The second initiation into enterprise risk management is more unpleasant. That's when, after the 200th article, the risk manager begins to believe that in order to create an enterprise risk management methodology, he or she must identify every risk in the company. Then the poor soul must turn this Herculean list into a coherent presentation to the CEO and the board. For many, this causes a sense of hopelessness and nausea.
These introductions into enterprise risk management are the result of the "Big Bang" school. Proponents of the Big Bang school suggest the enterprise risk management method should be rolled out all at once, across the entire organization, capturing every risk.
But this method usually involves a massive campaign to ferret out every risk by conducting hours of interviews with people at multiple levels across every business unit. After months of gathering information, a risk management plan is drawn up. For many a risk manager, implementing an enterprise risk management program using the Big Bang method is an overwhelming proposition.
This method has its place. Creating projects using the Big Bang is useful in some cases--creation of the universe comes to mind. But even in successful cases, there are downsides. Chief among them is that it takes too long for anything meaningful to get accomplished. After all, don't forget that it took billions of years for planets to form, and billions more before we came up with the invention called the iPod.
Creating an enterprise risk management program is smaller in scale than the universe, I'll grant you that. But CEOs and boards, burning through $1 million a year in consulting fees, have far less patience than the forces that created the universe.
An alternative is what risk manager Jim Blair of Teletech calls the "Five Smart People in a Room" approach.
The concept is simple. Five smart people who know the company's business can usually identify the top risks facing it. Jim suggests holding a one-hour meeting with execs from sales, human resources, legal, finance, operations and IT.
Its focus should be answering one question: What are the top five things that could bring the company to its knees? By the end of the meeting, the truly material risks will have come to light.
Using this approach, the firm's problems need not all be solved at once. If the top five risks are identified, measured, monitored and treated, then the framework of enterprise risk management has been created. Other risks can be added to this framework later.
This is a more organic approach than the Big Bang. If the top risks get addressed properly, then the enterprise risk management framework will likely grow.
"Enterprise" should not give the impression that every risk has to be treated. Rather, it should indicate that risks from any part of the company can be included in the risk management function. It is the ability to address risks across silos that puts the "E" in ERM, or enterprise risk management.
ERM does not have to be massive or awe-inspiring, and it does not have to rival a mission to Mars.
It should, however, never induce narcolepsy.
BEAUMONT VANCE manages risk for Sun Microsystems Inc.
May 1, 2005
Copyright 2005© LRP Publications