In the vast arsenal of materials discussing enterprise risk management, words are thrown around that may be unclear to novice risk professionals or executives unfamiliar with ERM. While I intuitively know the difference between an ERM framework and process, the random use of these terms can lead to confusion for some.
If you’ve read my blog for a while, you know how much I love explaining ERM concepts through illustration.
For this topic, consider the construction of a house…
A “framework” for a house would be your architectural drawings, floor plans, and so on. Why are you building this house? Is the purpose to raise a family, or are you an empty-nester who is downsizing? Where on the property will the house sit?
The “process” on the other hand will consist of the actual construction. What contractor will you use? How will you obtain the required permits? What sort of finishes will you have? How will you furnish it and move in?
As you can see, the framework has to be established before you can begin the process of construction and move in. You wouldn’t simply pull up to a site, start piecing a structure together, throw some furniture in, and have friends over for a house-warming party all on the same day.
In the ERM context, a framework and a process aren’t really that different…
Your ERM framework is a high-level guideline that you must develop first…
The ISO 31000 ERM standard provides a decent definition of a framework. It states –
[a] set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.
And as I explain here, an ERM framework not only should contain a high-level overview of purpose and methods, it will also explain where in the organizational structure ERM will reside, assign roles and responsibilities, and more. A framework will also include high-level guidance on the amount of risk the board and senior executives are willing to take in pursuit of strategic objectives (a.k.a. risk appetite).
In the book Prepare to Dare (pgs. 17-18), author and former Strategic Risk Management Director at the LEGO Group Hans Læssøe writes that one of the primary reasons for developing a framework first is consistency – it ensures you have consistent answers to questions like what can happen, how important it is and what you do about it.
Developing the ERM framework will require you to think about why the organization wants an ERM program in the first place. Is it to simply tie different silos together to understand risks across the enterprise or is the purpose to embed ERM in strategic decision-making to ensure the company’s success?
Understanding the “why” of ERM is vital as this will drive who will be involved and how you will interact with different stakeholders (i.e., the Board, executive leadership, middle managers, regulators). Will there be more face-to-face interaction or will it be more hands off?
At a high level, the framework guides the tools and methods you and the organization will use to achieve the goals set for ERM. And those goals should be based on the organization’s culture, needs, and desired results.
For example, if the purpose for establishing ERM is to help executives take risks in a more informed way without all of the documentation and back-and-forth, automated tools will not meet that need. Instead, conversation-based ERM is the best way for them to know the right level and type of risks to take.
There are different ERM frameworks or standards to choose from that can provide a good starting point, but as you can read in this comparison of ISO 31000 and COSO, any framework you use will need to be tailored to the organization’s needs and culture.
The ERM process consist of the steps you’ll be taking and the tools you may need to carry out the framework…
Once the framework is complete, you are ready to move into the actual process of ERM. This “process” consists of things I have written about extensively, so I won’t go into a lot of detail here. To learn more about different ERM processes, check out the following:
- 5 Effective Methods to Identify Risks in your Organization
- Enterprise Risk Assessment – Transforming Risk Information into Action
- Enterprise Risk Analysis – Prioritizing Risks for Maximum Benefit to the Organization
- Why Assigning a Risk Owner is Important and How to Do it Right
- The Ultimate Primer for Effective Risk Reporting
Besides specific points in these articles, there are few additional general considerations risk professionals need to keep in mind when developing their ERM process. These include:
- Don’t make things complex. Period.
- Don’t be afraid to try something new. (See Experimentation and ERM: How ERM is like Manufacturing a Product)
- Know that what you’re doing now will change as the organization adapts. Things will be added, modified, or removed based on if they are successful or otherwise adding value.
- Don’t focus on the documentation. Make it about the end-result. If regulators need to know the outcome, then document the decision and why, not everything else.
I can’t stress the importance of avoiding the documentation-heavy route. More and more companies are moving away from the documentation version of ERM and more into what I call conversation-based ERM.
In the end, both the framework and supporting processes must adapt to the organization as changes in leadership, the Board, products, etc. are all triggers to reexamine past decisions. The COSO standard puts it well when it says:
As an entity changes, the capabilities and value it seeks from enterprise risk management may also change…it is natural for the operating structure to change as the nature of the business and its strategy evolves.
Simply putting something in place and leaving it as-is for multiple years on end will not work. Change has a way of sneaking up on you – if you’re not prepared, you will soon find the framework and processes in place are unworkable.
Have you tried to develop processes for ERM without first developing the framework?
How has your organization adapted ERM framework and process in light of big change?
I encourage you to share your thoughts and experience as this type of discussion can be helpful to fellow risk professionals. Feel free to leave a comment below or join the conversation on LinkedIn.
If your organization is struggling to understand why it wants ERM or to develop processes that fit its culture and needs, contact me to discuss your specific situation today.