This paper, authored by Neil Baker, notes how ERM has gained increasing attention in the current economic environment. Investors, regulators and chief officers alike look to managing enterprise-wide risks as a magic bullet to rebuild trust and prevent future major events like the credit crisis. In this article, Neil Baker looks to companies that have been engaged in ERM for the past several years. These companies appreciate the benefits, but cite obstacles to implementation. The major issues faced in implementation are:
- Lack of executive involvement in implementation process
- Auditor’s ownership role
- Complexity of ERM systems
Companies that have the most successful ERM systems make their starting point the risk management related procedures they already have in place. They utilize already recognized frameworks, such as COSO, and they emphasize successful risk assessment procedures already being used in the organization. Baker calls this “making ERM real” by dropping the language, sometimes even the label, of enterprise risk management. Creating a simple, consistent framework that does not reinvent the wheel or disregard what managers are already doing in their normal activities related to risk oversight makes ERM accessible and produces increased employee buy-in. The risk assessment processes utilized by each silo of a business should be incorporated and emphasized to help create the risk mindset across the organization. Using existing practices in an enterprise-wide system will help prevent burn-out associated with ERM.
Many companies are now implementing ERM at the request of the senior levels. While the CEO may express enthusiasm, continuing involvement in the entire process is necessary to really establish the tone at the top. Executives should not treat ERM as a project that runs itself once established; it is an ongoing assessment process that should start with senior risk analysis.
The article describes ERM as a journey, not a destination. While auditors may be best equipped to start the ERM process, they should eventually hand ownership over to a senior role. Every aspect of the organization, including internal audit, should continue the process of ERM. But rather than a periodic report by the audit team of what the company needs to do to mitigate risks, this should be an analysis by all the executives at the entity-wide level.
The overarching recommendation is to show value, keep it simple, and build real support when implementing an ERM system. Essential factors are to recognize and use current effective processes, and treat ERM as an ongoing program that needs the assessment and ownership of senior executives.