Risk Insider: Grace Crickette

The Art of War and ERM – Energy (Part 4)

January 7, 2016

Grace Crickette, a leader in enterprise risk management, is special administrator, Finance and Administration for San Francisco State University.

This is the eighth chapter in Grace Crickette’s series of posts focused on how to gracefully bring together traditional risk management, change management techniques and enterprise risk management concepts by using phrases and tactics to develop strategies devised by Sun Tzu, a Chinese military general, strategist and philosopher.

Make ERM, Not War

Art of War Key Principle: Opportunistic Flexibility In Adapting Strategies And Tactics To Situation

The way to capitalize on the endless opportunities created by ever-changing conditions is to become engaged as a part of a well-thought-out plan and be flexible in adapting tactics to those ever-changing conditions within the context of each pre-determined strategy.

The Art of War’s fifth chapter focuses us on moving to the Creative or Energy mode, in which the greatest amount of preparation and ongoing effort takes place in implementing Enterprise Risk Management.

In the prior post, we looked at the second element on our menu of common elements of an ERM program: performing a gap analysis.

Let’s move on to the third element …

Integrate Existing Activities Under the Umbrella of ERM

We left off with creating a document or “White Paper” that describes our current state, which included steps to get our organization thinking about risk management activities in a more holistic way. We aggregated the information currently collected by various groups and identified the risk management activities already in place.

Having completed our paper, we are positioned to begin to understand and coordinate risk management across the enterprise. Caution: Coordination does not mean a “land grab” or a change in who conducts risk management activities.

I advocate for independence between departments that perform risk management activities, while still creating a high level of collaboration and sharing of information between departments and groups. As I pointed out in the prior post, there are many other departments within organizations that engage in risk management, and they need to be included in the ERM program.

As there continues to be ongoing dialogue and opinions about how risk management, audit and compliance work together, it is worth spending some time to understand their roles. The following outlines a basic understanding of the roles of these functions, but is not meant to be comprehensive. You should do homework on the professional standards for each function and develop your own understanding.

  • Audit programs exist primarily to provide independent and reasonable assurance to the organization that management’s controls over its key processes are functioning as designed and are effective.
  • Compliance programs exist primarily to support the organization’s efforts to comply with applicable laws and regulations, including those set by external bodies such as the government, or internal bodies such as the organization’s board of directors. When required, compliance offices also help set organizational policy to adapt to new and evolving risks and influence the ethical culture of the organization.
  • Risk management programs function as a part of management, rather than in an oversight capacity like audit and compliance, and work to implement best practices and support everyday decision making. As part of these responsibilities, risk management, in consultation with the board and executive management, communicates the risk appetite for the organization and is responsible for developing and implementing risk management processes.

Working together, these three programs create a system of internal controls that support the effective and efficient operations of the organization. Though there may be some overlap in the areas of risk that are covered by each program, the purpose, focus and activities driven by these different programs vary.

Just because these programs occasionally give focus to the same risks or operational areas, this does not mean that the process is redundant. In fact, having overlapping risks provides some assurance that we are focusing on the right risks that are most important to the organization.

To illustrate how these three activities work together, a common approach is to have the compliance department determine what policy needs to be in place to address a particular risk in an operational area.

Risk management advises and supports compliance on this process as needed, and is responsible for helping management to implement the specific practices required to bring the organization into compliance (e.g., training, hiring of additional personnel, etc.). Audit is responsible for ensuring that management has implemented these practices and that they are functioning as designed.

In this example, audit, risk and compliance work together to improve assurance that the risk concern is appropriately addressed by the organization, and appropriate controls are in place to reduce future risk, with each activity contributing in different but important ways.

The ERM program can become the framework that brings the various activities together and provides the forum to create integration and collaboration. As we continue, we will focus on ways that you might create your ERM umbrella.

Key Takeaway: Implementing ERM takes Energy and Creativity. Understanding the mission of various departments and the importance of independence to fulfill their duties and uphold their professional standards is critical. The Art of ERM is not about “land grabs” that restructure organizations; rather, our tactic is to win the war on unwanted risk through collaboration and sharing of information. This strategy optimizes our organization’s understanding and management of risk and supports having independent and strong armies that can fight on multiple battlefields.

Remember — it’s not Risk Management, it’s Change Management!
