Enterprise risk management is the newest buzzword, but the concept is actually not a new one. Only recently–with the meltdown of the financial sector and the economic slowdown–has ERM begun receiving a tremendous amount of publicity.

What exactly is ERM? My definition is holistic management of all material risk. Simply put, it is the view and identification of risk throughout the organization, and the steps being taken to manage risk.

If you search for a definition of ERM on the Web, you would see many explanations. This can be very confusing because of the broadness of the definition–it means different action items and components for every single company. Among the questions to help you define this process for yourself:

o What exactly do you mean by risk?

o How material are those risks to the organization, and what exactly does “material” mean to your company?

o What about corporate governance?

o Is there insurance involved?

o Who should lead this? Do I need a chief risk officer?

o How do I begin?

o How much will this cost, and what are the benefits?

The answer to the above questions is that it varies, which confuses the issue further. There are books, articles, specialty companies and departments that are all dedicated to ERM. There is even an “ERM for Dummies” manual.

Yet all the haphazard advice and differing opinions do not help firms implement ERM. What needs to be understood is there is no magic potion or plan for ERM to be implemented or effective within an organization.

Companies need to define their own process and customize it for themselves. Only then can you begin the process of implementing a focused ERM plan within your culture.

Remember Y2K? That was the fear back in the late 1990s about what effect the date change one minute after 12/31/99 at 11:59 p.m. was going to have on computer systems. I can remember reading about the prophecy of impending doom, and as a result, companies were spending millions on consultants and studies of what might go wrong.

There were many solutions created to protect against the potential catastrophe when we reached the year 2000–or Y2K. A cottage industry was born, whose sole purpose was to help organizations deal with this potential worldwide crisis.

Insurance companies went as far as to add Y2K exclusions to their policies in anticipation of this event.

At the end of the day, the predicted crisis never materialized. However, what it did do was force management to better understand their business and all the moving parts that affect it both internally and externally.

ERM is now the Y2K of 2009. What is vital to this process is what makes the world go around–money. The global recession, in conjunction with the financial meltdown of several large institutions and government bailouts, has brought the issue of ERM to the forefront as a “new” concept.

As a result, Standard & Poor's announced that it plans on evaluating a company's application and implementation of ERM as one of the credit rating factors when evaluating each organization.

S&P does not instruct companies how to implement and manage ERM. However, they will evaluate how well the company defines risk and what systems are in place to highlight them, then get them to the proper level of management so they are addressed in a timely manner.

In actuality, the practice of ERM has been used by various successful companies for years as the way they run their business.

Several years ago, I was asked by a journalist for my opinion on the concept of ERM. I responded that I preferred to call it holistic risk management (not ERM) and that any organization that managed their company properly did not need a chief risk officer, or a Risk Czar.

All risks boil down to money, and most organizations either have a chief financial officer or a similar position responsible for managing, controlling and overseeing the company's monetary activities.

This concept of holistic risk still stands true in my daily practices today as it did many years ago. Implementing ERM should not be as complicated or daunting as some make it out to be.

Who needs to be involved? Previously, I was with a Fortune 500 company I felt had perfected an ERM process complementary to their practices and culture. They formed an Internal Committee called the Finance Council, chaired by the CFO and made up of all the CFO's direct reports, their associates and the Business (Operations) Groups' Financial leaders.

He also invited the head of investor relations, the outside audit firm's senior partner and a representative from the general counsel's office. This group met every six weeks and had a working session discussing and publishing the risks of each division's business plan. The risks could be projected sales, new markets, supply chain, entry into new countries, etc.

He then would assign appropriate members of the council to work on these highlighted risks and report back at the following meeting on what steps were being taken to eliminate, mitigate or transfer those risks. This effectively covered all areas of risk the firm was encountering, and left little room for surprise or error.

On an annual basis, he reported the group's work to the Audit Committee and to the board of directors. This practice took place over a decade ago and was simply their standard operating procedure.

My point is that ERM is no great mystery. When done correctly, it is simply a well thought out and implemented business plan with sound management processes in place. So, why the confusion?

The reason for all the current discussion regarding ERM returns to not having a set definition and the disarray that comes along with trying to decipher something you don't understand.

I have seen companies trying to purchase computer software to identify and track risks. Accounting and audit firms present themselves as being able to help companies put ERM into place.

My recommendation is that before spending money on software or accountants, or anyone else referring to themselves as “risk professionals,” there needs to be a fundamental understanding of ERM and the risks facing your company first.

My recommendation is to implement the KISS (Keep It Simple) approach. Here are my recommended steps to begin achieving a productive ERM process:

o Identify a champion (someone to lead and manage the process). My recommendation is that the CFO needs to lead this initiative. If the CFO is not qualified to lead this exercise, then I recommend engaging the services of a competent risk management advisor who is well versed in ERM to help design and manage the process.

The next step is to gather all the pertinent internal business leaders and form a working group to manage the process and system.

o Define what dollar amount would be “material” to the entire organization. A loss of that dollar amount would either shut the company's doors or impact share price.

o Once the material dollar amount is identified, have each leader list what risks within their respective area could possibly bring about a material loss of that caliber. (This list should be short.)

o Have the group assign personnel to identify the steps needed to eliminate, mitigate or transfer that risk.

o Meet periodically to track progress against the action steps and continually define and improve the process.

o Once the material risks have been identified and steps put into place, the group then can broaden their definition of risk and begin the process of risk management for those non-material but large risks within their respective areas.

Once you have an ERM process in place, it becomes routine for your company. ERM should not be a buzzword or a project (with a beginning and an end). It should be the way you manage your business today and tomorrow–in other words, a way of life.

Richard W. Sarnie, CSP, P.E., is senior vice president and chief operating officer of The ALS Group in Upper Saddle River, N.J. He may be reached at [email protected].

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.