The day is coming when risk managers will no longer pull a risk out of a hat and decide its fate on behalf of the organization. Instead, risk managers should begin shifting their focus to a more strategic approach, one whose goal is to get the entire organization to pursue long-term success by recognizing the link between risk and strategy. Enter: Enterprise Risk Management (ERM).
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Treating Symptoms Is Ineffective
If you take a look at recent corporate scandals that resulted in financial and reputational damage to the organizations involved, the common thread is that risks were not identified and mitigated across the entire enterprise. Rather, symptoms of risks were addressed as they occurred (the old pull-a-risk-out-of-a-hat trick) and “treated” in silos. To identify root-cause risk, an organization must employ an effective enterprise risk management program.
ERM isn’t a new concept. It has lain dormant all along, undisturbed for a few reasons:
Those on whose shoulders ERM falls are often given a limited view of their organization’s mission, growth, and survival. Enterprise risk doesn’t always resonate with the C-suite, but strategy does. Connecting with the CEO and understanding the organization’s strategy and mission will help with setting up an effective ERM program.
Organizations traditionally address risk in silos. Breaking out of this mold is a continuous process, but an imperative one as well. Linking risk management, business continuity, and strategic planning will get ERM on the table and allow it to grow to where it needs to be.
ERM is a sleeping giant. Often the sheer size of what the program must be, and the money, resources, and time involved in getting it there, is enough to end the conversation.
Get Strategic with Risk Management
The key to getting the ball rolling is to focus on what is mission-critical to the organization when speaking with management and the board. If you can find out what is mission-critical and what impacts your organization is willing to tolerate from those exposures, you’ll find the lines between risk management, continuity planning, and strategic planning begin to blur.
Using this mission-critical lens makes ERM manageable and shows how the former silos are actually pieces of the same puzzle. Strategic planning is planning for growth, risk management removes the vulnerabilities that can interrupt that growth, and continuity planning identifies and reduces potential threats to sustainability.
If a risk manager is able to talk with management and the board about the organization’s definition of mission-critical, its impacts, and its tolerances, they’ll have talked about ERM without management and the board even realizing it. They’ll have awakened the sleeping giant, and will finally be able to give it a name and a shape.