The Importance of Making Informed Decisions: A Basic Overview of Enterprise Risk Management (ERM)
By John E. Garber, Jr., SPHR, SHRM-SCP
There are a few pitfalls associated with the “traditional” risk management approach. In the traditional approach, risk management is a one-dimensional assessment of risk, loss prevention and insurance. Risk is managed in a “siloed” manner and is typically reactionary. Risk is considered only in “negative” terms.
The alternative approach is Enterprise Risk Management (ERM). With ERM, risk is approached from a portfolio or multi-dimensional view. It assesses risk holistically across the organization in a proactive manner. ERM is part of the organization’s culture – “it’s what we do” and is considered in strategic terms as being able to contribute toward business productivity and profitability. It is forward-thinking and proactive.
Traditional Risk Management Process vs. Enterprise Risk Management
Generally speaking, there are five (5) steps in the risk management process. They consist of:
- Step 1: Identify Risk
- Step 2: Analyze Risk
- Step 3: Evaluate or Rank Risk
- Step 4: Treat Risk or Control Risk
- Step 5: Monitor and Review Risk
There are some variations to the risk management process, and one model includes a sixth step – Assign an Owner to the Risk. The point is not to debate the number of steps in the traditional risk management process but to point out that an insurance policy is a sub-set of one step – Treating Risk or Risk Control – where an organization transfers risk to an insurance company by purchasing an insurance policy.
Insurance can be one of the most expensive methods of transferring risk, and it makes up only one element of a comprehensive risk management program. Insurance policies and coverage placement are an important part of an organization’s protection and a necessary component of a risk management program. However, growth-oriented, middle market clientele typically compartmentalize their approach to risk management: they place most of the emphasis on buying insurance and instituting basic risk control policies while leaving further opportunities to reduce the total cost of risk off the table. This is where an enterprise risk management framework can have a positive impact on how an organization deals with risk.
In my 28 years of professional practice, I consistently encounter the same comment from growth-oriented, middle market clientele: “ERM is for larger organizations”. You may think it is only for the larger organizations, but ERM is about the nature of risk – strategically and operationally.
What is Enterprise Risk Management?
Enterprise Risk Management (ERM) is about structured decision-making. Thought of in another way, it is the art and science of making informed decisions. In order to make effective, informed decisions, a common framework should be adopted. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated ERM Framework in June 2017; it illustrates, in simple terms, a set of principles across five components. These five components are scalable. They are:
- Governance and Culture: establishing values, demonstrating appropriate behaviors and a system of oversight. Regardless of the size of your organization, there needs to be a basic management system. Moreover, every organization has a culture which impacts behavior. This is where organizations set the tone for what is and is not acceptable risk.
- Strategy and Objective-Setting: taking a portfolio view of risk, rather than a silo approach, through strategic planning and establishing objectives for defining risk tolerance, procedures for risk identification and response. Based on your business strategy, your organization will naturally carry certain risks, which create opportunity for success or, if not properly managed, a recipe for losses.
- Performance: determining how individual, team and organizational performance are impacted by risk. In carrying out the objectives for fulfilling the business strategy, you should assess risk to determine if it is acceptable (within your risk appetite) and respond to unacceptable levels of risk to prevent or curtail the chance of adverse events which have a negative effect on performance.
- Review and Revision: identifying qualitative and quantitative metrics to determine how the ERM program is performing over time. How do you currently measure how the organization is performing? Do those metrics provide meaningful measures of success? Have you considered other elements such as human capital? Do we have a basic approach to measuring Total Cost of Risk (TCOR)? Growth-oriented middle market clientele have a tendency to limit their measures to insurance policy costs and claims.
- Information, Communication, and Reporting: communication is absolutely essential. Information needs to be gathered, interpreted and communicated across departments and teams – up, down and across the organization. At a simplistic level, many failures to properly communicate occur due to turf wars and a silo structure in the organization. Properly sharing information up, down and across the organization facilitates understanding of where risk exists and how it could serve as an opportunity for growth as well as negatively impacting the organization in achieving its strategic objectives.
Organizations exist to create value for their clients and stakeholders. Growth-oriented, middle market organizations can adopt and practice ERM at a scale appropriate to the size of the organization to support a strategy for delivering value in products and services. ERM supports effective business performance and productivity.
Keep ERM Simple
Complex problems do not require complex solutions. There is a tendency to over-complicate ERM in growth-oriented middle market organizations. The goal is to make well-informed choices. If we don’t know enough to know what we don’t know, we are not making well-informed choices. Here are a few simple steps to begin focusing on enterprise risk:
Establish a Risk Management Committee: Even if your organizational structure is relatively flat, assemble a small team of cross-functional leaders to discuss strategic and operational topics. Develop a formal charter for the committee. The committee should be large enough to represent the core business functions. Have the committee trained by a risk management professional on identifying enterprise risk and how it relates to the organization. Set a recurring meeting schedule appropriate to the size and complexity of the organization, with a formal agenda and committee leadership to guide discussions. Begin by defining risk and how it relates to the business. This includes defining risk appetite.
Organizational Culture: take time to communicate business strategy and the expectations among the organization in terms of mission, vision and core values. The organization needs to understand desired behaviors. Risk management is not a thing we go through during renewal time, but “who we are, what we do and how we behave”. It makes up our organization’s DNA.
Policies and Procedures for Measuring, Managing and Mitigating Risk: prioritize risk by identifying frequency and severity in the context of risk appetite and establish policies, procedures and controls to keep risks within acceptable ranges. Internal dynamics, external market pressures and the legal environment combine to have an effect on an organization’s risk appetite. The acceptability of risk is a natural part of operating a business and effective risk management programs create opportunities for organizations to innovate and expand into new markets, as well as explore new products and services. This is due to confidence in policies, procedures and controls. The results of internal assessments and status of management and mitigation practices are reported to the risk management committee.
Continuous Improvement: ERM is not a destination but a journey. The governance process, the reinforcement of organizational culture, policies and procedures, and communication processes must be continually evaluated and monitored. Risk is dynamic, and our ERM Framework must be agile enough to respond to the dynamic nature of change. Building an organizational culture based on strong core values and desired behaviors that reflect good risk management principles is what makes the organization able to be agile.
Adopting a basic philosophy and approach to ERM will have a positive impact on your organization’s business performance. Risk management success is derived from organizational success. If we are making well-informed choices we are in a better position to manage our total cost of risk, and yes, this ultimately includes the cost of your insurance program.
John Garber is Managing Director and Practice Leader at KMRD Partners, Inc., an award-winning risk management and human capital solutions firm.
Note: This content is provided as general background information and should not be taken as legal advice or financial advice for your particular situation. Make sure to get individual advice on your case from a KMRD risk professional before taking any action.