Moving Forward with ERM emphasizes the importance of managing risks throughout the organization and the emerging communications of ERM developments in corporate reports. Corporate reports often:
- state how ERM relates to international best practice frameworks;
- explain the CRO’s responsibilities;
- explain the ERM processes within the realm of an organization’s strategy;
- summarize business objectives in conjunction with internal and external risk factors;
- provide quantitative technique data for individual risk categories; and
- define the company’s risk tolerance and appetite ranges to meet strategic objectives.
An emphasis on the role of the CRO is highlighted in the article. The report, authored by Sean De La Rosa, emphasizes how CROs should provide adhesion for businesses risk management activities and also work to eliminate duplication of effort. Qualities of a successful risk manager are well-developed risk consciousness; knowledge of main business processes; current education in risk management curriculum; communication skills that include working with individuals at all levels; facilitation skills; and skills in finance, accounting, and insurance. In addition, the CRO’s key duties include the following responsibilities:
- overseeing risk management activities and management of framework process;
- assisting management by designing an appropriate risk management foundation;
- monitoring enterprise-wide risks and making certain major risks are communicated upward;
- ensuring and validating effective management of risks by business unit leaders;
- serving as ERM adviser for other upper level executives;
- assisting with corporate governance responsibilities;
- assisting in the execution of risk management processes;
- facilitating an integrated approach to ERM;
- managing specific risk types; and
- participating on risk management committees.
Three touchstones outlined in the article assist managers with problems that can hinder a successful ERM program. First, it is important to focus on top risks during implementation by keeping ERM simple. Resources can be wasted if the initial stages are not perfected before movement to a full-fledged ERM program. The use of automation to identify risks should only be done after management has manually identified the business’s top 20 to 40 risks. Software can be beneficial, but first management must understand ERM. Second, businesses benefit from utilizing a road map to track improvement in their ERM program. Internal auditors may recommend the use of an ERM maturity model. The maturity model will typically include the following items.
- communication of leaders within the business,
- type of management style used,
- adaptation to change and attitudes toward adjustment,
- coordination of business strategy with risk plans,
- human resource deficiencies,
- ERM training used, and
- intensity of management’s oversight of risk committees and employees.
Third, it is crucial to know what really matters. Do not cease looking at the big picture when meeting agendas become filled with operational issues only. Meetings should be structured around the top 10 to 20 risks that need to be addressed.