How to take ERM beyond risk identification and assessment

Social, technological and political changes, a global business environment and evolving regulatory demands have put increased emphasis on organizations to proactively identify and treat risks that impact their performance and even their survival. Yet efforts to initiate enterprise risk management (ERM) programs often result only in frustration.
“In many cases, ERM has consisted of creating a list of risks, prioritizing those risks and developing loose plans to mitigate them. The problem is that managers and executives often observe that the risks ‘identified’ had been known and adequately addressed,” says Marc I. Dominus, ERM Solutions leader at Crowe Horwath.
Smart Business spoke with Dominus and Jim E. Stempak, a principal at Crowe Horwath, about moving past identifying risks to implement an ERM program that produces results.
How is ERM defined?
One definition is from the Committee of Sponsoring Organizations of the Treadway Commission: ‘Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.’ The basic elements of ERM programs include:

  • Understanding risk and developing a repeatable process to establish acceptable levels of strategic risk; identifying, analyzing and prioritizing risks that are critical to achieving business objectives; and communicating the guidance necessary to allow management of risks that fall within accepted parameters.
  • A governance structure that aligns responsibility for oversight with responsibility for escalation.
  • Information systems to support decisions, monitoring and communication.
  • Recognition of how an organization’s culture affects its risk profile.

Why is an ERM program important?
A well-constructed program provides collective responsibility for risk management and produces a resilient organization protected from negative consequences of unexpected events. Timely and meaningful risk intelligence also allows leaders to make impactful strategic decisions that incorporate intentionally taking risk to achieve rewards.
Where do organizations fail in terms of implementation?
They generally start off well, identifying and prioritizing risks, but the executives and boards responsible for the programs may not provide clear guidance to the organization regarding how to apply the results. There’s no clear path toward implementation, and there may not be adequate initiative to support the culture shift necessary to sustain an effective process. The keys to successful ERM transformation include:

  • Confirm and refresh risk assessment results. Executive and management team members need to agree on the results, the definition of each risk and the criteria being applied to assess the risks. The risk inventory must be continuously updated.
  • Develop and monitor consistent risk treatment plans and processes. For each high-priority risk, uncover the root cause; establish a management strategy, such as to avoid, reduce or share the risk; and create a treatment plan.
  • Establish an enterprise risk policy, which articulates the program’s value and outlines the responsibilities, reporting requirements, methodologies and risk governance criteria.
  • Establish risk governance practices and structure, which guide how risk is prioritized and resources are allocated, based on risk culture, appetite and tolerance, and management capabilities.
  • Communicate and report information. Management, process owners and employees need to regularly receive ERM risk information to help oversee administration. Transparency is essential.

Once in place, an ERM program needs to evolve continuously with experience and experimentation. Today’s business conditions require flexibility and adaptability. A fully developed program provides a competitive advantage by allowing organizations to improve and protect their performance by confronting, exploiting and managing risk.
Social media: To learn more about Crowe Horwath’s risk services, find us on Twitter: @Crowe_Risk.
Insights Accounting is brought to you by Crowe Horwath LLP