It’s hard to believe that we’re nearing the end of 2021!
Whether it’s improving health, changing eating habits, or some other goal, the New Year always represents a great opportunity for a fresh start.
A company’s ERM processes are no different…
The end of the year represents an ideal time to take a step back to evaluate risk identification, assessment, and other ERM processes and determine where adjustments need to be made.
Results from the year’s Global State of Enterprise Risk Oversight survey from NC State confirm that a large proportion of companies have a lot of room for improvement…only 40% of U.S.-based respondents indicated their ERM processes as “systematic, robust, and repeatable with regular reporting to the Board.”
And while more companies do factor risk exposures when considering strategic objectives, only a paltry 11% believed their ERM processes provided the company with any sort of unique competitive advantage.
Boards and senior executives are also clamoring for improved risk processes. This is confirmed in a survey from E&Y from earlier this year where 79% of respondents indicate that “…improved risk management will be critical in enabling their organizations to protect and build value in the next five years.”
Yes, you read that correctly – 4 out of 5 feel that improved risk management will be critical to their future success.
These statistics, coupled with the rise in the volume and complexity of risks and general uncertainty, mean there is no time like the present to adjust and improve ERM processes.
Changes in business objectives, compliance requirements, and the general operating environment are nothing new…in fact, they’re going to continue and get even more chaotic in the years ahead. These changes often necessitate adjustments in ERM processes, systems, and tools.
For example, the company’s strategic goals or day-to-day operations could feel the result of compounded negative impacts if there is a significant delay in identifying changes in risk levels due to a breakdown in the process.
Although methods for gathering and analyzing information may work [just] okay, they could always work better irrespective of how advanced the processes are.
In a previous article on this topic from early 2018 entitled ERM Maturity Assessments: Are We Assessing the Right Thing?, I relayed an experience from when I was a director of ERM for a sizable property insurance company. We had hired a big consulting firm to assess the maturity of the program.
While executives seem to really love the comparison of our processes to other organizations, I eventually came to understand that the real value of this exercise was assessing the effectiveness of our program, not necessarily how well it stacked up against what others were doing.
To couch it in slightly different terms, the purpose of this type of assessment is not about checking all of the boxes on some sort of list but about the effectiveness of your ERM processes relative to your company’s needs. As Norman Marks explains in a recent article on his blog:
Risk management should ensure people have the necessary information to make informed and intelligent decisions necessary for success, knowing which risks and opportunities to take if they are to achieve their business objectives.”
Below are a few questions you can be asking the Board, senior executives, and relevant business area leaders to ascertain whether your company’s ERM processes are fulfilling this purpose:
- Is ERM providing you with information and insights you did not already have? One of the biggest complaints about ERM by executives is that it simply rehashes what the executives already know.
- Is this information easy to use? If it takes too long for someone to read the materials or if they have to ask a bunch of questions to know what they are reading, they will set it aside and not use it, rendering all of your work wasted.
- What’s working well? Understand what executives and leaders like about your current ERM processes. Assessments are not all about the bad – celebrate the wins, and identify areas where you can capitalize on the positives.
- What could go better? Sometimes the best ideas or recommendations can come from non “risk” people. New perspectives are always helpful when trying to improve your processes, especially from people who aren’t neck-deep in the work all the time.
- If we knew then what we know now, what could we have done differently? A nice spin on a retrospective or lessons learned. While ERM is not a “project” (there should never be an end date for ERM!), we can always stand to learn how to do better. Another term for this approach is conducting a counterfactual.
This is just a starting point as there will be questions specific to your company’s size, industry, and other unique circumstances that you could ask. You should be asking questions like these on a recurring basis since…
ERM processes are iterative in nature, so they will therefore always need refinement to ensure they are meeting the company’s needs.
As many risk thought leaders explain in books, articles, and webinars, the best risk management practices are well ahead of even the most current versions of ISO 31000 or COSO.
Also, it can take some time for a company to find out what works best for its unique culture and needs. Many expect to be able to implement a standard and begin seeing results immediately. While this may work for project management or other standards, ERM is a bit different and therefore requires some (sometimes much!) trial and error to find out what works.
The questions listed above are a great place to begin understanding where adjustments need to be made.
How do you identify ways to improve your company’s ERM processes? When during the year do you conduct a process assessment?
Assessing the effectiveness of ERM processes often gets pushed to the back burner in our haste to understand risks and opportunities to achieving strategic objectives. To share your thoughts and experiences on this important topic, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
Last but not least, if your company is struggling to understand how it can improve its ERM processes to deliver better value, reach out to discuss your specific situation and potential options to consider.