Enterprise risk management is the newest buzzword, but the concept is actually not a new one. Only recently–with the meltdown of the financial sector and the economic slowdown–has ERM begun receiving a tremendous amount of publicity.
What exactly is ERM? My definition is holistic management of all material risk. Simply put, it is the view and identification of risk throughout the organization, and the steps being taken to manage risk.
If you search for a definition of ERM on the Web, you would see many explanations. This can be very confusing because of the broadness of the definition–it means different action items and components for every single company. Among the questions to help you define this process for yourself:
o What exactly do you mean by risk?
o How material are those risks to the organization, and what exactly does “material” mean to your company?
o What about corporate governance?
o Is there insurance involved?
o Who should lead this? Do I need a chief risk officer?
o How do I begin?
o How much will this cost, and what are the benefits?
The answer to the above questions is that it varies, which confuses the issue further. There are books, articles, specialty companies and departments that are all dedicated to ERM. There is even an “ERM for Dummies” manual.
Yet all the haphazard advice and differing opinions do not help firms implement ERM. What needs to be understood is there is no magic potion or plan for ERM to be implemented or effective within an organization.
Companies need to define their own process and customize it for themselves. Only then can you begin the process of implementing a focused ERM plan within your culture.
Remember Y2K? That was the fear back in the late 1990s about what effect the date change one minute after 12/31/99 at 11:59 p.m. was going to have on computer systems. I can remember reading about the prophecy of impending doom, and as a result, companies were spending millions on consultants and studies of what might go wrong.
There were many solutions created to protect against the potential catastrophe when we reached the year 2000–or Y2K. A cottage industry was born, whose sole purpose was to help organizations deal with this potential worldwide crisis.
Insurance companies went as far as to add Y2K exclusions to their policies in anticipation of this event.
At the end of the day, the predicted crisis never materialized. However, what it did do was force management to better understand their business and all the moving parts that affect it both internally and externally.
ERM is now the Y2K of 2009. What is vital to this process is what makes the world go around–money. The global recession, in conjunction with the financial meltdown of several large institutions and government bailouts, has brought the issue of ERM to the forefront as a “new” concept.
As a result, Standard & Poor's announced that it plans on evaluating a company's application and implementation of ERM as one of the credit rating factors when evaluating each organization.
S&P does not instruct companies how to implement and manage ERM. However, they will evaluate how well the company defines risk and what systems are in place to highlight them, then get them to the proper level of management so they are addressed in a timely manner.
In actuality, the practice of ERM has been used by various successful companies for years as the way they run their business.
Several years ago, I was asked by a journalist for my opinion on the concept of ERM. I responded that I preferred to call it holistic risk management (not ERM) and that any organization that managed their company properly did not need a chief risk officer, or a Risk Czar.
All risks boil down to money, and most organizations either have a chief financial officer or a similar position responsible for managing, controlling and overseeing the company's monetary activities.
This concept of holistic risk still stands true in my daily practices today as it did many years ago. Implementing ERM should not be as complicated or daunting as some make it out to be.
Who needs to be involved? Previously, I was with a Fortune 500 company I felt had perfected an ERM process complementary to their practices and culture. They formed an Internal Committee called the Finance Council, chaired by the CFO and made up of all the CFO's direct reports, their associates and the Business (Operations) Groups' Financial leaders.
He also invited the head of investor relations, the outside audit firm's senior partner and a representative from the general counsel's office. This group met every six weeks and had a working session discussing and publishing the risks of each division's business plan. The risks could be projected sales, new markets, supply chain, entry into new countries, etc.
He then would assign appropriate members of the council to work on these highlighted risks and report back at the following meeting on what steps were being taken to eliminate, mitigate or transfer those risks. This effectively covered all areas of risk the firm was encountering, and left little room for surprise or error.
On an annual basis, he reported the group's work to the Audit Committee and to the board of directors. This practice took place over a decade ago and was simply their standard operating procedure.
My point is that ERM is no great mystery. When done correctly, it is simply a well thought out and implemented business plan with sound management processes in place. So, why the confusion?
The reason for all the current discussion regarding ERM returns to not having a set definition and the disarray that comes along with trying to decipher something you don't understand.
I have seen companies trying to purchase computer software to identify and track risks. Accounting and audit firms present themselves as being able to help companies put ERM into place.
My recommendation is that before spending money on software or accountants, or anyone else referring to themselves as “risk professionals,” there needs to be a fundamental understanding of ERM and the risks facing your company first.
My recommendation is to implement the KISS (Keep It Simple) approach. Here are my recommended steps to begin achieving a productive ERM process:
o Identify a champion (someone to lead and manage the process). My recommendation is that the CFO needs to lead this initiative. If the CFO is not qualified to lead this exercise, then I recommend engaging the services of a competent risk management advisor who is well versed in ERM to help design and manage the process.
The next step is to gather all the pertinent internal business leaders and form a working group to manage the process and system.
o Define what dollar amount would be “material” to the entire organization. A loss of that dollar amount would either shut the company's doors or impact share price.
o Once the material dollar amount is identified, have each leader list what risks within their respective area could possibly bring about a material loss of that caliber. (This list should be short.)
o Have the group assign personnel to identify the steps needed to eliminate, mitigate or transfer that risk.
o Meet periodically to track progress against the action steps and continually define and improve the process.
o Once the material risks have been identified and steps put into place, the group then can broaden their definition of risk and begin the process of risk management for those non-material but large risks within their respective areas.
Once you have an ERM process in place, it becomes routine for your company. ERM should not be a buzzword or a project (with a beginning and an end). It should be the way you manage your business today and tomorrow–in other words, a way of life.
Richard W. Sarnie, CSP, P.E., is senior vice president and chief operating officer of The ALS Group in Upper Saddle River, N.J. He may be reached at rsarnie@als-uic.com.