Is there room for improving Enterprise Risk Management at my organization? (Yes, think strategically)
Your organization’s Enterprise Risk Management (ERM) activities are mature; your Board and Executive team are in alignment on expectations of ERM integration; your ERM program is unified with your strategic objectives and tied to performance.
Governance and oversight objectives are neatly aligned with performance, and ongoing monitoring of results is communicated effectively to further drive organizational decision making.
Your risk appetite is aligned with your strategy and is frequently re-examined to drive ongoing objective setting.
You monitor risk using detailed metrics and up-to-the-minute measurement of key risk indicators, leveraging myriad technologies and interfacing with third parties.
Emerging risks are identified immediately and incorporated into day-to-day decisions… ok, we’ll stop there.
If any of these statements ring true, congratulations: your organization may have a very mature and proactive ERM program. You’ve probably even instituted the components of the June 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO) publication Enterprise Risk Management – Integrating with Strategy and Performance (1). Or, perhaps your stakeholders view “Risk” as an annual process of one-hour meetings, followed by a PowerPoint provided to your Audit Committee.
If your organization has been involved in ERM for many years now, it’s possible that the program has become static. The initial excitement, followed by stakeholder acceptance of your ERM program, may have transformed into complacency over the years. Now may be the time to examine whether ERM is providing value, or whether it has become a check-the-box exercise.
When reviewing your existing ERM program to identify areas where it could provide increased value, a good place to start is examining where “Risk” falls in the strategy and objective-setting process.
If your organization is like many others, your ERM program may often feel like it’s on an island separated from your performance and strategy. It is not uncommon for the Board and Executive team to silo strategy from risk, or worse, they perceive ERM as an Internal Control activity fully separate from business objective setting.
As identified in COSO ERM – Integrating with Strategy and Performance, many organizations have historically used ERM to identify, assess, and manage risks to the strategy. However, the key risk to the organization is often the strategy itself: the possibility that it does not support the organization’s mission and vision, and the implications that follow from the strategy chosen.
The new COSO framework points out the importance of aligning ERM, strategy, and objective setting. It is organized around five principles, which COSO calls components:
1. Governance and Culture: Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.
2. Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
3. Performance: Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
4. Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
5. Information, Communication, and Reporting: Enterprise risk management requires a continuous process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
By focusing on these five components and incorporating the associated elements throughout the entity, your organization will increasingly view strategy and objective setting as dependent on ERM, thereby demonstrating ERM’s value.
Implementation may take many forms; for example, many organizations will align their mission, strategic initiatives, and divisional objectives to their ERM risks. Once linked, they will monitor mitigation activities, and this performance monitoring is a natural touchpoint with strategy setting.
Organizations should seek to change the view of risk monitoring from detective and reactive to predictive and proactive. Introducing a broader risk focus into the existing strategy and objective-setting processes requires valuable risk information. This means leveraging data and stakeholder knowledge on an ongoing basis to provide up-to-date information that allows for better decision making. Incorporating enhanced risk information into strategy processes will help Management understand the implications of its decisions from a risk perspective.
Importantly, no matter where your ERM program is today, enhanced coordination of risk and strategy setting will result in more knowledge-sharing and ultimately better-informed decision making.