In my previous article, I discussed assessing ERM maturity. Here I will run through the main points of implementing an ERM programme.
It is worth noting that every organisation’s ERM implementation programme should be based on its own maturity, objectives, requirements and applicable regulatory standards. However, the points below should help to benchmark your approach.
1. Assessment and Alignment
The first step is to conduct a comprehensive assessment of the organisation's current risk landscape, including both internal and external factors. This involves engaging stakeholders across all levels of the organisation to gain insights into existing risk management practices, pain points and objectives. At the same time, it is crucial to align ERM goals with the organisation's overall strategic objectives to secure buy-in and integration into core business processes.
2. Project Management
ERM implementation takes time and requires appropriate planning, resourcing and consideration if it is to succeed. Establish a project plan covering scope and objectives, stakeholder representation, agreed-upon deliverables, roles and responsibilities, and target actions and dates.
3. Governance
Establishing a robust governance structure is essential for the successful implementation of ERM. Determine the appropriate governance and oversight requirements, appoint a dedicated risk management team or committee, and integrate risk management into decision-making processes at all levels. Clear lines of communication and accountability are key to fostering a risk-aware culture throughout the organisation.
4. Risk Culture & Communication
Risk culture is what influences individual decision making and behaviour. Frameworks, methodologies and the like support it but do not drive it. "In a sound risk culture, everyone not only knows and understands the policies, but also shares the values behind them." (Lam, Implementing ERM)
Risk culture is driven from the top, but it also requires support and communication, often including educational sessions on risk management for the board, management and key internal stakeholders.
5. Develop an ERM Framework
Develop an ERM framework and policies tailored to the complexity of your organisation and its objectives. The key deliverables include: an overall policy document and mission statement; a Risk Appetite Statement and risk tolerance levels; a risk assessment and identification methodology, e.g. Risk & Control Self Assessments (RCSAs); a risk quantification methodology that integrates objectives and Key Risk Indicators (KRIs); and monitoring and reporting mechanisms.
6. Integration and Optimisation
To truly embed ERM into the DNA of the organisation, it must be integrated into existing business processes and systems. This may involve customising ERM software tools, providing training and education to employees, and incorporating risk management considerations into strategic planning, budgeting, and performance management processes.
7. Continuous Monitoring
As I have previously mentioned, risk management is a continuous process, and because risk is dynamic there is no end state. The steps above provide all the components needed to set up an ERM programme; however, clear performance criteria and metrics for the programme as a whole are also necessary. These include objective feedback loops and integration into overall business performance and outcome assessment.
Reach out to us if you need help with Enterprise Risk Management.
Ghassan Zeidan, Founder & CEO of Paragon Consulting Partners