Those in the risk management field have heard plenty about the benefits of establishing an enterprise risk management (ERM) program. In some cases, they’ve likely heard too much. Lost in debates about frameworks or which acronym to employ (ERM vs. IRM vs. GRC) is the answer to the question, “How do I actually establish an ERM program that produces tangible, measurable results?”
An ERM program doesn’t have to be overly complicated (really!). Neither does it have to be an academic exercise that takes you away from critical daily tasks. When ERM is done right, it’s tied directly to your organization’s central strategic goal and consists of clearly laid-out, doable steps.
You can launch a manageable and sustainable ERM program. You can get everyone on board with the process. You can find success without losing your mind.
You can do ERM differently.
Focus on execution
ERM isn’t a magical, all-knowing tool into which issues are input and solutions spit out. ERM is a considered process that forces you to ask the right questions—questions that lead to the right preventative measures. So when embarking on the creation of an ERM program, your focus should be on execution: What actions am I not taking today that I should be taking in order to get out in front of risks?
To begin executing, establish your end goal. Without knowing what you’re ultimately going after, progress will be futile. What is your organization’s most important strategic goal? For example, a fast food chain’s most important strategic goal may be selling chicken sandwiches. That goal should be at the heart of the business’s ERM program.
By using common language and straightforward ideas, the concept of ERM becomes relevant to stakeholders throughout the organization.
Next, ask, “What types of things could threaten our most important strategic goal?” Those at our hypothetical fast food chain would start by listing out the variety of threats to selling chicken sandwiches (foodborne illness, supply chain disruption, etc.).
Finally, ask, “What actions can we take to mitigate the risks that threaten our most important strategic goal?” Everyone can consider risks, but thinking strategically about how to go about preventing them—and, ultimately, executing on those risk controls—will help you find success. By identifying risks and setting up risk controls, ERM is already underway.
Go beyond heat maps and risk assessments
When people think of ERM, heat maps and risk assessments may be the first two things that come to mind. Although these tools can be helpful for defining what your risks are, they do little to provide strategic direction for when and how to take action. This is because they only measure two factors: likelihood of risk and severity.
To highlight the limitations of heat maps and risk assessments, let’s say Risk A has a slightly higher likelihood and severity than Risk B. A heat map will indicate that Risk A is more urgent. However, what a heat map can’t show is likely time to exposure. If Risk A has a likely time to exposure of five years, while Risk B has a likely time to exposure of two years, Risk B would actually be more urgent.
Risk strategy requires multi-factor analysis. Heat maps and risk assessments are, by themselves, inadequate—and potentially even misleading. To get a more accurate picture of risk and begin executing risk controls, organizations can start by analyzing data in a more practical manner. Merely capturing data does little to produce change. But turning data into insights, and then using those insights to ask the right questions and take the right action, provides real value.
Origami Risk’s ERM platform allows for the creation of customized charts, graphs, and dashboards that filter data points that matter to your organization—and then send automatic alerts to spur action. These actionable data points, known as leading indicators, foretell potential risks, spark discussion, and help establish controls.
Continuing with the example from the previous section, if the fast food chain is concerned about supply disruption, the supply chain department could set up a trigger for a leading indicator—such as poor weather—that may affect the supply route. When severe weather data points show up, the team is alerted and can intervene in a meaningful way, such as holding their supply of chicken from the weather-affected region and purchasing more from another. Without an ERM program in place, without having considered the threats to their ultimate goal, it’s unlikely that the fast food chain would take this much-needed action.
Using the right data to inform the right person about the most pressing risks that threaten the ultimate strategic goal—that is ERM.
ERM makes you look at the data and ask the right questions so that you’re in front of risks you may not have otherwise noticed.
Putting the enterprise in ERM
Although individual departments of an organization have specific areas of focus and expertise, risk doesn’t recognize such boundaries. A risk never falls neatly into one category or picks who it will affect. Because of this, organizations need the shared, strategic approach of ERM to manage threats against a common goal.
This starts with the sharing of data. Origami’s single, integrated ERM platform receives data no matter where it originates—in the kitchen of the fast food restaurant, from a fleet vehicle delivering chicken, or from surveys completed by customers indicating how much chicken they’re eating. With all of these data points in one place, employees reap the benefits of greater insight into the overall picture of risk and strategic progress. Then, when it comes to getting out in front of a particular set of risks, organizations can divide and conquer.
Origami’s lens feature plays a big role here by allowing departments to set thresholds for what matters to them within shared data. The fleet manager, for example, may want to be alerted when 3% of the fleet could be delayed. The operations manager, on the other hand, may not be concerned until 5% of the fleet is affected. Each department can establish its own parameters for what is considered problematic, and set up automatic alerts for when that threshold has been crossed and action is warranted. Although the strategic goal and ERM mindset are shared, departments can focus strictly on their own role in managing a particular threat.
Applying lenses can also help keep departments from paralysis. If everything is listed as a red alert for everyone in the organization, it’s likely no one will know where or how to tackle it. But if members of a department receive a notification only when it applies directly to the work they’re doing and it actually indicates that action is required, they’re more likely to spring into action.
When an ERM program is up and running with teams using actionable data to stay out in front of risks, a major milestone has been reached. Of course, that doesn’t mean all risk is contained. The risk that remains after controls are put in place is known as residual risk, and tracking this matters most to leadership and the board.
When leadership has confidence that the myriad risks threatening the organization’s strategic goal are being handled properly, they can focus on what’s left over. They can decide if the remaining risk requires further action (purchasing insurance, setting aside additional funds) or if they can leave it be and accept the risk.
Origami’s dashboard functionality helps deliver the right information to the board at the right time. Users can set up specific thresholds within a dashboard. When met, these can trigger the system to automatically email a PDF or pull data into a PowerPoint template that is then sent on to members of the board. These reports reduce the noise (the granular details that individuals and departments are managing and the threats they’re working to mitigate) and deliver the information that really matters. The more effectively each department manages its own area of risk, the better the board can do its job.
When an entire organization shares a strategic goal, an understanding of threats against that strategic goal, and the data that will lead them to ask the right questions and put controls in place, departments can divide and conquer on execution of those controls. When controls are in place, leadership or the board can focus, without distraction, on residual risk.
ERM need not be a theoretical concept. It has purpose grounded in reality and provides measurable value. Start with the end (the extra actions you want to be taking to protect your most important strategic goal) and use the right tools to execute them. Do that, and your ERM program is on the road to success.