In many cases, a standard framework like the Project Management Book of Knowledge (PMBOK), JAVA for developing computer- and web-based applications, or some other business framework is the correct and best approach to take.
When organizations embark on the ERM journey, one of the first (…and biggest) mistakes they make is to simply cut and paste one of the common risk management standards or frameworks and think it will meet their needs. Companies will often say “this one looks good, let’s go with it” and hope the framework will provide the value the company needs and expects. (Hope is not a strategy, remember?)
It’s understandable – after all, there’s a strong temptation to get ERM up and running as a quickly as possible for a variety of reasons. As Richard Anderson and Dr. Mark Frigo explain in this eBook on implementing ERM:
Boards and management are constantly faced with decisions ranging from strategy decisions to day-to-day decisions. An ERM process provides additional risk information related to the strategies to enable them to make better informed decisions to create and protect value.”
However, an ERM framework is not one-size-fits-all.
The two most common frameworks companies will look at for risk management needs are ISO 31000 and COSO. The ISO standard defines terms while COSO gets into more of the details on execution.
Since COSO goes a fit farther as a “how-to” framework, many will choose it to get started in my experience. Regardless of which one your company ultimately chooses though…
Implementing any “standard” ERM framework by cut/paste or any sort of “done-for-you” fashion will end up in failure.
This is a lesson I had to learn personally early on in my career as an ERM practitioner…
There are an infinite number of possibilities why an ERM initiative fails, but when it comes to implementing standards in this sort of haphazard way, there are a few important points a company is neglecting to consider, including:
- Why was a particular standard created in the first place (see the ISO and COSO articles linked below).
- Culture, structure, and other elements are different for every company.
- What the company’s needs are and what do executives want to get out of ERM. Is it due to regulatory demands or are executives or the Board clamoring for better risk management?
Instead of expanding on each of these important points to choosing a framework here, I strongly recommend checking out my previous articles discussing the background of ISO 31000 and COSO and other pieces I link to in the bulleted list above.
Only once this is understood can risk managers begin examining each framework piece-by-piece to see how it can meet the company’s needs.
Again, it’s tempting to rush headfirst into implementing a framework but doing so can lead to failure.
Therefore, carefully comparing what a framework says is needed with what that would look like in practical terms for your company has to be the next step. Will the standard mesh well with your company?
Okay, I’m going to kind of show my age for a moment.
If you’re over the age of 30-35, you may remember overhead projectors like the one pictured below, especially from your days in high school and college. These devices use light to magnify information on a clear sheet and “project” onto a screen on the wall. This is definitely in the days before PowerPoint and computer integration in classrooms and conference rooms.
You don’t need to literally do the following – it’s simply an analogy or concept for determining how well a framework will mesh with your company.
Let’s say the bottom sheet is your company and you begin to “overlay” components of the process in the form of additional sheets. By doing this in a figurative way, you should be able to see what parts of an ERM framework will need modification to make it work for your company. Since every company is different, it’s challenging to provide a specific list, but some common examples can include:
- Changing terminology to reflect how the business communicates.
- Changing executive titles in the framework to reflect how roles and responsibilities are handled in your company.
- Changing who will be the owner of both the ERM function itself as well as individual risks and opportunities. This will drive who you will talk to.
- Setting up a sort of governance and/or oversight.
Once this “overlay” process is complete and modifications have been made to the particular framework you are using, you are not quite ready for a big roll out.
Like other new processes or physical items, there needs to be a trial or introductory phase where you have a “pilot” of your framework in one or two departments. This allows you to work out the kinks that inevitably occur as you move from the development to implementation phase.
One thing I learned early on in my career as an ERM practitioner…copying and pasting a particular framework may work in some circumstances, but when it comes to ERM, it can lead to wasted resources, costly delays, and a loss of confidence from executives.
Therefore, save yourself the trouble, and don’t try to make a square peg fit into a round hole!
Has your company tried to implement an ERM standard or generic framework as is? How soon did it become apparent that it wouldn’t work?
To share your thoughts and experiences, please feel free to leave a comment below, join the conversation on LinkedIn, or email me directly and privately at email@example.com.
And if your company is struggling to understand how to customize a framework to fit your company’s culture and needs, please don’t hesitate to reach out to me directly or schedule a meeting to discuss ways to get things unstuck and moving forward again.
Sign Up For Our Newsletter
Sign Up For Our Newsletter
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
Most Recent Posts
Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…Read More
As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…Read More
Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…Read More
Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…Read More
On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…Read More
Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…Read More
Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…Read More
One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…Read More
It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…Read More
If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…Read More