ERM Roadblocks and Remedies
I recently had a conversation with a client, a traditional risk manager/insurance buyer, who was asked to take over the leadership of his company’s Enterprise Risk Management (ERM) program.
The program had been in place for a few years and there was excellent documentation of three tiers of risks, described and managed.
But company leaders were unsure about the program’s vitality and worth. The risk manager wanted help reviewing and reviving the program.
It’s not unusual for ERM programs to create a lot of buzz and energy in the formation stage. People like to jump into the risk management process of identifying, assessing, analyzing and evaluating risks.
The risk assessment process is energizing, with people thinking holistically about operations and talking about what’s working (and what’s not). If done well, more and more people become engaged in the process and a meaningful understanding of how to manage key risks is developed among a broad group of stakeholders.
If an organization can also apply the risk management process (risk assessment + treatment, monitoring and communication) to the consideration of opportunities and strategy, ERM can really pick up steam.
That’s when people start to understand the connection of risk as both an opportunity and threat to what matters most to the organization and its future.
And then what happens? How can organizations sustain ERM efforts over time and retain that engagement and enthusiasm?
The first thing to understand is that typically, about three to four years in, there is a pause. One reason is the shift from the formation stage to the sustainability phase.
The vitality and energy that created the risk register dissipates, and people must shift their focus to ERM as an ongoing process and continual effort.
It’s also common at this time for people to question the value and outcomes of ERM and wonder: “Is this worth the effort?” or “Is our ERM program succeeding?”
If your organization hasn’t put enough thought into the creation of a sustainable, integrated framework for the overall management of risk, this pause may look like a potential roadblock, and the questions may seem frightening.
The truth is that if you are following the model described in ISO 31000 (the international standard on the practice of risk management), you will be anticipating this. The continual review and improvement of your overall program is built into that model.
A pause at three years (or even more often) is a healthy opportunity to review what you’ve built and how it’s working. It gives you a chance to assess, alter and (if needed) re-energize efforts.
The goal is to ensure that risk management is effective and continues to support organizational performance. The review must take into account not only the risk register or the management of key risks, but also how risk management is integrated into organizational activities and decision making.
In my years as an ERM consultant and delegate to the international committee that created (and is now revising) ISO 31000, I’ve observed a number of common roadblocks and challenges to the implementation of ERM.
I look forward to sharing more of them, along with possible remedies and solutions, in future columns.