I am always surprised when people tell me that they don't see the value in an Enterprise Risk Management (ERM) program. I shouldn't be because, to many people, it seems like just an exercise for regulators, another item they need to check off their list. There is a valid reason for this perception. The National Credit Union Administration (NCUA), in Supervisory Letter No. 13, defines ERM as "a comprehensive risk-optimization process that integrates risk management across an organization."[i] NCUA goes on to state that "implementing a formal ERM framework requires a significant investment in management, expertise, and systems." Finally, NCUA concludes the letter by stating that they "view the absence of an adequate risk management framework … as a failure in sound corporate governance …". Yikes!
COSO (you remember COSO from Sarbanes-Oxley, right?) defines ERM as "the culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value." [ii] I added the bold and underline because I believe that a sound ERM program will help companies achieve their strategic objectives.
An ERM program adds value to an organization in several ways. Fundamentally, an ERM program will help identify gaps or opportunities for efficiencies that you may not realize exist. Gaps might be as simple as missing a process step or as crucial as failing to design a control to mitigate a critical risk. The adage "you don't know what you don't know" has never been more true than in this situation. Unfortunately, you cannot rely upon people's gut feelings that risks are adequately controlled, controls are operating effectively, and there are no gaps.
Once a company has established a common language in terms of risk rankings and has developed a framework for documenting risks, I have seen effective risk management programs improve employees' critical thinking skills. Empowered employees are able to make decisions because they understand the direction of the company and the amount of risk they can or cannot take. Articulating and documenting the company's risk appetite or risk thresholds is the first step to making it easier for employees to make decisions.
I have also noticed that just the act of documenting a process will often break down silos in an organization and make that organization more efficient. I love the aha moment when folks realize that they can stop pulling a report or completing a reconciliation because the process before them is already doing that step. How else will we find out that five different areas were all performing the same reconciliation?
An effective ERM program will also focus management's attention on those risks that matter the most to achieving the company's strategic objectives. The ERM program will identify and highlight gaps, areas which do not have controls in place. Management is then able to make conscious decisions on whether to accept the risk or add in controls. Those gaps may not have even been identified before implementing an ERM program, potentially leaving the company vulnerable.
Is your company anticipating a new project? What is your change management procedure? Does it include a review of the existing controls and a roadmap for how those might change? An active ERM program makes it easier for the change management process to identify critical controls that will still need to operate once the new project is complete.
Does your company have some key person dependencies? A robust ERM program will identify the owners of the controls in place. When someone leaves or goes on vacation, it is a simple task to query the controls by person and make sure someone is still performing those critical tasks. Assignment of controls will also hold people accountable, which leads to higher achievement of the company's strategic objectives.
An ERM program should be as lean as the company. I like the COSO framework because it is scalable and as applicable to small companies as it is to larger companies. Still not convinced? I welcome your comments. Reach out to me and let me know your thoughts. What is holding you back from implementing an ERM program at your company?
RTE and Company
Becky is a strategic risk management executive with years of demonstrated expertise in creating and maintaining value-added risk management departments. Currently, Becky is the founder of RTE and Company, a strategic consulting company focused on improving its clients' success by helping them create and maintain enterprise risk management functions that add value to their organizations. Her career included risk management roles at Freddie Mac and consulting opportunities partnered with PwC.
We help companies achieve their strategic objectives by identifying, understanding, and mitigating their risks. Let us add a fresh set of eyes to your current situation. We pride ourselves on being practical in all aspects of the engagement.