Redefining Enterprise Risk Management

John Duncan, VP-Government Sector and Laura Jackson, Sr. Manager-Risk Management, ABS Consulting

John Duncan, VP-Government Sector and Laura Jackson, Sr. Manager-Risk Management, ABS Consulting

risk management is critical for an organization and a major function of executive engagement. To appropriately manage risk, the risk has to be defined by identifying what can go wrong, evaluating how likely it is, and determining the consequences. Although defining risk appears to be the easiest step in the Risk Management process, the first step is not even remotely as easy as it seems.

In recent years, the definition of risk management has changed. Today, Enterprise Risk Management (ERM) is synonymous with internal controls/activities that focus in most cases on governance, risk, and compliance. The unfortunate consequence of perceiving ERM this way is that- instead of truly managing risk, many companies have allowed ERM to devolve into a box-checking activity that allows the organization to pass an audit and helps achieve financial compliance. Innocuous as this approach seems, it is in fact, a trap.

To truly address risk, business leaders need to refocus on the core principle of ERM, the element that makes it comprehensive, strategic, and action oriented. ABS Group serves a global client base, and much of our work focuses on risk management and safety practices. Our staff are frequently called upon in the aftermath of a major disaster, often one resulting in the death of an employee, to assess the root causes of the failure and to help clients recover. As practitioners of ERM, we would prefer to preemptively apply our risk management experience and knowledge- helping firms avoid catastrophes, save lives, maintain leadership, and preserve the existence of the entire organization. The best companies will pursue ERM as an integral part of their strategic planning and management processes.

The key to achieving this objective is having a holistic ERM program that considers all aspects of an organization’s activities and addresses any shortcomings that are narrowly focused on internal controls and compliance. We refer to the new interpretation as ‘Adaptive ERM’.

ABS Group’s ERM-lens approach supports identification of both an organization’s risks and opportunities – which is the first step in building an effective ERM plan. This is supported by a repeatable and transparent process for developing prioritized actions- the company can take to pursue opportunities and mitigate risk.

Developing an ‘Adaptive ERM’ program helps an organization move beyond the second challenge a large number of companies are facing – effective implementation.

Some organizations are good at identifying their major risks, events that can lead to significant organizational change. They may even be good at developing plans to address the risks. But ERM is not complete until, there is an ongoing progress to implement those plans. and This takes executive commitment and follow through. The best organizations implement a Program Management Organization (PMO) to advance risk management initiatives.

The end result is an ERM approach that connects with the organization’s strategic plan, business intelligence system, performance measures, root cause analysis, and project management office support systems.

Many ERM issues lurking just beneath the surface have the potential to have near-disaster-level impact. One that seems to be prevalent in recent years is succession planning. In many government agencies, for example, Baby Boomers make up a disproportionate percentage of the workforce. These agencies are facing a tidal wave of turnover as employees reach retirement. Agencies stand to lose not only a large number of employees but also the core knowledge these seasoned professionals will take with them when they walk out of the door.

A number of executives we interviewed described succession planning as a top priority in mitigating risks relating to loss of expertise. These executives have identified a problem, but some are overwhelmed by the prospect of developing succession plans for as many as 40,000 people who soon could be joining the retirement rolls. When dealing with that number of staff, where do you start?

“Many companies have allowed ERM to devolve into a box-checking activity”

The answer is to apply a comprehensive, action-oriented ERM approach. By rating and ranking the major functions of an organization, executives can quickly identify areas where staff turnover would have the most detrimental effect. ERM actions, or ‘risk treatments,’ can be applied to those functions within an organization where the greatest risk reduction can be achieved.

Another very serious risk is cybersecurity. Although, companies have spent billions of dollars to protect their IT systems, there are major breaches multiple times each day. The traditional approach is to apply more layers of security, but as we know, the safest computing platforms are those that are disconnected from networks and are turned off. A holistic ERM approach allows organizations to assess the risk related to their IT infrastructure in the context of overall organizational risk. The result is often a better, integrated understanding of risks and a more appropriate allocation of resources to address them.

Most organizations focus their resources on achieving their goals. Executives should evaluate both how they are going to achieve their goals, but also how much enterprise risk they have in not meeting those goals. An efficiently structured organization does not have extra resources to draw from. That is why, it is essential to have a structured and systematic method for prioritizing time-critical risks and identifying opportunities to improve the focus of limited resources on executing the most effective actions. ERM should be an integrated element of the Performance Management System and a key focus of business planning cycles, following a regular process that guarantees progress by allowing risks to be identified and managed.

By implementing an ‘Adaptive ERM’ process and maturing it over time, business activities become risk-informed. The end result is that risk impacts are considered as part of a process, which improves the decision process and as a consequence, protects and improves shareholder value for businesses or mission performance for government agencies.