The business paradigm of enterprise risk management (ERM) has been around for a while with some organizations finding tremendous success from their ERM efforts while others have struggled to sustain their enterprise-risk management approaches. A recent white paper by the Arthur J. Gallagher Think Tank for Higher Education Risk Management examines both ERM failures and successes to pinpoint some best practices that ensure an organization’s ERM efforts provide the value they should. Even though the white paper is written mainly in context of higher education, the ideas apply to entities across all types of industries.
The struggles associated with successful ERM implementation are associated with mistaken beliefs about the permanency and continuity of ERM process. The authors point out the significant difference between having risk managers and actually managing risks.
The white paper provides suggestions on managing risk through collaborative efforts. The key to successful Collaborative Risk Management is integrating risk management into the organization’s culture as a continuous process. Organizations need to distinguish between risk management as a one-time function performed singlehandedly, or as the process of managing risk, which involves collaborative effort and embedded process throughout the organization. According to the authors, CRM “aims to incorporate positive risks” to make organizations more aware of missed opportunities and loss of competitive advantage. The main difference setting CRM apart from ERM is the extension of risk management focus on the interaction between functional units of an organization. Overall, risk management is “about achieving success as much as avoiding failure.”
Risk Management Failure
Recent reports show that organizations experience many unsuccessful attempts of ERM implementations. Many of organizations get stuck in the phase of identifying risks and are never fully able to manage them afterwards. The four common reasons causing ERM failure, also called the “Four Horsemen of Risk Management Failure,” are:
- Absence of appropriate tone at the top
- Poor monitoring of emerging risks
- Decentralization and/or lack of accountability
- Lack of effective training and communication
Not all risk management attempts run into these issues and result in a disaster. There are organizations, which face smaller problems during their risk management efforts that do not necessarily always end up in an excessive failure. The problem for some institutions is focusing on the wrong risks, and that is where the use of CRM can be helpful. CRM pulls together strategic, operations and compliance risks, all of which are important for a well-functioning organization. Successful CRM can steer the focus in the right direction by embedding the process of risk management into the organization’s culture. Risk management requires proper risk identification and definition of risk appetite.
One of the major setbacks for organizations is failing the process of identifying risks during an implementation. Any organization trying to manage risks effectively should develop a framework even before making a list of risks. As was pointed out by the Think Tank, “CRM is about bringing an achievable structure, framework, and strategy to this so they can ultimately manage their vital risks consciously and well.” Limited resources are another problem facing organizations these days. Risk managers need to find creative ways to utilize the scarce resources and as a part of that effort create a strong institutional culture for managing risk.
Risk Management Success
Just as there are common failure causes, there are some factors that lead to successful implementations of risk management programs:
- Shared vocabulary of risk – Risk management should not be thought of just as prevention from threatening risks but also as an opportunity, including the benefits that can be gained from successfully managing risks. In addition, organizations should clearly define the purpose and expectations for well-functioning teams.
- Risk management is a process – A successful risk management program is not a one-time idea or activity that provides the ultimate fix; instead it is a continual process that is instilled in the organization’s operation based on a framework.
- All risks have altitudes and all risks have owners – There is a proper level of management for any risk and even though the final responsibility falls on the Board, each risk should be managed at its suitable “altitude.” Owning a risk means that there needs to be a single person who is primarily responsible for managing it.
- Culture transformation – change of culture can be extensive and time-consuming process, but effective implementation of collaborative risk management requires decentralization of management and use of collaborative efforts throughout the organization.
Managing Risk By Collaborative Teams
An effective CRM program requires cross-divisional cooperation, which can sometimes be difficult to achieve in certain organizations. Initially it is important to identify existing functional teams in the organization and use them to the company’s advantage. A collaborative team is defined as “one whose members are drawn from across several departments, meeting regularly for conversation, information sharing, and cooperation on specific tasks requiring cooperation for the good of the [organization].” Most organizations already have such teams and therefore there are two ways to foster the organization’s efforts in managing risks effectively: the organization can either train the existing teams, make them aware of their risk management function and assist them in their operation, or develop a new team specifically for the purpose of risk management throughout the organization. These newly developed collaborative teams will need a specific goal, a leader, appropriate training, carefully picked members, defined authority, respect for one another and adequate resources to be able to carry out their job.
The Think Tank provides a helpful step-by-step process characteristic of an effective Collaborative Risk Management implementation:
- Determine why you want to “do CRM”!
- Determine what model/framework to follow
- Garner support from the top
- Establish the steering committee
- Determine principles and a framework
- Establish a process for how risks will be managed
- Determine risk appetite
- Include opportunity analysis
- Communicate to stakeholders what CRM is all about
- Perform (Strategic) Risk Assessment
- Assign appropriate stratification of risk
- Establish the “risk owner”
- Determine specific board member ownership of each risk
- Apply mitigation techniques
- Review effectiveness; repeat steps if needed
These are all factors that can influence the success of any CRM program. Organizations need to take on the right approach in order to manage risks effectively. When all is done well and all the efforts come together, organizations can successfully manage risks through a collaborative process that leads to the fulfillment of the organization’s goals and objectives.
Click below to download the article.