3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you.

I don’t say that to scare you but to provide a small dose of reality.

Building, launching, and refining an ERM program that is more than a tool for satisfying regulators and ratings agencies and avoiding negative risks will take time and a bit of trial and error.

That much hasn’t changed a whole lot since the original version of this article was published in the fall of 2016. However, one thing (…out of many) that has changed is the importance of informed and measured risk-taking in pursuit of strategic goals and objectives.

This statement is true regardless of industry, sector, or geographic location(s).

Although many organizations implicitly understand this point, very few are actually successful in building an ERM program that helps the company create a strategic advantage. According to the latest State of Risk Oversight report from NC State, only 12% of respondents felt their program helped their company build a strategic advantage over competitors. This statistic makes me extremely sad and yet more determined to get organizations to think about and approach ERM differently.

The fact remains that it can be difficult to know where to start, even with the plethora of resources out there. While the original version of this article provides a step-by-step process, much has changed based on general trends and my experience as both consultant and practitioner.

The process outlined below is broken down into different buckets or phases that build on each other. Like manufacturing a product, this process will involve trial and error, so don’t be discouraged if something doesn’t seem to be working out the first (or even the second) time. As one of my favorite singers, “Princess of R&B” Aaliyah, says in one of her hit songs – “If at first you don’t succeed, dust yourself off and try again.”

With that said, let’s dive into the first phase of this process. You will notice this section consists of the ground work that must be done before you even begin designing the actual ERM program.

Phase #1: Forming a Solid Foundation – Governance, Culture, and Why your Company Wants ERM

This first bucket or phase represents those things that must absolutely be done first. Without these, the entire house of cards will come crashing down at the first signs of difficulty.

Like so many other resources on the subject of setting up an ERM program, the first iteration of this article jumped right into developing a framework as the first step. After speaking with many organizations through the intervening years though, it became clear that companies needed to address foundational matters before moving forward.

When I speak to any company about ERM these days, one of my first questions asks what governance, including decision-making processes, they have in place. At first, I was stunned at how many would say “not much.”

It may seem mundane, but I cannot overstate the importance of having a solid corporate governance structure in place to ensure processes are efficient, effective, and managed appropriately. By corporate governance, I’m talking about mission, vision, values, strategic plan, board oversight, internal management oversight committees, escalation process, corporate policies (even just the basics like HR and information security), and so on.

Now a small company may be able to get away with not having these in place, but without a mission, vision, and strategic plan, what does your company have to assess risks against? Who validates what risk is acceptable and what needs to be escalated? Without clear communication between different areas, information is siloed, making it impossible to know how risks and opportunities fit into the bigger picture.

This shouldn’t be surprising considering that the origins of the COSO standard lie in compliance and corporate governance.

Beyond this, another equally important foundational matter is cultivating the right culture.

We’ve all heard the saying “culture eats strategy for breakfast.” Well, I can tell you for a fact, this is equally true when it comes to an ERM program.

Risk culture is quite simply the attitude of everyone in the company from the bottom all the way to the C-suite toward risk, opportunity, and strategy. Tone at the top, communications, and accountability are just a few elements of a positive risk culture.

Cultivating this culture requires persistence and concerted effort to change rather than strictly relying on top-down directives, which will only create animosity and frustrate progress.

And for the last foundational piece before developing a framework – you need to know the driving reasons for company leaders to want ERM in the first place, along with their expectations.

What is the current situation and how can ERM help?

What do they want to get out of ERM in the long-term?

Are they responding to regulations like ORSA? Or have they heard that ERM is a way to ensure goals are met and the company operates more smoothly?

Without understanding executives’ motivation for ERM and where they want the company as a whole to go, you won’t be able to determine the risks that need attention. Nor will you be able to advise which risks the company should be taking. In this situation, it’s highly probable you will need to scrap everything and start over, which is something you should want to avoid for a variety of reasons.

The following articles here on the blog dive into more detail on each of these foundational elements of building and launching an ERM program.

Once these foundational areas have been addressed, you’ll be ready to move into…

Phase #2: Developing your ERM Framework

The “framework” of an ERM program is essentially its own governance document and high-level overview for guiding the processes you will develop in the next phase. This framework document will be shared with executives and the Board.

That being the case, it’s important the framework is kept high level. Since adaptability is of utmost concern, you don’t want to be constantly updating this document, for two reasons. One is the level of scrutiny it will get from executives and the Board, and two, if/when ERM is audited, the framework will be the first document auditors examine. A detailed framework will automatically become outdated as you modify policies and procedures, and it can lead to trouble if the information it contains doesn’t match what the company is doing in practice.

Instead, the framework should refer out to other documents that don’t have to go through the same level of scrutiny.

This doesn’t mean the framework document should contain nothing of substance whatsoever. One of the most important elements of the framework is clearly stating roles and responsibilities for the ERM program, including:

  1. Where in the corporate organizational structure will ERM reside?

Since ERM should be working closely with senior management, it’s important for it to have a high-profile position in the company. Programs merged with audit or stuffed lower down the rungs of the company ladder tend to not receive the attention necessary for more than a surface-level impact.

  2. Who will ultimately be responsible for ERM?

Somewhat similar to #1 but deserving of its own section, mid-sized and larger companies with ERM will often appoint a Chief Risk Officer (CRO) who reports directly to the CEO. Many feel that this role is needed to give ERM the visibility needed to put words into action, or as explained in the 2022 State of Risk Oversight Report from NC State:

“While an organization might designate an individual to be the risk leader for their organization, if that individual is too far removed from the senior leadership of the organization, the ERM process is less likely to get visibility and focus from those at the enterprise level.”

One approach to increase ERM engagement is to have one or more management-level risk committees. These groups typically include representatives from multiple business units, so they have the positive effect of ensuring information is not stuck in silos.

  3. How will the Board oversee ERM?

Also, depending on your company, the framework should include the composition of any Board oversight. For some, this is a legal requirement, but robust Board oversight is increasingly becoming an expectation across the board these days. The Board may conduct its oversight on its own, or there could be a separate Board committee that can better focus its efforts.

When it comes to standardized frameworks, there are several out there, with the most notable ones being ISO 31000 and COSO. These standards can be helpful guides and starting points, but as Frank Martens and Carmen Rossiter explain in the book Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives:

“While generally accepted frameworks are a useful starting point, they are generic by their inherent nature. Organizations that incur the effort to develop their own tailored framework see the greatest influence from their respective frameworks.”

Also, as Norman Marks explains at several points in his articles and books, the best risk practices are well ahead of these standards.

A word of caution – don’t try to force a certain standard onto your organization!!

The overarching goal of any framework is to support decision-making by helping the company identify and assess risks and opportunities to achieving strategic objectives. This will work differently for every company, even ones in the same industry, so while it is tempting to copy/paste from others, doing so rarely works out.

To learn more about each of these elements of an ERM framework and governance document, I invite you to check out these other resources here on the blog:

With these elements of a framework in hand, you will be ready to move into…

Phase #3: Developing Processes

Once a framework is put together to guide the ERM program, you’re now ready to begin developing the various processes that will help executives understand risks and opportunities and thus inform their decision-making.

This is where you will plan out the methods your company will use. Will one-on-one interviews work better or will surveys provide the insights your company needs? What about a combination of those methods?

This will be, by far, the most iterative part of your ERM journey. In one sense, it will never be final as the conditions and needs of the company are constantly changing. Therefore, you’ll always be refining processes as you go along, which is why you shouldn’t include this type of information in your framework.

Companies tend to get hung up here as they compare themselves to what others are doing rather than focusing on what works for them. It’s also why you should not be discouraged if a particular method isn’t working.

Rather than rolling out a particular approach to the whole company, work with one or two business units to “pilot” the processes. This way you can refine what works without running the risk of others getting upset and abandoning ERM altogether. For the sake of brevity here, I’m not going to get into too much detail on the various processes.

The following articles will provide a thorough explanation of each process plus how to best harness them for your needs.

If you compare this version of this article to the previous one, you should notice the differences. Beginning with the end in mind and taking steps to understand why your company wants ERM is so critical to a successful endeavor.

The original article also included risk appetite and tolerance as one of the steps. While these are important in their own right, many companies find it difficult to develop and implement them immediately.

To be successful, it’s important to start slow. Rome wasn’t built in a day, so there needs to be the expectation that this will take time.

Where are you in your ERM journey? What roadblocks have you experienced in the past when you were setting up an ERM program?

I’m interested in hearing your thoughts on this extensive subject. Please don’t hesitate to leave a comment below or join the conversation on LinkedIn.

Although this article only briefly explains this complicated subject, it’s still quite possible you could get stuck. If you find yourself in this situation and are ready to move forward, please feel free to reach out to me through email or my online scheduler today to begin discussing your specific issue and possible ways forward!

Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
