BY TRISH SAMMER JOHNSTON
The phrase "critical mass" can certainly imply dramatic overtones. However, many risk managers were less than shocked that enterprise risk management (ERM) was shown to have finally reached critical mass, or an acceptance rate of more than 60 percent, according to the 2013 Risk and Insurance Management Society's ERM Survey.
Why the lack of drama? It seems that during the past 10 years, risk managers have seen that ERM consistently proves its value.
"A decade ago, people were trying to understand what ERM was and how to do it," said RIMS board director and risk professional Nowell R. Seaman. "Now, we're in a current state where there are really effective approaches and methods formed around ERM.
"There's a more consistent understanding of what it can do if used well," he said. "It's not surprising that so many organizations are adopting it."
Carol Fox, director of RIMS' Strategic and Enterprise Risk Practice and one of the study's authors, attributes ERM's increasing adoption rate to two factors. "ERM continues to be a board directive. When you consider that 80 percent of the risks that affect organizational outcomes are strategic and operational, ERM has high visibility.
"In addition, risk professionals are taking a leadership role," she said. "They're showing it's not about ERM, it's about producing more certainty around expected outcomes. To the extent that some organizations may still be on the fence, now is the perfect time to move forward with it."
So how can risk managers most effectively implement ERM? Starting with realistic goals is crucial, said Fox.
"You can't plop ERM into the middle of an organization and say 'go forth and multiply.' ERM is very much a journey. Start where you are and you begin to make better decisions through a very disciplined way of approaching risk.
"The greatest pitfall is not making ERM seamless with the organization's practices. If you're trying to bolt something on to something else, you're going to meet resistance from the perspective of sustaining it," she said.
An executive champion is also important, said Seaman.
"If the C-suite accepts the idea that they want to do ERM, it makes buy-in around the organization easier," he said. "If upper management is uncertain or unsupportive, I don't think you're going to get very far."
Both Fox and Seaman said risk managers should approach other departments from a standpoint of inquiring about their goals and then discussing how ERM can help.
For example, syncing up departmental planning cycles can be key to aligning ERM with strategic goals. Coordinating objectives within departments, especially when the same terminology is used across the board, can help ensure collaboration and sustainability.
Even though risk managers may still need to promote ERM within their organizations to some extent, the increasing adoption of ERM means there's more information to work with. In addition to ISO 31000, there are several other standards and frameworks available that can provide a basis for a solid ERM program. However, the survey shows that more than a quarter of the respondents don't adhere to any one specific standard or framework.
Fox sanctioned that approach. "I always tell people, 'Learn everything you can about as many standards and practices as there are out there and then figure out what works best for you,' " she said.
She also advised risk managers to engage in professional networking to find out what similar companies are doing.
Despite all the potential that ERM brings, Seaman cautioned risk managers to "be careful what you ask for."
"Taking accountability for developing and implementing ERM represents significant work," he said. "ERM is extremely rewarding and has high potential for return, but you have to be mindful of the resources required and the additional or requisite skills you need."
Risk managers are up to the challenge, he said.
"I think risk managers are very well suited to lead or be part of the leadership of ERM because they have considerable experience with the risk management process. Most of them have facilitation skills, a strong knowledge of all aspects of the company, as well as risk analysis and risk assessment, so they bring a lot to the table," Seaman said. "But you can't underestimate the work that it takes to achieve real progress in this area."
ERM is an initiative with an extensive shelf life. Long-term value, or lack thereof, is largely determined by how ERM evolves within a company. "It's about maturing capabilities," said Fox.
"Even though you think you have ERM, it's really understanding how mature those practices are, how deep they are and if they're continually improving," she said. "Everything changes so quickly. Something that worked in the past might not be a fit for what's coming. ERM is constantly changing and we have to be on our toes to make sure our deliverables are still relevant."
Trish Sammer Johnston is a freelance journalist based in Philadelphia who writes about financial issues.
September 23, 2013
Copyright 2013© LRP Publications