I’m going to do something a little different today…
Instead of going in-depth on one specific topic, the following article takes a more all-encompassing or birds-eye view of ERM.
Knowing companies tend to have a lot of ERM-related activities starting now, it seems like a good time to step back and think about how exactly ERM must, should, and could serve our specific organizations.
The end of summer is approaching, which brings homemade apple pie to mind. So, what better way to ask this question than to use an iconic dessert – apple pie – as an illustration. But never will I say that “ERM is as easy as apple pie!”
What must an apple pie have?
What should an apple pie have?
What could an apple pie have to make it even better?
See, I told you today’s article was going to be a little different. 😉
Like an apple pie, there are the must-haves, should-haves, and could-haves for ERM. I am going to talk about what those things are, plus give you a list of my resources that explore each of them more in-depth.
Every pie, be it apple or something else, must have a crust and a filling.
Whether it’s homemade, store bought, or from a restaurant, every apple pie must have a crust, because without one, all you will have is a bowl full of cooked apples.
Translating this into ERM – what are those things that must be done?
Must #1: Satisfy regulators. Certain companies, especially financial services and publicly-traded firms, are required to have ERM, document top risks, report these top risks and what’s being done about them, and possibly even conduct capital or scenario modeling.
The articles below dive into some more detail on different regulatory requirements and how they can be met without turning ERM into a strict documentation or bureaucratic exercise.
- Straightforward Answers about ORSA and What it Means for Insurance Companies’ ERM Initiatives
- How Regulators Perpetuate Enterprise “List” Management
- ERM Outputs Do Not Equal Reports
- Does ESG Expose Additional Risks and Opportunities?
- Preparing for Regulatory Oversight of Advanced Modelling and AI
Must #2: Satisfy credit rating agencies. As we discuss in the articles linked below, major rating agencies like S&P and A.M. Best examine how robust a company’s risk management capabilities are before issuing a rating. That rating affects how much it costs a company to borrow money, or whether it can borrow at all. The articles below provide a great summary, but rating agencies are likely paying even closer attention to this now than when those pieces were first published.
- ERM Now Formally a Factor in Credit Ratings Issued by Top Agency
- A 5-Minute Primer on Factoring ERM into Credit Ratings for Insurance Companies
Must #3: Improve Board risk oversight. Boards are expected, from both a regulatory and general legal or liability perspective, to know, understand, and have an oversight role in risk management, and this expectation only continues to increase over time. In years past, a Board could claim they had no idea the company was engaging in unethical, negligent, or illegal conduct, but no more. In some cases, a Board member can be held personally liable! Check out the following to learn more.
- The Board’s Role in Risk Oversight and Why It’s Important
- 3 Factors to Consider Before Escalating Risk Issues to the Board
With the must-haves out of the way, we’re now ready to move on to the should-haves of ERM.
When it comes to apple pie, you should have a good filling made with fresh apples.
If you use canned filling and a pre-made crust, your pie certainly won’t be the best, which is why you should use fresh, tree-ripened apples and a made-from-scratch crust, according to this guide. Even the variety of apple matters, since it can have a huge impact on the taste of your pie.
Translating this to ERM – there are dozens of things you should do to make your program a valuable partner in managing the company for success. Some of these “should-haves” include but are not limited to:
Should #1: Identifying risks to strategy and having direct involvement in the strategic planning process.
- Traditional vs. ERM – 3 Steps to Move from Loss Prevention to Focused on Organizational Success
- 6 Quick-Glance Resources for ERM to Support Strategic Planning
- 3 Simple Steps to Be Invited to Strategic Planning Sessions
- Enterprise Risk Management as a Strategic Tool for Companies
Should #2: Talking to the business using their language and not operating in a silo.
- Make Your Words Count: Translate Risk Terminology to Fit the Business
- The Importance of the First Five Minutes of any Risk and Strategy Conversation
Should #3: Providing information and results in a timely manner.
- Working in a Sprint Mentality to Provide Real Insights to the Business
- Harmonizing Operational, Enterprise, and Strategic Risk Management
Should #4: Using system(s) designed for tracking risk information rather than trying to patchwork using Excel or manual processes.
- The What, Why, and How of ERM Software: An Essential Buyer’s Guide
- How Can Your ERM Software Serve Both Risk Managers and Executives?
Should #5: Having a “seat at the table” to provide actionable information to the Board, Board committee(s) and executive leaders before a decision is made.
- A Well-Organized Meeting vs. A Strategic Conversation: What’s the Difference?
- Building a Risk Intelligence Network
- Decision Analysis: A Structured Process for Improving Business Decisions
Should #6: Taking more risks in an informed way rather than focusing solely on risk reduction and mitigation.
- Why Reactive Decision-Making Can Be Devastating and How to Improve It
- 3 Ways Over-Managing Risks Exposes your Company to Danger
- 5 Risk Response Strategies You Will Have to Consider After Assessing Risks
- Don’t Waste Time Managing Risks
There are a lot of things you should do when it comes to ERM, but there are SO many things you could do to make it even better.
As for what we could do with our apple pie, this can consist of toppings like ice cream, Reddi-wip, Cool Whip, or caramel sauce, or add-ons like a cherry on top.
These aren’t a must or even a should for having a delicious slice of pie but including them can transform a good slice of pie into an irresistible treat.
One interesting thing to point out about the “coulds” of ERM: the previous section made no mention of cornerstone concepts or formal processes, such as risk identification, assessment, and analysis or prioritization based on common risk management standards like ISO 31000 and COSO.
That’s because a formal, standards-based process is just one of several different ways you could do ERM.
Other informal approaches focusing on robust conversations and facilitating planning sessions, among other things, can provide the needed insights for helping company leaders make informed decisions.
Using data and models to assess risks and opportunities, or quantitative assessment, can provide extremely valuable insights when used properly. Monte Carlo simulation, for example, can estimate the probability of reaching a given goal under uncertainty, giving leaders additional assurance that a decision is the right one.
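To make the Monte Carlo point concrete, here is an added example (my own illustration, not something from the article or any tool it mentions) that frames the “goal” as keeping total annual loss within a loss budget. It assumes the common frequency/severity model used in quantitative risk work: each scenario has a Poisson number of loss events per year and a lognormal loss per event. The scenario names and figures are constructed for the demonstration and are not real data.

```python
"""Monte Carlo estimate of the chance that total annual loss from a set of risk
scenarios stays within a loss budget (the goal a leader might set).

Added example, not from the original article. The scenario figures below are
constructed for illustration. The frequency/severity model (Poisson event
counts, lognormal per-event loss) is an assumption about how such models are
commonly built, not something the article prescribes.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    events_per_year: float  # mean number of loss events per year (Poisson rate)
    loss_median: float      # median loss per event, in currency units (must be > 0)
    loss_sigma: float       # lognormal sigma; 0 means every event costs exactly the median


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Draw an event count. Knuth's method for modest rates; a normal
    approximation above 100 avoids exp(-rate) underflowing to zero."""
    if rate <= 0:
        return 0
    if rate > 100:
        return max(0, int(round(rng.gauss(rate, math.sqrt(rate)))))
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def annual_loss(rng: random.Random, scenarios) -> float:
    """One simulated year: sum the losses of every event of every scenario."""
    total = 0.0
    for s in scenarios:
        for _ in range(sample_poisson(rng, s.events_per_year)):
            total += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
    return total


def simulate(scenarios, budget: float, trials: int = 10_000, seed: int = 42) -> dict:
    """Run `trials` simulated years and summarise the loss distribution.
    A fixed seed keeps the run reproducible so reviewers can check it."""
    rng = random.Random(seed)
    losses = sorted(annual_loss(rng, scenarios) for _ in range(trials))
    within = sum(1 for loss in losses if loss <= budget)
    p95_index = min(trials - 1, math.ceil(0.95 * trials) - 1)
    return {
        "p_within_budget": within / trials,   # probability the goal is met
        "expected_loss": sum(losses) / trials,
        "p95_loss": losses[p95_index],        # 1-in-20 bad year
    }


# Constructed portfolio of scenarios (illustrative numbers, not real data).
CONSTRUCTED_SCENARIOS = (
    RiskScenario("phishing-led account takeover", events_per_year=4.0,
                 loss_median=25_000, loss_sigma=1.0),
    RiskScenario("ransomware outage", events_per_year=0.2,
                 loss_median=1_500_000, loss_sigma=0.8),
    RiskScenario("vendor data breach", events_per_year=0.5,
                 loss_median=300_000, loss_sigma=1.2),
)

if __name__ == "__main__":
    for budget in (500_000, 1_000_000, 2_000_000):
        result = simulate(CONSTRUCTED_SCENARIOS, budget)
        print(f"budget {budget:>10,}: P(within budget) = {result['p_within_budget']:.2f}, "
              f"expected loss = {result['expected_loss']:,.0f}, "
              f"P95 loss = {result['p95_loss']:,.0f}")
```

Sorting the simulated years costs nothing extra and yields the tail figure (the P95 loss here) that a Board usually wants next to the probability of meeting the goal. The model is only as good as its inputs: the per-event medians and rates need to be calibrated against the company’s own loss history or defensible external data before anyone bases a decision on the output.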
Developing key risk indicators to help the company get ahead of risk(s) before they materialize is another “could” that makes ERM an even more valuable partner in the organization.
ERM could also be integrated into other areas like project and third-party risk management to better ensure goals are met and suppliers are the best fit for the company’s needs.
Below are some of my previous articles that explore these topics in-depth:
- 5 Effective Methods to Identify Risks in your Organization
- 3 Components of an Effective Risk Statement
- Enterprise Risk Assessment – Transforming Risk Information into Action
- Enterprise Risk Analysis – Prioritizing Risks for Maximum Benefit to the Organization
- ISO 31000 vs. COSO – Comparing and Contrasting the World’s Leading Risk Management Standards
- Practicing ERM Without a Formal ERM Program
- Why Following ERM Best Practices Can Do More Harm than Good
- Avoid the Gotcha Reputation with Executives by Using One Simple Step
- Quantitative Risk Analysis – What Companies Must Have in Place First
- Qualitative vs. Quantitative Risk Assessment – Can There Be a Middle Road?
- Using Monte Carlo Simulation to Support Decision-Making
- Why Organizations Struggle with Key Risk Indicators and How to Make Them Work
- One Fatal Error of KRIs and How to Avoid It
- 4 Ways ERM Can Add Value During the Project Lifecycle
- Taking ERM to the Next Level: Adding Value to Projects and Processes
- 7 Important Considerations for Addressing Supply Chain Bottlenecks
- Using an ERM Assessment Process to Understand Vendor Risks
- School Bus Fiasco Illustrates Importance of Robust Vendor Risk Management
As you can hopefully see in comparison to our apple pie, these must-haves, should-haves, and could-haves all build on each other. Your organization can have an ERM program that is simply there to comply with regulations but does nothing else OR a robust ERM program as a vital partner in managing the company for success.
I’m still not saying it’s as easy as apple pie, but just like apple pie, when ERM is done well, it’s very good!
If you’re trying to help executives, the Board, and business units realize more value from ERM, consider which should-haves and could-haves you can build in to better support your company in the long run.
What other items would you add to our list of must, should, and could? How have you harnessed these to better serve your company?
To share your thoughts and any specific insights, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
Also, if your ERM program is struggling to move beyond the bare minimum “must-haves” to be a valuable partner in helping the company achieve its goals and build a competitive advantage, please feel free to reach out to me directly to discuss the current state of your program and options for helping you get it to a better place.