Enterprise Risk Management (ERM) is the process of planning, organizing,
leading and controlling the activities of an organization in order to
minimize the effect of risk on that organization's objectives.
It extends well beyond run-of-the-mill daily operational management. A true ERM
program expands its scope to strategic, financial, reputational, human
resource and business continuity risks as well as operational and legal risks.
Most organizations, as they mature, embark on a journey of establishing a robust
Enterprise Risk Management (ERM) program. The five-step plan outlined here
can be used for rolling out any organization-wide change.
Step 1: Organize effort for a
successful change
- Identify your team! Make this group a
core part of the ERM work
- Assess current organizational change saturation and
establish a process to address any roadblocks
- Engage the Executive Leadership Team (ELT) for
support
- Have a clear plan of action
- Ensure that ERM becomes a strategic priority
- Be flexible when creating an ERM process because it
needs to work for your stakeholders! Design with customers and end-users
in mind.
Step 2: Establish a framework around
risk
- Customize a standard framework to meet your organizational
needs
- ISO 31000 and COSO are good starting points to
explore
- Capture risks, both prospectively and retrospectively
- Create a process to link captured risks to strategic
planning and organizational decision making
Step 3: Create a profile of top
risks
- Create a process to prioritize top risks in each of
your key areas
- Develop or adopt an organizational risk matrix (likelihood against impact)
- Use departmental risks to shape organization-wide risk
profile of top risks
- Create a one-page summary for the Board of Directors,
CEO and ELT
- Keep the profile current by reviewing risks on a
regular basis
“Top Risks” is the most important
list of risks you may ever create! The profile of top risks of an organization
allows the CEO and the Executive Leadership Team to focus on the most urgent
and burning issues faced by the organization. It may also include opportunities
waiting to be tapped into. These risks usually reside in the red zone of the
organizational risk matrix. The profile allows stakeholders to identify, understand and
communicate the significance of the risks so that action can be taken.
Step 4: Review mitigation plan
- For each identified Top risk, work out a plan to
minimize or mitigate the risks
- Create infrastructure that supports mitigation
plan(s) and promotes actionable environment
- Keep the plan SMART! (Specific, Measurable, Achievable,
Relevant and Time-bound)
- Communicate plan(s) and integrate efforts for
broader engagement and ERM awareness
Risk mitigation plans, when created
using the ERM approach, prevent the organization from falling into the trap of
isolated and fragmented risk management. A big part of ERM program
success depends on the effectiveness and execution of the mitigation plans for the
identified risks. In the majority of organizations this is the weakest link of
the ERM program.
Step 5: Review and take action
- Make tracking of actions easy and visual
- Identify gaps or lack of action
- Set clear accountability structure
- Empower those who are accountable
- Coach and support as necessary
- Ensure that risks remain within defined risk tolerance
Having a plan which is not
actionable is worse than not having a plan at all! The ERM program allows the
board and executive team to define the organization's “risk tolerance”: the
level of risk the organization is willing to accept, in other words whether it
is content with the status quo or wants the risk reduced. When a risk falls above
or beyond that tolerance, action is required.