However, making ERM sustainable requires embedding a risk mindset and risk mitigation practices into the very culture of an organization. Educational institutions and not-for-profit organizations are turning to ERM to build on existing risk management processes. They also are embracing the opportunity to create strategically aligned approaches to the challenges they face. This article, the second in a two-part series, addresses how to establish a sustainable ERM program in the public sector that makes ERM a part of an organization’s decision-making, culture, and mindset.
Establishing ERM
One of the underlying goals of an ERM program is to change how an organization views and responds to risk. An organization’s mindset indicates how decisions are made and determines whether training and collaboration can be used to create change. ERM can direct an organization to a new way of doing business by providing stakeholders with a clearer understanding of risk. An organization’s culture can begin to shift as the focus on managing risk becomes part of everyday practices. The components of a sustainable ERM program discussed in this article are not intended to be completed in sequence. Instead, many of these components need to be developed together in order to achieve the desired results.
One of the first steps in establishing ERM in an organization includes assembling an ERM team to identify existing risk management practices. Most organizations will be able to leverage the activities they already perform, although they might not have previously been identified as a risk management activity. For example, most organizations already have commonplace risk management activities such as standard operating procedures, management reviews, bank reconciliations, insurance policies, and codes of ethics. However, these activities have probably not been categorized in this manner. Many organizations manage risks on a case-by-case basis and without a formal program that identifies and addresses inherent and residual risks. ERM can assist an organization in integrating its various risk management practices with the goal of having a comprehensive, sustainable approach to risk. ERM practices promote the use of a common vocabulary for risk to promote a better understanding for both internal and external stakeholders.
For ERM to be successful, an organization must embed risk management principles and practices into its culture, strategy, and decision-making. There is no prescription for implementing a successful ERM program, but most successful programs complete the following steps:
- Define the organization’s risk appetite
- Establish common terminology and a communication flow pertaining to risk
- Identify risk owners and response mechanisms
- Link risk to the organization’s strategic planning and budgeting processes
- Establish administrative responsibilities and reporting processes for the ERM program
Defining a risk appetite
Setting expectations about the level of risk an organization might assume is a baseline step for establishing an ERM program. Defining the risk appetite for an organization can be complex, as each organization’s capacity and willingness to take on risk is unique and must align with its culture and operations.
A risk appetite statement is often used to define the consequences of risks facing an organization and the levels of risks that are deemed acceptable or unacceptable. The statement focuses on future operations and scenarios. It reflects what has been learned from past experiences and integrates current best practices for risk management and mitigation. A risk appetite statement enables organizations to reduce the number of surprises and unexpected losses, as well as to make risk-informed decisions on resources, controls, and consequences.
The risk appetite statement typically is:
- Actionable, real, and applicable to all the organization’s activities
- Integrated with the organization’s mission and strategies
- Proactive and forward-looking
- Clear on the types of risks the organization will or will not take
Establishing meaningful risk communications
A risk communications program is an effective way to engage stakeholders in risk discussions and introduce the principles of ERM. It can help stakeholders better understand the magnitude of risks, both on a broad level and in the processes and activities in which an organization participates. Communication upward and downward, from the highest-ranking leader through the most junior team member, helps bring each member of an organization into the risk discussion. A risk communications program can facilitate the flow of discussion by establishing a shared vocabulary about risk among all stakeholders. It can also help the ERM team assess and catalogue the risks and embed the principles of ERM into the organization’s culture and mindset.
Identifying risk owners and responses
The flow of risk communications can lead to a better understanding of the roles and responsibilities of stakeholders and employees in mitigating risks. Subject matter experts in each department or area are often the most knowledgeable resources for identifying risks, developing an appropriate response strategy, and measuring the effectiveness of risk response activities. A best practice is to assign risk ownership to an individual with the optimal balance of subject matter knowledge and position of influence in the organization. While this might be highly subjective, the goal is to place someone in that role who can use their expertise in a particular area to influence decisions.
Risk ownership is fundamental to establishing a repeatable, sustainable ERM process. Risk owners should have the authority and knowledge to implement risk management plans and report on them. The risk owner maintains and implements the risk response activity, which should be aligned to an organization’s risk appetite. The risk owner should monitor risk response implementation and report results to the risk management committee or similar oversight function.
Strategic planning and budgeting
One of the benefits of an effective ERM program is that it can provide a structured understanding of strategic opportunities and threats for better decision-making. ERM’s systematic and prioritized approach to addressing risk can help focus attention on an organization’s goals as well as the challenges it faces. ERM can help to align resources and budgets appropriately, monitor progress, and achieve compliance with applicable laws, regulations, and controls.
To become effective and sustainable, a risk management mindset must become part of highly impactful business cycles such as budgeting and strategic planning. The careful consideration of how to navigate risks can be informative in developing goals and tactical plans as well as in deciding how best to allocate the organization’s limited financial resources and staffing.
An effective way to establish an ERM framework and related risk management practices in an organization is to use the existing strategic planning cycle and to add a risk component to the process. By teaming with the strategic planning function, the ERM team can pair risks with the organization’s goals to define tolerable risk levels. The strategic planning process can benefit by incorporating plans for navigating challenges and risks and by setting parameters and milestones to define success. Incorporating risk management into the strategic planning process yields several benefits, including the following:
- ERM offers a fully integrated, prioritized, and forward-looking view of risk to drive strategy and business decisions and eliminate organizational barriers
- Transparency inherent in risk mitigation planning and processes supports informed decision-making at all levels of an organization
- ERM allows for the identification and assignment of clear roles and responsibilities for risk throughout an organization
- Risk response strategies help identify actions and priorities for inclusion in performance plans for individuals and the organization overall
Administration and reporting
The challenge for many organizations is how to make their risk management practices sustainable. To be effective, the ERM program should designate an appropriate team to provide administrative support to the program. The team should comprise members with relevant experience and an understanding of risk management. The size of the ERM team should reflect an organization’s risk management needs. The ERM team should meet periodically to collaborate and share information, and organizations should provide continuous training, tools, and resources.
Organizations should also consider having outside audits performed periodically on their risk management processes and controls. Independent assessments of the effectiveness of risk measures and controls can be performed as part of an organization’s internal audit processes.
Embedding ERM reporting into existing protocols can standardize risk management into the process of doing business and measuring progress. Monthly or quarterly reporting can help an organization share information on risks and the programs in place to address them. Adding an ERM component to financial reports, management reports, and performance reporting can inform leaders and stakeholders on progress achieved in addressing risk. ERM key performance indicators (KPIs) and key risk indicators (KRIs), dashboards, and other measures can be used to measure progress against strategic and tactical goals.
Many organizations use ERM software solutions to track progress and assist in reporting. These software programs can add value in terms of efficiency and accuracy for reporting purposes. Governance, risk, and compliance (GRC) platforms are often used to help administer ERM programs more efficiently and effectively, especially for more sophisticated and complex ERM initiatives. Some organizations opt to use ERM-specific software programs. When deciding whether to use an ERM software solution, the costs of the software should be viewed in relation to its perceived benefits. Exhibit 1 lists benefits and limitations of ERM software.
Exhibit 1: Benefits and limitations of ERM software