Earlier this summer, more than 7,000 runners crossed over the finish line and danced to the beat of Sugar Ray at the Providence Rock ‘N’ Roll Half Marathon. I was NOT one of them. In one of my first blogs, “Motivation for the Long Distance ERM Race” (in which I likened the roll-out of an enterprise risk management (ERM) program to training for a major sporting goal), I boldly, perhaps foolishly, announced to a virtual world that with proper planning, I would finish that race, “slowly but surely.”
What happened? I started out with the best intentions, but now have to figure out exactly why I did not make my goal. Reviewing my efforts, there are a lot of “lessons learned” from my personal failure as a runner. On a positive note, my race analogy still works. These questions and lessons are equally applicable to a stalled or derailed ERM program. How do we all stay the course, and get back on track once a target has been blown away?
When managing any long-term project, including an ERM program rollout, it is important to debrief, review and re-strategize your priorities. This is particularly critical after facing a major setback. First, ask yourself the hard questions, and answer them as honestly and thoroughly as possible. Involve others, either those who have participated in the effort to date or interested third-party observers who may have a fresh perspective on what the facts really were. Ask the following:
- Were you physically ready for the challenge? I had assumed I would be physically up for a half-marathon without really thinking of what a major effort it would be on my body. I chose an aggressive training plan that was tailored for muscles and lungs already accustomed to significant distance. My progress was painfully slow and difficult from the outset, without the right foundation.
From the start of an ERM program, companies must critically evaluate what their physical capabilities are to handle related analysis in terms of basic technology. Some organizations assume that they can do everything they need to assess risk, ensure consistent communication, and implement thorough controls with spreadsheets, intranet sites, or other standard systems that they use for day-to-day work. While this may work for some projects, a full analysis and prioritization of risk company-wide is a complex effort which can also be painfully slow and difficult without the right tools. Specialized ERM systems also enhance the sharing of information, breaking down “silos” that may exist between different business divisions, necessary for long-term success.
- Did you create a reasonable plan, and keep it updated? A good first step in training for a race is to create a plan that breaks down the target distance into smaller, more manageable runs and exercises. Including mid-term shorter races, and incorporating sprints, pick-ups and incline runs, help condition the body and mind for the ultimate goal. My plan never was updated to incorporate other exercises that would have kept me better motivated and prepped for my big day.
Similarly, companies developing an ERM project need to develop a thorough plan, involving all necessary stakeholders, up front. But they also need to frequently review the plan, over time, and evaluate whether the plan needs to be changed or updated to include interim milestones, different departments or new staff. An ERM project master plan should be a living document which incorporates the wide variety of smaller tasks and activities necessary for the execution of the overall effort.
- Did you give yourself enough time to reach your goals? Twelve weeks seemed like plenty of time to build up to a half marathon. Running magazines said that should be reasonable. But I miscalculated the time it would take for ME to do it. Companies new to ERM often underestimate the time needed to undertake risk assessment and control activities, and fully embed ERM into their daily workflows.
However, ERM experts, such as those professionals speaking at the 2011 Annual Risk Management Society Conference, stress that it will likely take several years (on average, three to five) to implement an effective, well-coordinated ERM program—no matter what the entity size. Both small and large companies face changing market conditions, new regulations, and have their unique organizational issues which may necessitate more time “than average,” or as originally planned to achieve their individual goals.
- Did you build in wiggle room for contingencies? Stuff happens. Runners may suffer from unforeseen circumstances, such as muscle fatigue, cramps, injuries or illness. Companies lose staff, suffer system outages and put out periodic fires. Not only should the overall timetable for your activities be realistic, but it will also need to include room for surprises. Set goals and milestones, but know which ones are “drop dead,” and which ones can be adjusted to accommodate detours or emergencies. Have backups ready to assist in the absence or change of key personnel, and build in multiple alternatives for processing control workflows where possible. In other words, risk-manage your ERM project risk!
- Did you have the right resources and support? At the outset of many ERM efforts, it may be assumed or projected that there will be money, staff and non-technical resources ultimately needed for the project. Over time, it may become clear that more people, investment or management support is needed. Is this being recognized quickly enough? Running does not require a lot of specialized gear. A pair of sneakers and a few pieces of comfortable lycra clothing was all I needed. However, professional athletes benefit from having coaches, training buddies and sponsor funding dedicated to their quest. Professional risk managers need to constantly evaluate whether they have enough of, and the right kind of, support.
- How often did you monitor progress? I thought I had a reasonable plan, but days went by that I did not stick exactly to the calendar. By the time I reached a six-mile run, I was way off on my schedule, and it was too close to the 13-mile event for me to really catch up on training. I did not monitor my progress effectively.
Having a plan is not the same as sticking to the plan. Monitoring specific ERM activities is a key step towards embedding lasting risk management practices. Certain corporate departments will be well familiar with the need for monitoring in their own areas, such as legal, compliance and finance. However, regular monitoring of practices within other departments, such as human resources, may be more of a challenge. Coordinating amongst business units can also be a new test. When setting out a schedule for monitoring various aspects of the ERM plan, consider having periodic assessments more frequently than you may think necessary, until everyone is comfortable with communication procedures and any procedural changes. Defaulting to quarterly reporting may not be enough, depending on the specific task needing completion. Consider carefully how progress will be tracked on a local, departmental, regional and company-wide level. Frequent and consistent monitoring helps give your board of directors, audit committee and chief risk officer credible assurances that the plan is on course, and minimizes surprises.
- Was there sufficient accountability? I’d like to think I had millions of virtual fans cheering me on in my training, who are now disappointed with my dropping out of the race. The truth is, though, only I cared about the race, only I set the goal, and I only had to chide myself when I shut off the 5 a.m. alarm. Having no one else involved made the devil on my shoulder seem unusually loud.
Risk professionals well understand this concept, and build in multiple layers of accountability to ensure that tasks within the ERM project get done. In the insurance world, underwriters have peer reviews, management reviews, sales and bonus incentives, and other checks and balances to help ensure that bad underwriting decisions are recognized and perhaps penalized, and good results are rewarded. Compliance teams are accountable to operational teams, managers, company executives, law departments, and ultimately, state and federal regulators. Similarly, it’s wise to build redundant accountability into the ERM process. Adopt team or peer reporting, financial and non-financial periodic bonuses for successful activities, or meeting deadlines. Add ERM-related responsibilities into the annual review process. There are many ways to get creative with incentives.
- Did you just “hit the wall”? “Hitting the wall” is the term for the dreaded point during a race in which the runner’s muscle glycogen stores become depleted, and a feeling of complete fatigue or pain hits. This may occur because the runner has trained too hard, too fast, too close to the race, and has not rested and recovered enough. Some experts recommend that runners add “junk miles” to their schedule, runs at an easy pace that help reach a specific mileage goal, but which also serve as a much-needed recovery from harder workouts.
At some point in any ERM implementation, even when ERM is fairly established in a company, people involved in risk efforts are likely to get burnt out. After the pizza party and pony show that kick off a new ERM plan, excitement and enthusiasm for risk management may wane. Day-to-day risk responsibilities may be seen as burdensome, costly and distracting from core staff activities. Know that this is natural, expected, and plan for that day. Hard work and top speed are difficult to sustain over time. How are you going to get your team past the wall? Do you need to ease up on ERM as a focus for management and staff for a short period, or can you schedule key ERM dates during “downtime” periods in the company’s business cycle? Will extra short-term incentives and rewards help get a stalled review moving? Ease up short term, to have a faster result overall.
On the up side, not everything went wrong in executing my plan. I am healthier for working out at all. Although I did not make this one race, I did get to the point where I started releasing endorphins and earning a “runner's high,” the coveted feeling of exhilaration and well-being associated with energetic running. For the ERM athlete, reviewing progress can also highlight interim successes. Debrief your ERM efforts not only to uncover weaknesses, gaps in strategy, and opportunities for improvement, but also to do more of what is going right. Only then can you reforecast and refocus your plan, and “Just Do It,” as the folks at Nike say.