Learn more about the 3 steps to setting up an ERM program and why they are critical both inside and outside the organization
Congratulations! You’ve just been handed the responsibility of setting up or revamping your company’s ERM program.
Once the excitement wears off though, you really have no idea where to begin. You quickly learn the extent of an effective ERM program and go into a panic. How in the world am I going to develop a program that will gather the necessary information to properly manage risks to achieving the company’s business objectives?
As the old saying goes, a thousand mile journey begins with the first step.
A clear framework must first be established to create a “…truly holistic, integrated, forward-looking, and process-oriented approach to managing ALL key business risks and opportunities” as defined by this e-book from the Institute of Management Accountants. Companies without one will find themselves at a distinct disadvantage and be unable to translate top risks at the enterprise level into day-to-day operations.
We invite you to continue reading to learn more about the steps to setting up an ERM program. These should be considered general recommendations since many factors combine to determine the best structure, standards and methods for your particular organization.
Step #1 – Developing your Framework – The Bones of your ERM Program
Before holding your first meeting with business unit leaders or sending surveys out to middle managers, you will first need to establish the governance structure of your program, identify which standard you will use, determine how often certain processes will occur, and more. This “framework” is a governance document and is essentially a high-level overview of your ERM program that you will provide to the Board of Directors and senior management.
ISO 31000 defines the framework as:
[a] set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.”
While the framework is supposed to provide a description of the processes you will use, it won’t get too heavily into how the process will work – that comes later when you define your methodology, processes, criteria and more.
Several structural elements of your ERM program will need to be defined in your framework/governance document, which at a minimum, should cover the following areas:
- Define ERM and establish objectives for the program
To start the conversation about ERM in your organization, it’s important to provide a high-level definition of Enterprise Risk Management and outline the goals of your organization’s ERM efforts.
Developing a definition of ERM is relatively easy – many organizations like ISO 31000, the ERM Initiative at North Carolina State University, or the Risk and Insurance Management Society (RIMS) provide great high-level explanations of what ERM is and how it helps companies make better-informed decisions. From RIMS:
Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of risks and managing the combined impact of those risks as an interrelated risk portfolio.”
The objectives statement will require a little more customization for your organization, but it is very important for getting buy-in and consensus from senior executives and the board. While the statement needs to be succinct, it should also clearly state how the ERM program will help the company support business goals and protect or enhance value. In other words, the objectives statement provides the goal and purpose of ERM.
For example, your objectives statement could explain at a high-level how the ERM program will work across the organization with multiple goals like:
- Ensure achievement of the organization’s mission.
- Facilitate the gathering and communication of risk information to decision makers.
The important thing to keep in mind with the definition and objectives statement is that it should start the conversation among the company’s top leadership. We can’t stress it enough – buy-in and leadership from the top are critical for ensuring an ERM program’s success.
- Provide high-level overview of risk management standard, process, etc.
Another important part of your framework document is establishing which standard you will use, and by extension, a high-level overview of your process. Remember, your main audience for this document is your organization’s senior management and board, so you don’t want the minute details of how your ERM program will function in this document.
Before outlining this process though, you will need to establish which standard you plan on using. The two major ones for U.S. organizations come from the Committee of Sponsoring Organizations (COSO-ERM) or the International Standards Organization (ISO 31000). Which standard you choose will depend on a variety of factors, including your industry, any regulatory considerations, where your company conducts business, and more.
Many banks and financial institutions will gravitate toward the COSO standard since it better aligns with their structure and reporting requirements to various regulatory agencies. On the other hand, ISO 31000 is applicable to any type of organizations, including non-profits, and across all industries. According to many who use it, the ISO standard is easier to customize.
A 2011 study by RIMS analyzing six frameworks found that all of them are similar in certain ways – each requires executive buy-in, clearly structured steps, formal reporting of identified risks and more.
Interestingly, the same study by RIMS found that 44% of risk managers in North America actually don’t adopt a singular standard like COSO or ISO 31000, but combine elements from a variety of standards. Although many companies combine elements from different standards, you need to be very careful since doing so can lead to confusion for everyone from your top leaders to middle managers.
Once you’ve established your standard, you can then provide a high-level description of the process based on that standard. Explaining how often certain processes will occur and how you will communicate top risks to the board are a couple of examples of what you should include in this section. Again, since this document is mainly for your Board of Directors and C-level executives, you do not want to get into too many details here.
Learn more about common risk management standards by visiting:
- The ISO 31000 Standard – Background & Overview
- COSO ERM Standard – Background & Overview
- ISO 31000 vs. COSO – Comparing and Contrasting the World’s Leading Risk Management Standards
- Where will the ERM program reside in the organizational structure
This is a very important consideration for setting up an ERM program – who will the ERM staff ultimately report to?
It’s important to note that leadership from the board and executives is a key part of a program’s success, which is one reason why ERM programs typically sit at a very high level within an organization. Visibility and access are invaluable to creating a mature, effective ERM program. With this in mind, many ERM programs report directly to the CEO or CFO.
Despite the benefits of keeping the ERM program at a high level within your organizational structure, some companies choose to place it within another business unit, such as internal audit. ERM is facilitating the assessment of risks, and internal audit has historically also assessed risks. So placing ERM within your audit department is an option, but not preferred for two reasons:
- Audit is supposed to be independent of the company’s day-to-day operations. A big part of ERM’s focus centers around business goals and strategy. If ERM is embedded within internal audit, you will have an inherent conflict of interest that will need to be reconciled.
- Managers and personnel could be distrustful of ERM since they will feel any shared risk information will put their business area under a microscope from internal audit. Being able to have an open, frank dialogue about risks is critical to a program’s success.
Every organization is different, so there’s no one-size-fits-all approach to where your ERM program fits within your organization’s structure. Check out this article from Jim DeLoach for some key considerations when positioning the ERM program.
- Assign roles and responsibilities within the organization
This portion of your governance document will define the role executive management will play in your ERM program and who within the organization will be responsible for managing risks on a day-to-day basis.
Many organizations will charter an Executive Risk Committee to oversee the program’s performance and results across the enterprise. This committee is typically comprised of some of the company’s top executives and will often times have authority to allocate human and financial resources for mitigating risks.
Individual business units, on the other hand, should be responsible for handling the day-to-day management of relevant risks. The directors of these units and their respective teams should promote not just a culture, but an awareness of risk management objectives within their respective area. An individual within the unit can be appointed as a risk liaison or risk champion to be the go-to person for that unit and the subject-matter expert for ERM program personnel and the Executive Risk Committee.
Your ERM program’s framework document will take considerable time and will likely need several revisions before it is final. It’s not only important for engaging leadership and obtaining the executive buy-in you need; it will also be a reference point for auditors, credit ratings agencies and more.
Step #2 – Developing your Risk Appetite statement and tolerance
After completing the framework document, you will still have other items to complete before you’re ready to launch your ERM program.
The next step in this journey is developing a formal Risk Appetite statement for your organization and establishing your risk tolerance. This document is also commonly called a Corporate Risk Profile.
The National Alliance for Insurance Education & Research (Alliance) defines risk appetite simply as:
…an organization’s willingness to accept or tolerate risk.”
Taking it a step further for your ERM program, a company’s risk appetite should also be considered the amount of risk the board and senior executives are willing to take to achieve strategic objectives. One of several areas is determining the financial loss threshold, such as your company is willing to risk a $50 million loss to achieve a goal.
According to CEB, a well-defined risk appetite statement:
…creates a set of guardrails for managers to operate within when making strategic decisions. It also provides a tool for communicating the role of guardrails in the decision-making process and for confirming that individual parts of the business are independently and collectively operating within those guardrails.”
The risk appetite for your firm requires a bit of consideration, and should go beyond just financial losses to cover areas like customer service, system outages, compliance issues, human resources and more.
Many factors, internal and external, can collectively affect an organization’s risk appetite. Below are some examples according to the Alliance.
In one way, the risk appetite for your company will be even more individualized than your governance documents. What may be bad for your company may be good for another, and vice versa.
Your risk appetite statement should define acceptable risks within the appetite, risks that are undesirable and outside the risk appetite, and parameters, or “…a framework within which risks are agreeably undertaken” according to Protiviti. These defined strategic, financial, or operating parameters can consist of targets, ranges, floors, or ceilings.
(Learn more by visiting 7 Questions for Understanding the Fundamentals of Risk Appetite.)
Establishing risk tolerance
After you have established your organization’s risk appetite, you will next need to establish risk tolerances for specific circumstances or business units within your organization. Although many use the terms appetite and tolerance interchangeably, Enterprise Risk Management – Understanding and Communicating Risk Appetite from COSO explains that risk tolerance relates to risk appetite, but:
…differs in one fundamental way: risk tolerance represents the application of risk appetite to specific objectives.”
Taking this a step further, risk tolerance establishes minimum and maximum boundaries around the risk appetite that the board is willing to accept. Exceeding the risk tolerance levels would, in the board’s view, endanger the company’s strategy, objectives and even its very survival in extreme circumstances.
The risk tolerance statement is meant to be actionable – it is the vehicle by which you take information from your appetite statement and apply it to day-to-day activities within the business units. Without this guidance, project implementations that take much longer than scheduled don’t have a stopping point and could cost the organization too much, both in the areas of money and risk.
The risk tolerance also gives your mid-level managers and directors more of a sense of ownership in the risk management process.
Below are two examples of an actionable risk tolerance statement:
- Let’s say management would like to try a new structure for employee benefits, but implementing it could lead to a turnover in staff. Management is willing to tolerate an increase of 5% in employee turnover in pursuit of this new approach.
- Your R&D area is about to rollout a new product. While a cost variance of up to $500,000 is acceptable, there is absolutely zero tolerance for any fines or investigations from regulatory agencies.
The risk appetite statement will need to be revised periodically as situations arise, such as change in finances, ownership, or leadership. It’s important your risk tolerances are adaptable so adjustments can easily be made when new information is learned about a specific business unit or project.
Step #3 – Establishing methodology and processes
The final step in setting up your ERM program is an extension of step #1 but provides more detail on your methodology and process. This is meant as more of an internal guide for the ERM staff rather than the high-level overview provided to the board and senior management.
Here is where you will provide more detail on how you plan to identify, assess, mitigate and report particular risks.
For example, will you interview business unit leaders to identify risks, or will you use a survey method? A combination of methods? Or maybe have available multiple methods to identify risk based on the situation or need?
Is your organization solely concerned about the impact of a specific risk, or do you want to determine such metrics as velocity, frequency and/or likelihood?
What kind of ratings will you use in the assessment? Will you use a 1-5 scale or a 1-10? Will you have pre-defined criteria for each rating for consistency?
Unless your organization is only interested in discovering the impact of a specific risk, you will need to develop more in-depth formulas and logic for arriving at a risk score that is usable.
Also, how will you report on risk identification and mitigation activities? How will you communicate risk information up to top management or down to business units?
Like your appetite statement and tolerances, your methodology will always be evolving based on observations and lessons learned during the rollout of the risk management process. You may learn that you need to involve middle managers and their staff in the identification process, and therefore need to develop another method for that situation; or, you may learn that a 1-5 scale is insufficient for scoring risks.
(Check back soon for a more in-depth article on the cycle of risk management and methods for identifying, assessing, reporting and more.)
Although this is a long process in of itself, having a formal governance document, risk appetite statement, tolerances and standardized methods and processes for your ERM program is vital for several reasons, including:
- Your ERM program will not be effective at translating information about risks into better decision-making and action.
- These documents will be used to audit the ERM program, which is one of many reasons they should be absolutely clear in terms of roles and responsibilities, processes and more.
- A transparent governance document, risk appetite statement and process for an ERM program are increasingly important when it comes to an organization’s credit rating. Standard & Poor’s for example initially started evaluating financial and insurance companies only, but now evaluates ERM programs in all types of industries.
All of the recommendations contained within this article are general in nature – not everything mentioned here will apply to every organization. It is important to remember that every company is unique, especially in terms of risk. What may be ideal for one may be absolutely useless to another.
Have you been working on governance documents and other critical components of setting up an ERM program? Have you encountered any challenges to crafting tolerances around the risk appetite?
We invite you to share your thoughts and questions in the comments section below or on my LinkedIn page.
And if you’re in the beginning stages of setting up your ERM program or need assistance to turn your risk appetite into actionable guidance, contact me today.
Intro image courtesy of Jon Rawlison via Wikimedia Commons
Bottom image courtesy of “chrisroll” via FreeDigitalPhotos.net