Begin with the end in mind. -Stephen Covey
Our previous article laid out 7 steps to restoring credibility and importance to the ERM function for organizations. In this article, we address the two most fundamental questions that ERM professionals frequently overlook:
Hint: They are often misaligned.
In our experience, ERM organizations can evolve through three stages of development, although most get stuck in the process. The lines between the three are not fixed, of course, but the roles provide a good starting point for you to evaluate where you are currently and where you want—and need—to be.
The progression is as follows:
In approximately 40% of the organizations we know or have worked in, ERM assumes the “Loyal Servant” role, and rarely evolves much beyond it. This role emphasizes procedure over content, and favors acquiescence over confrontation when dealing with individual business units or the organization as a whole. The Loyal Servant role aggregates rather than integrates information, and its Risk Management efforts deliver rather than interpret data in its interactions with the C-suite and Board. Mitigation efforts tend to be limited in scope and non-controversial (e.g., ergonomics and other workplace safety issues), and ERM understanding of core business processes and risk nuances is weak. Because the unit focuses on procedural adherence and only on very limited process improvement or change management, it uses rudimentary technology (disparate spreadsheets) and risk classification categories, and has limited exchange with LOB risk owners. Furthermore, it has little if any Board visibility and carries little strategic weight. This type of ERM unit is largely perceived as “bureaucratic” and ineffective, and appears to reinforce the perception of ERM as a “check the box” exercise for the organization. The biggest challenge here is gaining relevance.
Another 50% of organizations succeed in developing more advanced ERM skills, and ascend to the “Watchdog” role. Watchdog organizations generally possess broader business knowledge and better technology (often including multiple Risk Registers / ERM systems), but struggle to integrate them. Although Watchdogs typically monitor KRIs and provide input to their development, they rarely lead the development process. They employ standard risk classifications, e.g., Probability vs. Severity (H, M, L). Their relationship and involvement with individual business units or risk owners varies greatly, i.e., close partners with some, distant from others. Watchdogs typically report to the Board at least annually on the top risks that the organization faces. Their focus, however, remains more on KRI trend reporting rather than true synthesis or holistic integration. They monitor traditional risks, such as Finance, IT, and Operations well, but don’t exhibit a great deal of creativity in exploring newer areas such as Cyber, International, or the identification of correlated risks. They are often perceived as simply covering the same ground as—or second guessing—the business units. This often creates friction across the organization, and the LOBs can be somewhat dismissive. The ERM staff does understand the business reasonably well and can contribute more than they do. But they often feel that they just don’t have a strong enough mandate to do so.
Only about 10% of ERM organizations grow into the “Business Partner” role within their respective companies, thereby achieving the highest levels of effectiveness. Their stature derives from three elements:
These ERM organizations provide strategic value by creating a holistic perspective on the enterprise’s total risk posture as it evolves over time. The unit typically concentrates its efforts not on evaluating the existing LOB mitigations around established risks, but on defining the interactions between those risks across LOBs, defining their interactions with new and emerging risks, and creating mitigation plans for those exposures and potential risk cascades. This provides unique value to the enterprise, as ERM is the only group with the mandate and the capabilities to view risk from this perspective. Enabling technology typically allows risk prioritization and focuses ERM attention on the highest-value priorities. Many of these organizations are currently determining how to integrate AI into these efforts.
The three key questions for all CFOs, CROs and Risk Managers should first be: where are you, what do you want to be, and how can you best serve or save your organization? In our experience, we have often found significant divergence between ERM’s internal perception of itself, and the perception its corporate partners have of it. You may want to begin by surveying your senior management on what they expect or would like of you and then conduct an honest evaluation of your current skills and existing activities.
So, what should you do NOW?
This assessment tool should assist you in structuring your ERM discussions, framing important issues, and gaining clarity with Senior Management on ERM’s ideal role within the organization.