This time of year we focus on those things we’d like to improve in the coming year, and personal fitness and diet goals are frequently at the top of the list. But if you’re an enterprise risk management professional, you’re probably also thinking about ways that you can make your ERM process more effective in 2017. ERM is still a relatively new discipline and most organizations find that their ERM process evolves over time. I have never met an ERM professional who said their ERM process was fully mature. Rather, most note that there are one or more aspects of their organization’s ERM process that could be changed or refined to become more effective. So this year I thought I’d ask a number of ERM professionals what their specific “resolutions” are for their ERM programs in 2017 and what advice they would offer other ERM professionals trying to improve their ERM process.
One theme I heard several times was the resolve to drive the principles of effective risk management further across or deeper into the organization. Jeff Cantrell, ERM Program Manager at UPS, put it this way:
“The COSO definition of ERM includes the notion that ERM is a process applied ‘across the enterprise’. To that end, one of our ERM program initiatives in 2017 is to drive the principles of risk management to the business unit level; to ensure that not only are UPS’s strategic risks being managed, but that our local risks – the ones rooted in our operations – are being addressed as well.”
He plans to extend the use of cross-functional risk committees further across the organization. These risk committees serve as a forum for risk management issues and are particularly effective at overseeing risks that are actionable at the business unit level. These committees also provide an opportunity to educate those in the field on risk identification and mitigation, and provide the corporate ERM function with a “zoom lens” into specific risks that may be visible in the field but overlooked as the corporate function takes a “bigger picture” view.
Merri Beth Lavagnino, Chief Risk Officer at Indiana University, also wants to drive ERM practices further throughout the organization, resolving to “improve decision making throughout the organization by creating and promoting risk awareness and risk training materials that are relevant to employees at all levels and in all areas of our organization – not just the executives who are formally involved in ERM processes.”
Another common resolution was to get the ERM program more formally linked to the strategic planning process. This provides greater visibility to the potential value that ERM can add, particularly when ERM is used to support key strategic initiatives by actively identifying and managing the unique risks each initiative brings. If your organization’s ERM program is not yet linked to the strategic planning process, see our case study of three companies that have successfully linked ERM and strategic planning: Integration of ERM with Strategy.
Similarly, many risk professionals want better linkage between key objectives, the risks to achieving those objectives, and the actions that can be taken to deal with those risks in a way that can generate more business value. Larry L. Baker, who led the ERM function at a Fortune 250 energy company, offers this advice:
“If your ERM process has not been resulting in timely, meaningful action that drives business value, in 2017 consider directly involving an executive-level risk owner and VP-level risk champion in the ERM process to analyze and resolve an unacceptable residual risk that could have a significant impact on the business and achievement of key objectives. This direct involvement allows the executive to bring the right level of attention to the risk. The VP can then demonstrate management ownership of the risk by leading the analysis and involving a cross-functional team of subject matter experts to help clearly understand the risk exposure. The subject matter experts thoroughly analyze, discuss and document the contributing factors driving the risk exposure and the risk management activities in place to manage the risk. Once the analysis is complete, any gaps or opportunities for improvement can be addressed by an action plan specifically developed by the respected, knowledgeable business leaders. Once the EVP and VP gain the executive team’s approval of the action plan, meaningful action will take place to better manage the risk and greatly increase the likelihood of achieving the related business objectives.”
Philip Maxwell, Director of Enterprise Risk Management at Coca-Cola, wants to take his already mature ERM process to the next level:
“So far on our ERM journey, we have implemented an ERM framework globally, rolled out an ERM Policy to further strengthen risk management governance, and established routines that provide 100% risk visibility for all operations. To continue advancing our ERM program, during 2017 we will be keenly focused on turning risk data into risk insights. I am very excited that these insights will help improve risk mitigation plans, afford better risk monitoring as well as inform resource allocation decisions.”
And finally, at least one company believes 2017 is the year to step back and re-assess the overall ERM function. The ERM leader at that company plans to ask the key stakeholders in the ERM process, from the Board of Directors to line management, for candid feedback on what needs improvement in order for the ERM function to meet their needs. That process will likely generate some opportunities to improve the effectiveness of the ERM function.
What is your “resolution” for your ERM program in 2017?
As Executive Director of North Carolina State University’s ERM Initiative, Bonnie Hancock works closely with senior executives as they design and implement enterprise risk management (ERM) processes in organizations they serve. That hands-on advising leads to insights about techniques useful in addressing a number of practical challenges associated with ensuring ERM processes are value adding without over-burdening the process.