When I started my consulting firm in August 2016, I knew I wanted to help organizations perform better by using enterprise risk management (ERM) instead of just traditional risk management. After all, I know how well ERM can work when done right and how much the organization can benefit from it.
But as a start-up, I had more time than money, so I was focused on seeing what I could do for the least amount of money. I used the free versions of software (and still use several of them!), asked my husband to build my website, and spent hours each day creating the foundation for my business.
Just like a start-up company has a lean operating budget, so do many organizations when it comes to ERM. You may feel like you squeeze every dollar for value, and you are wondering how in the world you will be able to have ERM.
When you search for ERM information online, most of what you will read talks about the full-blown version, with formal governance structure, a dedicated ERM team, a formalized process, etc. And having these things can be extremely beneficial…and sometimes required, especially for a regulated industry like healthcare, banking, or insurance.
But what if you don’t have money for those things? Or you want to dip your toe in the ERM water to see if it is right for your organization?
Well, it is definitely possible to have “ERM on a budget!”
Let’s walk through each part…
1. Governance – is it necessary?
My response to this question is with the caveat that this information does not apply to those industries required to have a formal ERM program or show audit any governance documents…
Is a formal ERM program governance structure critical to an organization reaping the benefits of ERM? No.
Can governance be helpful? Yes. Because it sets up the foundation of what, who, why, how, and when ERM will be conducted, so that everyone is on the same page.
Many organizations struggle to get it right on their own, so they call on a big consulting firm to help them. Unfortunately for them, they are handed a “standard” ERM framework that ends up not working.
As I have mentioned before, ERM has to be tailored to the organization, and a standard framework isn’t going to do that. I know that “tailored” sounds like it will be expensive, but you don’t have to spend a lot of money to get what you need.
(This type of governance is not to be confused with basic corporate governance an organization needs to have in order for ERM to be effective. To learn more, visit Building a Performance-Focused Risk Management Process Requires a Strong Foundation.)
2. What about a dedicated ERM team?
I am a true believer in having at least one person doing ERM full-time, simply because of the amount of work that is needed to demonstrate the value that ERM brings to the organization. However, some organizations just can’t afford it and have to sacrifice the speed of making progress in exchange for the money.
If your organization cannot afford a full-time person, then you can look for someone with certain qualities rather than strictly focusing on skill sets. Don’t get me wrong – specific skill sets are very helpful, but not the only requirement due to the role that ERM plays within the organization.
A negative consequence to having a part-time ERM person means that momentum may be difficult to sustain. Say a great workshop was held with a business unit. But now the ERM person cannot have the next conversation for a few weeks due to other priorities. This means that most likely, those who participated in the first conversation will have to be reminded of the content and conclusions in order for the second conversation to take place.
Essentially, the timeframe for getting things accomplished will be extended. In some circumstances, this extended timeframe can be good, as it demonstrates that it is not being pushed onto unwilling people. The flip side is that it can be harder to convince people of the benefits of ERM because it takes so long to realize value and outcomes.
But if the organization is willing to manage the timing, then the part-time route may be doable.
3. Is a formalized ERM process necessary?
Actually, this answer will apply regardless of industry or size of the organization. I will say that ERM should have a blend of both formal and informal processes.
On the formal process side, risk identification should not be haphazard, which I discuss in my free eBook 5 Effective Methods of Risk Identification for Your Organization. And assessing risks should be thoughtful and consistent across the organization. So designing this process should be done with the end in mind, not focused on whether it is “formal” or not.
But a key aspect of ERM is the perspective being provided in various conversations across the organization. Whether ERM is engaged in planning discussions or working closely with project management, there is a unique point of view from the risk and opportunity angle. But luckily, these conversations do not have to be structured or formalized.
All the other Aspects of ERM
With the idea that you are willing to invest more time than money, these four things can be done inexpensively:
4. Communicate!
- Focus on getting buy-in from executives and management. This doesn’t take money, but it takes time and energy to build those relationships and understand what they need, so ERM can provide that value.
- Use different types of mediums for communications. Remember that people learn differently, so vary it up between written (emails, documents), videos, and face-to-face conversations. And it doesn’t have to be fancy or formal; it may be appreciated to have a quick video that is recorded on your phone or laptop.
5. Be Creative with the Technology You Have
- Have people spread out in different locations? Instead of traveling to them, use video conferencing tools like Skype or Zoom to talk “face-to-face” without the travel expense.
- You don’t have to buy fancy GRC or ERM software.
- Use Excel and/or Access (or similar tools) to capture and track risk information. Using Excel can cause some headaches when it comes to tracking historical information, so make sure to spend time thinking about what you need over a period of time and designing the spreadsheet accordingly. An Access database can also be a simple solution to capturing risk information, especially as it allows for historical versions of information and can be a good way to ensure data quality. Look for someone within your organization who can give you advice on setting up a simple relational database. (Or I can help you with it!)
- Reports for the executives and the board don’t have to be boring. Use PowerPoint or Word to create meaningful ways of communicating risk and opportunity information. Charts in Excel can be pretty neat and provide some great insights without needing special software.
6. Skip the Expensive Conferences and Events
- Tons of information exists online both on my website and through thought leaders like NC State University, RIMS, Norman Marks and others. Having more time than money means you can spend time sorting through the theory and advice to figure out what you can do to overcome a challenge, while still working within your tight budget. In fact, I recently compiled some of my favorite risk management resources.
- Develop a professional network of peers. Use LinkedIn to the fullest to find fellow risk professionals and start having meaningful conversations. Join LinkedIn groups for both ERM and your industry to find helpful information. If you find people in your area, schedule a face-to-face meeting to talk in more detail.
- Some organizations will post summaries of the presentations after the event. Use this as a way of seeing what challenges and solutions others are talking about.
7. Find Alternatives to the Big Consulting Firms
- Sometimes you just need some support to address a specific problem, but you know the big firms will not be the right fit. Smaller, boutique ERM consulting firms exist (like mine!) and can be more flexible with solutions to fit your budget. It never hurts to reach out and talk to see what they have to offer and if they will fit your needs.
While it may feel like a struggle or uphill battle, it is possible and doable to get all the value of ERM without spending a ton of money.
What are ways that you have been able to succeed having ERM on a budget in your organization?
I would love to hear from you. Please comment below or join the conversation in LinkedIn.
And if you are one of those organizations who needs a little support to get moving in the right direction without spending a ton of money? Feel free to contact me to discuss your specific situation.