Enterprise-risk management (ERM) has come a long way in a short time. Just a few years ago, the question was whether ERM was really even relevant.
Today, a growing perception that ERM “is a business discipline that can advance an organization’s [big-picture] objectives” is driving higher adoption rates across all types of organizations, says Carol Fox, director of strategic and enterprise-risk practice with the Risk and Insurance Management Society.
In fact, acceptance of the strategic value of ERM has evolved to the point where ratings agencies and equity analysts are starting to ask companies to demonstrate that they have robust ERM programs in place.
For risk managers, this new level of respect for and emphasis on ERM is something of a double-edged sword.
On the positive side, of course, the increased importance of ERM gives risk managers the chance to elevate their own status and assume a more strategic role in their organization.
But it also means risk managers will have to determine how to implement these complex initiatives quickly and well—no easy task. And they’ll also have to figure out a way to get the whole company on board with the program.
Fox has firsthand knowledge of both the how and why of beginning an enterprise risk management program that works well, a task she took on in her previous role as a risk manager with Convergys. An ERM program she started there in 2004 met “with good success,” she says.
One impact of the program, she notes, was the way people in the company began to think about the business.
“People became more reflective in terms of the risks involved with the issues they were making decisions about,” she says.
When the ERM education process began and then spread throughout the organization, employees “discovered there were many ways they could deal with risk,” Fox says.
They were shown, for example, that a risk can be managed through mitigation, it can be exploited, “or we can look for ways to transfer it—and by the way, we can do all three.”
This, she says, was an “aha” moment for many managers and directors—“that we wanted them to make thoughtful decisions about [risk] in a disciplined way”—to always ask themselves “if something was within the company’s risk appetite and manageable, or if it was something the company didn’t want to accept.”
ERM, Fox points out, needs to have company-wide buy-in to succeed, and she recommends achieving this through pilot programs that can demonstrate its value.
Once the value is seen, “then ERM becomes somewhat viral. When people have success with it, they talk about it,” she says. “Then there is a contagion, where other people ask us to help them as well.”
She adds, “You know you’ve made a difference when people are incorporating the tools and training you’ve provided them.”
During the implementation of the program, she says, “often I was fighting the perception that ERM was for achieving my personal goals. While I had good relationships with people, and they were willing to help me, it was not until we figured out what was in it for them that it became much more part of their DNA.”
One example of a group discovering ERM’s value to itself, she says, was in the IT department, which was often asked to install new hardware and software to guard against risks.
“But by going through the risk assessment from a corporate-wide perspective,” she says, “we would often find that the controls already in place were more than sufficient. We could say we didn’t think it was a good expenditure of resources” to make these additional installations.
THE C-SUITE PERSPECTIVE
While there is a perception that risk managers are having difficulty getting invited to a seat at the C-suite table, Fox believes that most corporate leaders, with only rare pockets of resistance, are eager for expert input about the strategic risks the organization faces.
“With all the external pressures—whether it’s Dodd-Frank, shareholders or the disclosures required now by the SEC for public companies—there is plenty of demand, visibility and support at the board level and at senior-management level” for ERM, she says.
Risk managers need to recognize that “it’s up to us as practitioners to step up and show where we can make a difference within the organization,” she adds.
“For those looking for an invitation, I would say show your value first as a business partner, as a growth partner—and you won’t have to worry about an invitation.”