Three Best Practices for Enterprise Risk Management (ERM)
By Samantha Beavers
Between navigating staff shortages, preventing cyber attacks and reducing greenhouse gas emissions, organizations have a lot on their plates. This, along with a steadily accelerating pace of global change, means the need for robust enterprise risk management (ERM) processes has never been greater.
So, what can organizations do to drive their strategic priorities forward, prepare for unexpected events and ensure their ERM processes add value? A few best practices shared at the ERM Initiative’s most recent ERM Roundtable Summit, featuring industry leaders and faculty from Poole College of Management’s Master of Management, Risk and Analytics program, provide a good place to start.
Commit to continuous improvement
No matter how mature an organization’s ERM capabilities are, there’s always room for improvement – and in a constantly evolving marketplace, organizations can’t afford to slow down or stand still.
As an example, Mike Burns, director of enterprise risk at Corning, Inc. and a member of the ERM Initiative’s Advisory Board, noted that in the risk factors section of the company’s 10-K form in 2004, the word cyber wasn’t even mentioned – which goes to show how much the risk landscape has changed. Pursuing continuous improvement, then, is non-negotiable. In addition to keeping an eye on emerging risks, organizations must also strengthen their risk management efforts – regularly looking for opportunities to learn and improve.
“One big thing for us is never settling and constantly trying to improve. When it comes to risk management, we’re mature – we’ve been doing this a long time. But we believe we can do better,” Burns said. “So don’t rest. Keep doing better, keep striving and keep doing the work. None of us will do this perfectly. But because there’s so much complexity – especially internationally – we need to continue to grow.”
Allow tools to guide you
According to Burns, Corning refreshed its ERM processes by conducting a Design Sprint – a two-and-a-half- to five-day process that helps companies identify problems, sketch solutions and design a path forward.
And whether it’s conducting a Design Sprint, following Six Sigma or improving alignment with the ERM framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Burns urges organizations to strengthen their ERM by leveraging trusted tools and frameworks.
This doesn’t require organizations to put all their eggs in one basket or rigidly adhere to a particular process. Adaptation is key. However, using these tools as a guide helps organizations assess what’s working, identify what’s not and fill in the gaps.
“People sometimes roll their eyes when it comes to these tools, but they’re really valuable. So you have to trust them – they actually work. And if you’re open minded, you’d be surprised at what kind of output you’re going to get,” Burns said.
Tap into data visualization
To add value through ERM, it is also useful to create visual tools that help organizations better understand the link between risk and strategy – and help them make timely, strategic decisions.
American Fidelity does this with a risk appetite dashboard that monitors and reports on the company’s key metrics. Annually, the company’s senior management and risk leaders set targets and agree upon tolerances for each key metric. The dashboard then reports on the actual performance and shows whether the metric is within tolerance – or whether it has reached a trigger point for either management or the board.
“I don’t want to overestimate this, but this is one of the best tools from the last 25 years – it really works,” said Larry Baker, chief risk officer for American Fidelity Assurance and another member of the ERM Initiative’s Advisory Board. “Our board loves the visual – and the reason the tool works is because of the visual.”
Moving forward in a digital world, companies will need to increasingly leverage data to stay competitive and resilient – but importantly, not every shiny new tool is necessary. According to Baker, data is essential for American Fidelity – but the company is modest in its risk-related tech investments.
“We’re technology-lite – and that’s intentional. We don’t have a specific technology to power our dashboard, for example. But we want that exact dashboard, so we develop the tech to support that. Some [organizations] are much bigger and have a lot more data and may need more tech – but we’re consciously choosing not to get any certain risk-related tech at this stage in our maturity, because what we’re doing is working,” he said. “Know what you need and do what’s right for your company.”
This post was originally published in Master of Management Risk & Analytics.