How to implement an effective enterprise risk management program at your business

8:00pm EDT September 25, 2010

The requirement for appropriate enterprise risk management (ERM) techniques continues to grow.

The recently passed Dodd-Frank law calls for a Risk Committee to be established by all public, nonbank financial companies, as well as larger public bank holding companies. Supervised by the Board of Governors of the Federal Reserve, the Risk Committee will be held responsible for enterprisewide risk management oversight and practices. Additionally, ERM is a central focus for many organizations outside of the financial sector looking to mitigate risks in today’s volatile economic climate.

“All organizations face uncertainty; the challenge for management is to determine how much uncertainty to accept,” says James P. Martin, CMA, CIA, CFE, managing director of Cendrowski Corporate Advisors LLC. “Uncertainty brings both risk and opportunity, with the potential to enhance or erode value. A robust ERM process helps the organization ready itself to make the most of the opportunity while appropriately managing the downside of relevant risky events.”

Smart Business spoke with Martin about how companies can establish effective ERM processes and the benefits of such processes to organizations.

How can an effective ERM process benefit an organization?

In short, effective ERM processes help the organization respond to the constantly changing business environment. More specifically, ERM helps organizations quickly perceive changes in their environments, analyze these changes, develop a plan for response and execute this plan. Through identification and planning, organizations will improve their resilience to changes in their environment by viewing the realization of risky events as opportunities for shareholder value creation rather than degradation: If an organization is able to successfully mitigate risky events and capitalize on opportunities presented by change, it will tend to be more successful than those organizations that are not prepared.

On what areas of risk should organizations focus?

Risk is really a continuum across the business environment, but for simplicity, there are generally four main areas that must be considered: strategic, operational, process and compliance risks. The latter element is a key thrust of the recently passed Dodd-Frank law.

In brief, strategic risks describe those associated with the organization’s plan to create shareholder value, including its chosen risk/reward appetite. Operational risks are those that relate to the design of processes intended to carry out the organization’s strategy; process risks are presented by the day-to-day operations of the organization; and lastly, compliance risks describe risks associated with an organization’s failure to comply with federal, state, and local laws and regulations.

Can you describe the differences among these four types of risks?

Strategic risks are high-level risks describing threats to the organization’s overarching goals. Strategic risks do not, for example, include risks associated with the manner in which a strategy is executed. Instead, they relate to risks associated with the strategy itself. Operational risks describe risks associated with the design of processes tasked with carrying out strategic goals; they do not relate to the execution of processes. This latter element is the domain of process risks. While we have explicitly defined each of the above-mentioned risks, they are all highly related to one another and must be jointly assessed to ensure organizational objectives are successfully achieved.

Compliance risks pervade virtually all levels of an organization and thus are a foundational element of an organization’s strategy, operations and processes. However, due to their importance, the Dodd-Frank law has explicitly stated that organizations should place an intense focus on compliance risk and that compliance risks should be integrated with other areas of risk in the assessment process.

For a sample of selected strategic, operational, process and compliance risks, I would invite readers to review Step 3 of Cendrowski Corporate Advisors’ full-page handout included with this month’s magazine.

How should risks be identified and evaluated?

Risks should be identified and evaluated through the use of ERM workshops. These workshops bring together numerous subject matter experts, allowing them to collectively brainstorm risks faced by the organization in an open environment. Once identified, the impact and likelihood of risks should be estimated by subject matter experts. Those risks with both high impact and high likelihood should be prioritized for oversight and monitoring, as they can have the greatest potential effect on the organization’s objectives.
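The workshop output Martin describes is, in practice, a risk register: each identified risk is tagged with one of the four areas named earlier in the interview and given an impact and a likelihood estimate, and the high-impact, high-likelihood items are pulled to the top for oversight. The script below is an added illustration of that prioritization step, not code from the article or from Cendrowski Corporate Advisors. The five-point scoring scale, the threshold of 4 for "high", the tier names and the sample register entries are all constructed assumptions for the example.

```python
"""Added example: scoring and prioritizing a workshop risk register.

Assumptions (not from the article): impact and likelihood are rated 1..5,
a rating of 4 or more counts as "high", and risks fall into three tiers:
  monitor - high impact AND high likelihood (prioritized for oversight)
  watch   - high on one dimension only
  accept  - low on both (tracked, but not actively monitored)
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)            # 1 = low ... 5 = high (assumed five-point scale)
HIGH_THRESHOLD = 4             # assumed cut-off for "high" impact or likelihood
CATEGORIES = {"strategic", "operational", "process", "compliance"}  # the four areas from the interview


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    impact: int
    likelihood: int

    def __post_init__(self):
        # Reject entries that would silently skew the register (unknown area or off-scale rating).
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category!r}")
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"ratings must be within {SCALE.start}..{SCALE.stop - 1}")

    @property
    def score(self) -> int:
        """Simple exposure score: impact x likelihood."""
        return self.impact * self.likelihood


def tier(risk: Risk, threshold: int = HIGH_THRESHOLD) -> str:
    """Assign the oversight tier from the two ratings."""
    high_impact = risk.impact >= threshold
    high_likelihood = risk.likelihood >= threshold
    if high_impact and high_likelihood:
        return "monitor"
    if high_impact or high_likelihood:
        return "watch"
    return "accept"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register for review: monitor first, then by score, then by name for stable output."""
    order = {"monitor": 0, "watch": 1, "accept": 2}
    return sorted(register, key=lambda r: (order[tier(r)], -r.score, r.name))


def exposure_by_category(register: list[Risk]) -> dict[str, int]:
    """Sum scores per area so the four areas can be compared side by side."""
    totals: dict[str, int] = defaultdict(int)
    for r in register:
        totals[r.category] += r.score
    return dict(totals)


def heat_map(register: list[Risk]) -> list[list[int]]:
    """Count risks per (impact, likelihood) cell; grid[impact - 1][likelihood - 1]."""
    grid = [[0] * len(SCALE) for _ in SCALE]
    for r in register:
        grid[r.impact - 1][r.likelihood - 1] += 1
    return grid


# Constructed sample register (illustrative names and ratings only).
SAMPLE_REGISTER = [
    Risk("Key supplier insolvency", "strategic", impact=5, likelihood=2),
    Risk("Unreconciled payment approvals", "process", impact=4, likelihood=4),
    Risk("Manual month-end close", "operational", impact=3, likelihood=5),
    Risk("Late regulatory filing", "compliance", impact=5, likelihood=4),
    Risk("Office relocation delay", "operational", impact=2, likelihood=2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{tier(r):8} {r.score:3}  {r.category:12} {r.name}")
    print("exposure by category:", exposure_by_category(SAMPLE_REGISTER))
```

Running the block lists the two "monitor" items first (the compliance filing risk ahead of the payment-approval risk), which mirrors the interview's rule that risks high on both dimensions get oversight priority; the per-category totals give the workshop a quick view of where exposure concentrates across the four areas.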

What types of individuals should participate in ERM workshops?

As described in this month’s insert, an ideal workshop participant is an open and honest communicator who embraces change rather than impedes it. Even though numerous individuals within an organization may have excellent ideas regarding organizational risk and how risk readiness can be improved, many may fail to share them due to their personality or because the organization has created obstacles to communication.

Additional characteristics of an ideal workshop participant will differ by the type of workshop being conducted. For instance, in conducting an operations-focused ERM workshop, an ideal participant is a creative thinker and a process visionary. With these traits, operational processes can be devised that maximize the organization’s rewards associated with its strategy while minimizing risk. In contrast, an ideal participant in a process-focused ERM workshop need not possess these traits but should have a profound understanding of the workflow within an organization. This knowledge will help ensure processes are implemented according to their operational design.

James P. Martin, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or