions with experienced people at potentially lower cost.
Area #2: Communication
This is one of those areas that doesn’t receive the attention it deserves. As mentioned earlier, it doesn’t cost anything for people to speak to each other.
Instead of money, it takes time and energy to network, build relationships, and understand the needs to specific business units and company leaders. Other budget-conscious actions include:
- Make sure any risk and strategy conversation has these 6 ingredients.
- Use terminology from the business for risk communication instead of the other way around.
- Tailor communication methods based on how people learn and interpret information.
These are just a few steps that can be taken to enhance risk-informed decision-making without incurring any expense.
Area #3: Technology
Many resources you encounter will maintain that an expensive ERM software system is a must have, but that simply isn’t true.
Thankfully, if you’re starting out small, tools like Excel can be harnessed to capture, organize, and track risk information.
PowerPoint, Word, or Excel can be used to create robust reports. The important thing to remember is that it is not all about the form of the report, but rather providing the information that the users of the report need.
There are well-known systems that claim to support multiple areas (e.g., risk and compliance), but most of these aren’t “best in class” for a specific area. Look around at smaller system companies that focus on being true “ERM software” but make sure it works for your company. Don’t let the system functionality determine your ERM-related practices.
There are also cases where tools that seem unrelated on the surface can be repurposed for ERM. Pulling double duty like this can yield tremendous savings for the organization.
Area #4: Information and Networking
In our digital age, especially with the growth of AI, accessing knowledge is easier, and cheaper, than ever.
Some great resources you can access for little to no cost include thought leaders like Norman Marks or Tim Leech to name a few. The top resources list I publish every New Year always has great suggestions on books and websites you can turn to.
Conferences are great for both information and networking, but they can be costly. Not only do you have to pay a registration fee, but travel is also expensive and time consuming. (And to be honest, most of them are still talking about ERM practices from 15-20 years ago.)
Instead of expensive conferences, leverage tools like LinkedIn to connect with both risk peers and experts in your industry. I can’t begin to overestimate the value of a robust network, which is something you can do today.
Overall, these are just a few suggestions of how ERM can be done on a budget.
Remember, it’s about setting and managing expectations, or the breadth, depth, and speed at which you operate.
Results can come quick, but they come at a price. With a little patience and diligent effort, a company can reap some benefits of ERM without a huge financial investment.
What tactics or tools has your company successfully used to practice ERM on a budget?
Feel free to share your thoughts – join the conversation on LinkedIn.
