By LAURIE CHAMPION, a director in Aon Global Risk Consulting's ERM Practice, and TOM WIMBERLY, vice president of business development in Aon's eSolutions group
Enterprise risk management provides a framework for delivering cross-functional understanding and management of risk using proven tools and processes to achieve results that "fit" with each organization's culture and existing practices.
An effective ERM framework includes established risk management goals and oversight, consistent understanding of existing risk management processes, effective risk identification and prioritization, appropriate tools to assess and quantify significant risks, an effective approach for identifying and evaluating risk response solutions, successful implementation and performance measurement of risk response solutions, and appropriate risk governance, culture and disclosure.
After establishing an ERM framework, organizations often develop a need for improved tools to support efficient integration of ERM into existing management processes. At this stage, ERM technology typically tops the list of tools that can provide immediate value in return for the investment of time and cost to implement.
To select the right ERM software solution, an organization needs to match its existing technology sophistication with its level of ERM maturity.
Maturity Level: Initial/Lacking
Risk management activities are limited in scope and may be implemented on an ad-hoc basis.
Technology Solution: Ad-hoc (e.g., Microsoft Excel spreadsheets) including specialized survey software.
Maturity Level: Basic
Limited capabilities to identify, assess, manage and monitor risks; informal consideration of risk and risk management in management decisions.
Technology Solution: Basic risk register solution.
Maturity Level: Defined
Sufficient capabilities to identify, measure, manage, report and monitor major risks; effective controls for major risks, but still may be a siloed consideration and management of risk.
Technology Solution: Enhanced risk register solution with tracking of controls.
Maturity Level: Operational
Enterprise view of risks, with consistent ability to identify, measure, manage, report and monitor risks.
Technology Solution: Transitional between risk register and full-blown ERM tools.
Maturity Level: Advanced
Well-developed ability to identify, measure, manage and monitor risks across organization; dynamic risk-based decision-making.
Technology Solution: Full-blown ERM tools with modeling and simulations.
Given the complexities of an ERM project, taking on software that is too complex for the current ERM maturity level can divert resources and time from the overall ERM development plan and result in an overinvestment. The right ERM software should enable the ERM process to meet objectives in the simplest manner possible.
TECHNOLOGY TO DRIVE ERM
When looking for a tool to help manage risk at the enterprise and operating levels, there are a number of features to look for:
-- The ability to support the organization's unique hierarchy so that risks can be mapped to a distinct physical location, product line, project or other area of responsibility.
-- The ability to support multiple categorizations of risks, including those based on standard risk categorizations or categorizations specific to the organization's business. For example, financial, human capital, operational and strategic risk categorizations should contain further descriptions unique to each organization, such as "brand and image" or "delivery channel" risks.
-- The ability to assess the impact of the risk from a probability and severity basis, using assessment scales unique to each organization, with the ability to support additional risk assessment scoring as needed. This risk scoring capability supports ongoing monitoring and reporting of risk, including tracking improvement or deterioration in the risk over time.
-- The ability to track each change in the database transactionally--an easy way to see who made what change and when--to monitor the impact of these changes as the ERM framework process matures.
-- The ability to identify the risk controls in place and those that should be implemented for each risk. For more comprehensive treatments, the system can allow each control to be documented, including the benefits and costs of implementing the controls, to help establish implementation priority.
THE BOTTOM LINE
Technology can provide a structured environment for risk surveys, risk registers, risk actions and risk controls. It can assist organizations to understand the possible impact and management of these risks. However, technology does not replace the expertise and experience of management teams and their knowledge of the unique risks that face their organization and industry.
The secret to efficient technology is to ensure it does not drive the process but facilitates it. Using ERM technology to gather useful information in a normalized fashion, to establish a plan to address the risks that have been gathered, to operationalize the information so behaviors are in place to reduce the impact of these risks, and to monitor both actions and results are all essential parts of a successful ERM framework.
Technology must deliver the ability to tell the organization's complete ERM story through credible risk information and practical reporting tools. Reports should reflect the likelihood and impact of the population of risks, they should facilitate analysis of the top risks, and they should support risk-based decision making focused on actions to improve risk and the movement of risks over time.
These reports take many different forms--from risk and heat maps to risk plots, graphs, charts and simulations--and a successful ERM framework requires tools to ensure that, from the first moment you analyze the possible impact of technology on your ERM program, the end result will tell your ERM story as eloquently as you can.
Beginning in the formalized stage, an ERM system fundamentally involves the same steps as classic risk management: identification, assessment, evaluation, reporting, treatment/control, reporting on residual risk and monitoring risks for the organization. Technology solutions should allow for risk information to be collected, reviewed and managed in a consistent fashion in line with the ERM process. Utilizing technology in this manner can make an organization's ERM program more transparent, traceable, efficient and effective.
A well-designed and well-implemented ERM framework overall can help organizations to achieve maximum value from their ERM investment. Getting value from ERM investment depends on how well management understands critical risks--both existing and emerging--and the potential impact of these risks on financial performance and organizational health. Risk-based decision-making enhances strategic planning and business planning. It improves resource allocation and operational efficiency as organizations focus on and effectively manage the most critical risks. The results include improved predictability of financial performance through better risk taking, improved corporate governance, and increased transparency about risk for internal and external stakeholders, including the board of directors, investors, creditors, regulators and ratings agencies.
December 1, 2009
Copyright © 2009 LRP Publications