In my last blog, I reviewed the benefits of ERM. That means you are probably hungry to sit downand take on a risk management initiative. But analyzing risks,setting controls, ensuring communication, and monitoring progresstakes time and effort. Like serving any large, multi-course meal,ERM projects can be large, intimidating, tough to coordinate, anddifficult to digest.

In tackling an enterprise riskmanagement rollout, breaking down the project is essential forsuccess.

The Five-Course Menu (or Project Plan)

Every multi-course dinner starts with a menu plan. Each courseis reviewed, and then the assigned ingredients, preparation, andcooking times are shaped by the chef's culinary vision. Similarly,the ERM manager should start with a general overview of the ERMprocess and set out the specific steps required to realize thecompany's vision and goals.

Over the next few months, this blog will examine each majorcomponent of the ERM process in greater detail. First, here is amenu of the basic steps of ERM—in five delicious courses.

The Starter: Identifying Current and EmergingRisks

Hors d'oeuvres or appetizers are designed to excite the tastebuds and prepare guests for the coming feast. They are afundamental first step in showcasing the chef's gastronomic talentsand introduce a “theme” for the full culinarypresentation.

In ERM terms, the first course is identifying currentand emerging risks. The identification process oftenstarts on a small scale, with face-to-face interviews. Groups ofkey managers and staff are asked about root causes and drivers ofrisks in their particular areas.

Next, the ERM team will look at any connected or similar risksthat might affect multiple departments. The review may increase incomplexity. The company can conduct surveys, review news, researchindustry press, and retain experts and consultants. A harvest ofpotential risks will be gathered, sliced and diced, and main groupsof risk bucketed and blended. Even the smallest tidbits ofinformation gleaned here can reveal patterns and trends of loss notpreviously appreciated.

ReadMore Risk Management Insights From Denise Tessier

This is a fundamental step, designed to form the basis for theentire ERM plan, and can whet the appetite for future ERM work.Often, participants get their first real taste of the magnitude andfinancial impact of risk in such interviews. As new ideas and riskscome to light, participants may begin to realize how vulnerabilityin their areas of responsibility might impact the company on agreater scale. New, interesting flavors are added toresponsibilities already on their plates.

The identification course also can introduce a “theme” for theoverall ERM project. The company begins to educate all staff aboutERM principles early in the process. The instructions given; thequestions and answers elicited; and the information gathered atthis stage can leave an impression. With care, that impression willbe that the company is serious about risk management, it sees ERMas a collaborative effort, and is committed to developing asustainable, long-term approach. ERM is not fast food.

NEXT: The Salad and the Sorbet

The Salad: Using Metricsto Assess Frequency and Severity

The purpose of a salad in a multi-course meal is to addsomething that the main entrée itself may lack—be it a certainflavor, texture, color, or nutritional base. Salads complement andcomplete the dining experience.

Metrics could be considered the “salad” ofERM—something that complements and completes the risk analysisprocess. A company that has catalogued its risks and hasestablished some controls to manage them has accomplished a majorstep toward mitigating future losses. But it isnot quite enough.

Adding the extra step of developing metrics allows a company torank its risks by significance, and prioritizeits resources and activities around the most dangerous risks andthe most beneficial controls. It also provides some objective,quantitative measurements of specific risks against anorganization's risk appetite, the statement of a company'swillingness to assume a degree of risk in pursuingopportunities.

In this phase, companies assess the frequency of a potentialrisk—how often could the event or loss happen? They also measureseverity—how bad could the event or a loss be? Other metrics canalso be used, such as the duration of an event or loss and thedevelopment time for that risk or loss. Taking the time for thesekinds of assessments helps with risk avoidance or mitigation.

Of import, the key feature of any ERM program is to set standardscales/metrics for evaluation of different kinds of risk acrossdifferent business divisions, so that they can be compared on an“apples-to-apples” basis. Measuring risks in standard formatsultimately enables the company to make more comprehensive andstrategic decisions. Metrics make an ERM program complete.

The Sorbet: Risk Reporting, Monitoring &Adjustment

Sorbet is often served between courses as a way to cleanse thepalate before the main dish, an intermezzo between more intensecourses that freshens the taster's perspective.

ERM programs must also have planned pauses for participants toevaluate prior work. The world of risk is constantly changing. InERM, risk reporting and monitoring will bescheduled on a regular basis, so that risks can be reviewed,re-ranked, and controls can be tested. Risks become more or lesssignificant to a company over time, others are newly identified.Building time into the overall process to appreciate and critiquewhat has passed, address needed changes, and prepare for the nextcourse refreshes perspective on risk.

NEXT: The Main Entree and Dessert

The Main Course: Setting Effective Controls

A well-planned main dish is the heartiest course and is thehighlight of a meal. Preceding courses are designed to steadilyincrease appetite, culminating in a solid, satisfyingentrée.

ERM's main course is effective controls. It isthe ultimate goal of an ERM program to establish a suite ofspecific techniques, policies, and procedures to reduce or mitigateidentified risks as much as possible. While they won't operate toeliminate 100 percent of all risk, well-developed, sustainablecontrols will have a direct financial impact on a company. Controlscan make or break a company, as is being recognized by suchindustry gourmet critics as state and federal regulators, ratingagencies, and shareholders. Solid controls satisfy reviewers.

Dessert: StrategicAnalysis

For a professional chef, dessert serves an important purpose,either reviving the palate or facilitating digestion. For thediner, dessert is pure pleasure. In either case, a superb dessertcan make the entire meal truly memorable, adding that extrasomething special.

Strategic analysis is the icing on the cake formany ERM programs. Strategic analysis is the process of weighingwhether potential gains will outbalance losses in a proposed courseof action. Once main controls are established and operatingsmoothly to mitigate the “downside” of risk, a company can push itsanalyses to a new level, allowing it to more fully address the“upside” of risk: opportunities.

Using ERM to perform strategic analysis can help decision-makingon some very practical issues. For example, how much capital shoulda company hold in reserves to cover some of its key risks? Shouldthe company enter into a new line of business or develop a newproduct or market? Strategic analysis adds that extra specialsomething to the ERM process.

Menu Planning Tips

When integrating these courses into a new ERM project, here issome advice to take away:

“Keep it simple,and make it tasty.” –GordonRamsey

Gordon's kitchen mantra is to offer fewer, simpler options for ameal—but use high quality ingredients—to make a strongerimpression. In ERM, remember that it is okay to keep it simple,particularly in the early days. A company new to the ERM processmay want to taste the sauce and perfect its methodologies with alimited population of risks, selected lines of business, or atargeted group of staff, before rolling out a major new ERMprotocol or system to a large population tooquickly.

“Focus on the guests, not just thefood.” –Martha Stewart

ERM is not just a theoretical model or fancy computer system. Itis a method of reviewing risks with input from many people acrossan organization. ERM efforts should be primarily focused oncommunication among people—eliciting input from many levels,sharing of information across former “silos” of individual businessunits, and reporting information to decision-makers. All yourcustomers need to be satisfied.

“The only real stumbling block is fear of failure.In cooking you've got to have a 'What the hell?'attitude.” –Julia Child

Don't be afraid of trying ERM and experimenting with differentanalysis methods, metrics, strategic applications, and the like.ERM should be a flexible and forgiving process, which changes withthe times. Today, there are many tools and systems that givecompanies the freedom to flavor ERM to their unique needs andtastes. Take that first bite!