Enterprise risk management is being touted as a highly complex and expensive program. This is truly a shame because effective ERM programs are actually very simple and elegant. But simple and elegant solutions don't generate $3 million in consulting invoices. In order to generate that kind of a bill, ERM has to be almost unfathomable in breadth and complexity. So that is how it is being portrayed, often by the very people who purport to be ERM champions. But the complex model is killing far more ERM programs than it is creating.
It need not be so difficult. If you need to find a simple working model of ERM, you can find one in the internal audit literature. Working in internal audit this year, I found that they had addressed the main framework of ERM. Their simple and elegant approach is called ORCA, which stands for objective, risk, control, assessment.
By going systematically through it, one can fulfill the main objectives of ERM: identifying the big risks, finding out who owns them, analyzing what is being done to address the risks, identifying gaps and communicating this information to the top decision-makers. That is the heart and soul of ERM, and ORCA aptly meets those objectives in a four-step process:
Objective: Your board and senior management had better have clear goals and objectives. If they do not, you have much bigger problems to solve than ERM. The top goals might be increasing profit by developing a new product, improving customer retention or cutting costs. It doesn't matter what the goals are, as long as they are clearly defined.
Risk: What are the events and forces that could stop your organization from obtaining its goals and objectives? You can find out by interviewing senior-level management and asking that question. This process is straightforward and has been successfully completed by many companies. You might find that audit already has a good enterprise risk-assessment process. Choose the top five risks that demand immediate attention and move on to the next step.
Control: This is the step where many get stalled. ERM teams often fall into the trap of thinking they have to solve or treat the risks that have been identified. They do not. All that is required is to identify what controls exist to assure that the top risks are addressed, managed, monitored and mitigated by the groups that are responsible for them.
Assessment: This produces real value for the strategic level of management. The ERM team can look at the organization and provide a clear view of the major risks across all of the silos of the company. Furthermore, it provides executive management and the board with a concise view of what risks are already being managed and where there are vulnerabilities.
One can argue that a best-practice ERM program should have more functional elements, but not everyone wants or needs this level of sophistication.
Taking a page from internal audit, you can deliver value and complete the core elements of ERM without a huge budget or teams of outside help. Don't listen to anyone who tries to tell you otherwise. The more you can see the simplicity at the heart of ERM, the easier you will find its implementation. The more expensive, complex and unfathomable ERM is made, the greater the risk that it will look to senior management like another corporate boondoggle.
BEAUMONT VANCE, senior risk manager for Sun Microsystems Inc., is a columnist for Risk & Insurance®.
July 1, 2006
Copyright © 2006 LRP Publications