As the saying goes, Rome was not built in a day. The same is true for a lasting Enterprise Risk Management (ERM) system.
Sometimes progress for an organization is one step forward followed by two steps back, so celebrating even the smallest victories is critical to a successful ERM implementation.
A mature ERM system takes years to build. However, it is entirely possible to shorten the learning curve by observing what has worked for institutions that are well advanced on their ERM journey, adopting their proven tactics and avoiding the mistakes they have identified.
This article is based on my presentation at the ERM Forum 2022. The features of world-class ERM systems highlighted here are drawn from published research and from my own experience with successful ERM systems.
- Tailor ERM to fit your organization.
- Link ERM to strategy.
- Establish clear risk ownership and roles and responsibilities for risk.
- Communicate effectively.
- Simplify and standardize.
- Have ERM champions.
- Focus on the key risks.
- Consult an ERM expert and provide ERM training.
- Enhance the process over time.
- Allocate sufficient resources to ERM and gain support from the top.
1. Tailor ERM to fit your organization
There is no one-size-fits-all standard for ERM. The most widely used and comprehensive risk management standard is ISO 31000:2018. However, ISO 31000:2018 is not intended for certification; the standard itself states that it should be used as guidance.
Because ISO 31000:2018 provides principles, a framework and a process for managing risk rather than a prescriptive system, each organization should tailor ERM to its own needs.
It is also worth studying other guidance, such as the COSO ERM framework (the "COSO cube") and the IRM standard. Although some standards are better recognized than others, organizations should select the approach that is most relevant to their particular circumstances.
For example, a highly regulated company will likely adopt a structured, quantitatively focused ERM process, while an organization operating in a less regulated environment may use less structure and approach ERM more qualitatively.
2. Link ERM to Strategy
The organizations with the most successful ERM systems are those that have fully embedded risk management activities into their core business processes and strategy. ERM is as much about understanding the implications of the chosen strategy, and the possibility that the strategy does not align with the organization's mission, vision and values, as it is about managing risks to a set of objectives.
Linking ERM to strategy helps in three ways: first, it supports the choice of an appropriate strategy; second, it checks that the strategy aligns with the organization's vision, mission and values; and third, it drives the identification of the risks that may hinder the achievement of organizational objectives.
3. Establish clear ownership, roles and responsibilities for risk
Risks are owned at the operational level, where they arise and where they must be managed. It is important, however, not to confuse risk ownership with responsibility for risk management: establishing the risk management function and ensuring that risks are actually managed at the operational level is the responsibility of the board.
Confusion about who owns a given risk is common. Organizations with world-class ERM systems have removed that confusion: they state concisely who owns each specific risk, and they assign distinct responsibilities for risk management.
The Three Lines of Defense model, popularized by the Institute of Internal Auditors and revised in 2020 as the Three Lines Model, is a good tool for clarifying the essential roles and responsibilities for risk management, internal control and governance.
Roles and responsibilities need to be written down clearly in the risk management policy and integrated into the mandates and job descriptions of the employees concerned. Organizations with clear lines of responsibility for who owns which risks are far more likely to have a world-class ERM system than those without.
4. Effective communication
Communication is key in everything we do, and ERM is no different. Communicating the right risks to the right people at the right time is vital.
Ideally, risk information flows freely and regularly between employees, management, senior management and the board. Because ERM relies on employees sharing risk insights openly, a safe environment is needed to facilitate that communication.
Business unit managers are more likely to proactively share risk information and communicate openly if they believe the ERM team’s goal is centered on improving risk management, rather than distributing blame.
One way to build this trust between the ERM team and individual business units is through word-of-mouth referrals. If one business unit leader has a positive experience sharing risks with the ERM team, he or she is likely to describe that experience to other leaders. The ERM team must understand this dynamic and strive to assist business units in any way it can.
5. Simplify and standardize
Complex concepts make ERM harder to understand. Keep both the ERM process itself and the terminology it uses simple.
For example, when starting out it is more effective to use only simple assessment criteria in risk assessments, such as impact and likelihood. As the ERM process matures, the organization can add criteria such as velocity (how quickly a risk materializes once triggered).
Another way to simplify the risk management process is to give each risk a standard definition. Employees then develop a common understanding of each risk and can provide meaningful input when risks are discussed in workshops and risk surveys.
A third way is to standardize the annual risk report. A standardized format presents the top risks in a nearly identical template year over year, so recipients of the report can quickly find the information they need. Simple, direct reports are better understood and more readable at board level, and board members can spend their time analyzing the information rather than deciphering the reporting format.
A less complex process is easier to implement and gains initial traction faster, but it does not have to remain simple forever. Maturity models can be used to map the steps that take the organization up the ERM maturity curve. The point is that the organization must be ready before it moves to a more sophisticated process.
6. Have ERM Champions
Risk champions are crucial to building a risk culture. An ERM champion is a vocal advocate for and leader of ERM within the organization, and can be an individual or a group.
The champion acts as a "cheerleader", emphasizing the contribution ERM makes to the organization. This matters most during the implementation phase, when initial pushback is likely.
The most prominent ERM champion should be the organization's Chief Risk Officer (CRO). Beyond the CRO, there should be risk champions across the organization who do not have risk management as their primary role but who are responsible for helping their own department identify and report risks.
7. Focus on the key risks
A critical success factor in designing a world-class ERM system is to focus attention on a manageable number of key risks, and then apply the lessons learned to identifying and managing additional critical risks across the enterprise.
This focused approach keeps the development of the ERM process simple and lends itself to subsequent incremental steps that expand both the risk universe and the ERM process.
If an organization devotes too much time to less significant risks, it may overlook major ones, and discussion of the top risks that should command the most attention is crowded out.
8. Consult an ERM expert and provide ERM training
Engaging an ERM expert can be valuable both during the initial launch of ERM and in sustaining the program over time. The value lies in the independent perspective on the ERM process that comes from someone with broad experience in risk management.
That experience can be used to give the organization solutions tailored to its industry and operating characteristics. An expert can shorten the trial-and-error phase of ERM implementation for institutions embarking on an ERM journey, and can likewise guide the continual improvement of an established ERM process.
Sufficient training is equally important. Staff in the risk unit, the risk champions and employees across the organization all need training in ERM, so that people throughout the organization understand and appreciate the value of ERM. This is crucial to sustaining the ERM process.
In addition, the ERM function should ensure that each risk committee member receives the training appropriate to their role, and should explain the ERM process to the committee so that members have the basic information they need to perform their ERM duties.
9. Enhance the process over time
The organization should continually improve the suitability, adequacy and effectiveness of its risk management framework and the way the risk management process is integrated into the business. As gaps or improvement opportunities are identified, the organization should develop plans and tasks and assign them to those accountable for implementation.
One enhancement is to add a new concept to the risk management process, such as black swan events (rare, hard-to-predict events with extreme impact). Another is benchmarking, in which the organization compares the progress of its ERM process against that of other organizations.
It is important to pace the evolution of ERM properly. Adding new elements to the ERM process is helpful, but too many changes in a short time can disrupt it.
10. Allocate sufficient resources and gain support from the top
Because ERM is enterprise-wide, it is virtually impossible to begin, let alone sustain, an effective ERM process without support from the top of the organization.
That responsibility rests primarily with the board of directors and senior management. Their support should be shown in both words and actions: not only communicating the importance of ERM, but demonstrating commitment by taking part in key ERM activities.
Support from the top can take different forms. ERM can be initiated by a request from the board of directors and sustained by the board's continued engagement. The board and senior management can also shape the system so that they receive regular reports, and can engage in discussions about the status of the organization's top risks and the effectiveness of the risk management process.
To operate effectively, ERM must be allocated appropriate resources, and expectations for ERM should be balanced against the resources committed to the function. As ERM grows, additional resources should be made available to expand the ERM department; additional staff and better risk management software are two common examples.
Even with all ten elements in place, an organization will not have a world-class ERM system until the foundation of risk management, the risk architecture, is solid. That means having a risk management policy and a risk management framework in place, and a risk management committee established with a charter and clear reporting lines.
CEO & Co-founder of Achievia Consultancy.
An Enterprise Risk Management expert with a passion for taking organizations up the ERM maturity curve. After a decade at the Maldives Monetary Authority as Head of the Risk & Compliance Unit, she is a certified ERM professional and a Certified Practising Accountant. Since moving to the private sector, she has contributed to the strategic development of numerous organizations.