There’s much discussion in boardrooms and executive offices these days about enterprise risk management. Certainly, general counsels, compliance officers and internal auditors are among those actively considering whether and how to move forward with some form of risk management.

Of course, many large financial institutions have long had enterprise-wide risk management programs, focusing on interest rate, credit, market and liquidity risks, with increasing effort devoted to operations risks. But while a number of other companies have implemented enterprise risk management in their organizations, most considering ERM still are at the talking stage.

This column, however, isn’t about what ERM is or the benefits it brings. Readers interested in the what and why may wish to refer to my 2004 columns of Sept. 21, Nov. 16 and Dec. 14. Rather, this column is designed to advise those organizations that have already decided to adopt ERM on how best to proceed with effective design and implementation.

The reality is that managements have fallen into several traps while seeking effective ERM. I’ve been fortunate to work with many companies that have avoided the pitfalls. Sharing these experiences will, I hope, help those of you now embracing ERM to avoid these pitfalls as well.

Wavering Support From The Top

Interestingly, in many instances the initial impetus for ERM does not come from the chief executive. Often the board of directors initiates discussion of ERM, with the board or audit committee seeking to ensure it is apprised of all significant risks. The immediate question is: “How does senior management know that it has identified the key risks, to be positioned to communicate that information to the board?” When looking seriously at the answer—after the CEO gets past the initial “Of course we know the business and where the risks are!”—the dialogue moves to how to put the necessary discipline around whatever risk identification and management processes might already be in place.

Why is this important? Because experience shows that when the CEO is not the initial driver, and especially where the board initiates a call for an ERM program, senior management may agree to move forward but their hearts might not be in it. That’s not always the case; I’m currently working with a large client where the impetus for ERM indeed came from the audit committee chair, but the CEO fully embraced the idea and is providing the needed support. But where top management is not truly on board, the likelihood of successful implementation drops like a rock.

And this is the point: To have a reasonable chance of gaining the full benefit of an effective ERM program, the CEO and other senior managers must have bought into the proposal. Where the impetus comes from can be an indicator, but is not always critical to success. The all-important issue is whether the needed support at the top exists.

An Administrative Burden

Another major pitfall is drifting away from a main purpose of implementing ERM in the first place—to support managers’ ability to make better business decisions in accomplishing corporate objectives—and instead turning the program into an administrative nightmare. This trap is all too easy to fall into, especially when too much emphasis is placed on reporting information upstream to more senior levels of management and ultimately to the board.

What sometimes happens is staff supporting ERM program development think in terms of forms and procedures, and get immersed in excessive detail and formality. The process becomes one of form over substance, unfortunately resulting in the company’s people seeing ERM as an administrative exercise, serving no purpose for themselves or the company.

Yes, providing information to the board is an important benefit, but one really best viewed as a normal outgrowth of effective ERM. The real focus should be on how ERM integrates into the culture and processes of the business, to provide managers with meaningful information enabling them to manage risks and seize opportunities proactively. Indeed, clear communication channels upstream to higher levels of management must exist, to facilitate agreement on what risks need to be addressed and how, and what opportunities should be pursued with additional investment. But that is best done in the context of existing management processes, not as an administrative overlay, or (even worse) an entirely separate process.

Misplaced Responsibility For Risk Management

Senior management tends to want to fix responsibility for risk management in one individual, usually an existing or newly designated “chief risk officer.” They want to look to that individual for information on identified risks, their relative seriousness, and how they are being managed.

While going this route might initially seem appealing, it seldom works well in practice. Yes, a chief risk officer, however named, is extremely helpful if not critical to effective ERM. This person or office can and should act to support line and staff managers in understanding how best to implement ERM in their spheres of responsibility. But experience shows that operating managers must be responsible and held accountable for effective risk management. The reasons are manifold, but in summary ERM works well when and because it’s built into the fabric of the organization and executed by those with the requisite authority and responsibility for running the business.

Within this context, there are a couple of ways senior management can readily obtain the risk information it needs:

It can look to the chief risk officer for a summary of key risks. The risk officer is positioned to be in the “reporting loop” as information flows upstream, and can be a focal point for top management inquiries. But ERM works best when risk information is communicated upstream by managers through normal reporting channels in the normal course of managing the business. Managers communicate emerging risk information upstream in regular meetings or written reports, or they may pick up the phone or send an email with time-sensitive information. And actions to be taken to manage risks are discussed through routine dialogue. The chief risk officer should be aware of important risks and ensure they are being reported through normal channels. If not, then the risk officer should urge that dialogue, and in the event of continued non-action should communicate the information directly to senior management. In that way, the risk officer continues as a staff function, providing support, summary information where desired, and acting as a fail-safe in providing information on specific risks.

Increasingly effective software exists to aid managers in tracking risks and related actions to manage them. These technologies have the added advantage of enabling more senior management levels to be readily apprised of emerging and previously identified risks, and to drill down or across the organization to learn whether coordinated actions are being taken. Many of these software systems were initially geared to deal with Section 404’s internal control provisions of Sarbanes-Oxley and have been adapted for broader ERM application. If used well, without excessive administrative effort, they can be highly useful to all levels of management.

Losing Momentum

Perhaps the most common pitfall to successful ERM implementation is failure to maintain momentum. My age is showing when I think back to the early days of ABC’s Monday Night Football, with Frank Gifford, Howard Cosell and Don Meredith in the announcers’ booth. If memory serves, it was “Dandy Don” who after a turnover of the ball harped on the terrible price of losing momentum, coining the term “old Mo.”

Forgive my walk down memory lane. Still, the same point applies to the topic at hand. ERM implementation often begins with the best of intentions, sometimes with great internal fanfare and resources and a great project plan to design, build and install ERM throughout the organization. People are excited—as even those fearing change decide they can’t or won’t try to wait out this initiative, and climb aboard—and the initiative moves forward.

But then bad stuff gets in the way. Perhaps the project leader is moved to a new role, project team members get caught up in other ongoing responsibilities, the business hits a snag and budgets are cut. Or other initiatives are begun, dealing with business process improvement, data analytics, key performance indicators or other matters seeking to enhance performance. (By the way, ERM has proven to be a solid platform and enabler for these types of initiatives.) Whatever the cause, momentum for ERM implementation can be disrupted. When it is, it can be difficult to regain.

Success occurs when project team members have enough time allocated to their participation in ERM, with some or perhaps all other responsibilities reassigned at least for the duration of the project. Senior management can’t knowingly or unwittingly lose interest, even in favor of other pressing needs. And time must be committed to see the project through—typically 18 months from start to finish for a midsize to large company (several billion dollars in revenue) or major unit of a larger company.

A client I’m now working with began to fall into this trap. About a year into the 18 months to design, build and implement the project, events began to obstruct the project, jeopardizing the prior year’s investment. Recognizing the pitfall, momentum has been regained, with the project back on track and nearing successful completion.

Viewing Training As A Panacea

The last pitfall we’ll discuss is thinking that all implementation issues somehow can be dealt with through training. The idea is simple: have a one-day, or one-half day, session to train your people in ERM, and “presto,” all works perfectly.

In reality clarity about what people are trained in is a must—that is, clarity about how ERM is designed in the company to fit into the way the business is managed. Decisions need to be made on whether ERM will be built into all business processes and departmental units during the project’s design and build stages, or whether for some processes/units that will be done by the process/unit leaders after initial implementation. Experience shows that before training, it’s important that ERM be incorporated into the more significant processes, such as objective setting, budgeting, performance assessment and at least several key line processes, to provide a sufficient foundation for ERM in the company to serve as a model for other processes/units. If some design/build work is to be done later by process/unit leaders, then training must provide that knowledge and technique as well.

Training is important, but it must be done in the context of effective design and implementation. A one-time session generally is not sufficient. Implementing an effective ERM program requires cultural and behavioral change, calling for well-orchestrated use of change management techniques, of which ongoing training is a part.

Getting To The Promised Land

With all these pitfalls, one might ask whether moving forward with ERM implementation is worth the effort. From experience the answer is a definite “yes!” It takes commitment, planning and execution, and those companies that have done it right have gained the tremendous expected benefit.