Earlier this summer, more than 7,000 runners crossed over the finish line and danced to the beat of Sugar Ray at the Providence Rock ‘N’ Roll Half Marathon. I was NOT one of them. In one of my first blogs, “Motivation for the Long Distance ERM Race” (in which I likened the roll-out of an enterprise risk management (ERM) program to training for a major sporting goal), I boldly, perhaps foolishly, announced to a virtual world that with proper planning, I would finish that race, “slowly but surely.”
What happened? I started out with the best intentions, but now have to figure out exactly why I did not make my goal. Reviewing my efforts, there are a lot of “lessons learned” from my personal failure as a runner. On a positive note, my race analogy still works. These questions and lessons are equally applicable to a stalled or derailed ERM program. How do we all stay the course, and get back on track once a target has been blown away?
From the start of an ERM program, companies must critically evaluate their physical capabilities, in terms of basic technology, to handle the related analysis. Some organizations assume that they can do everything they need to assess risk, ensure consistent communication, and implement thorough controls with spreadsheets, intranet sites, or other standard systems that they use for day-to-day work. While this may work for some projects, a full analysis and prioritization of risk company-wide is a complex effort that can be painfully slow and difficult without the right tools. Specialized ERM systems also enhance the sharing of information, breaking down “silos” that may exist between different business divisions, which is necessary for long-term success.
- Did you give yourself enough time to reach your goals? Twelve weeks seemed like plenty of time to build up to a half marathon. Running magazines said that should be reasonable. But I miscalculated the time it would take for ME to do it. Companies new to ERM often underestimate the time needed to undertake risk assessment and control activities, and fully embed ERM into their daily workflows.
However, ERM experts, such as those professionals speaking at the 2011 Annual Risk Management Society Conference, stress that it will likely take several years (on average, three to five) to implement an effective, well-coordinated ERM program, no matter what the entity size. Both small and large companies face changing market conditions and new regulations, and have their own unique organizational issues, which may necessitate more time “than average,” or than originally planned, to achieve their individual goals.
- Did you have the right resources and support? At the outset of many ERM efforts, it may be assumed or projected that there will be money, staff and non-technical resources ultimately needed for the project. Over time, it may become clear that more people, investment or management support is needed. Is this being recognized quickly enough? Running does not require a lot of specialized gear. A pair of sneakers and a few pieces of comfortable lycra clothing was all I needed. However, professional athletes benefit from having coaches, training buddies and sponsor funding dedicated to their quest. Professional risk managers need to constantly evaluate whether they have enough of, and the right kind of, support.
- How often did you monitor progress? I thought I had a reasonable plan, but days went by that I did not stick exactly to the calendar. By the time I reached a six-mile run, I was way off on my schedule, and it was too close to the 13-mile event for me to really catch up on training. I did not monitor my progress effectively.
Having a plan is not the same as sticking to the plan. Monitoring specific ERM activities is a key step towards embedding lasting risk management practices. Certain corporate departments, such as legal, compliance and finance, will be well familiar with the need for monitoring in their own areas. However, regular monitoring of practices within other departments, such as human resources, may be more of a challenge. Coordinating amongst business units can also be a new test. When setting out a schedule for monitoring various aspects of the ERM plan, consider having periodic assessments more frequently than you may think necessary, until everyone is comfortable with communication procedures and any procedural changes. Defaulting to quarterly reporting may not be enough, depending on the specific task needing completion. Consider carefully how progress will be tracked on a local, departmental, regional and company-wide level. Frequent and consistent monitoring helps give your board of directors, audit committee and chief risk officer credible assurances that the plan is on course, and minimizes surprises.
- Was there sufficient accountability? I’d like to think I had millions of virtual fans cheering me on in my training, who are now disappointed with my dropping out of the race. The truth is, though, only I cared about the race, only I set the goal, and I only had to chide myself when I shut off the 5 a.m. alarm. Having no one else involved made the devil on my shoulder seem unusually loud.
Risk professionals well understand this concept, and build in multiple layers of accountability to ensure that tasks within the ERM project get done. In the insurance world, underwriters have peer reviews, management reviews, sales and bonus incentives, and other checks and balances to help ensure that bad underwriting decisions are recognized and perhaps penalized, and good results are rewarded. Compliance teams are accountable to operational teams, managers, company executives, law departments, and ultimately, state and federal regulators. Similarly, it’s wise to build redundant accountability into the ERM process. Adopt team or peer reporting, and periodic financial and non-financial bonuses for successful activities or for meeting deadlines. Add ERM-related responsibilities into the annual review process. There are many ways to get creative with incentives.