Any implementation of enterprise risk management (ERM) must first begin with a very clear definition of what it is.

“Simply put, ERM is the view and identification of risk throughout the organization and the steps that are being taken to manage the risk,” Richard Sarnie, vice president of risk management for The Great Atlantic & Pacific Tea Co., writes in an analysis titled “ERM: Do You Know What It Means?”

It's also important to know what ERM is not: a one-time project that can be crossed off a to-do list and forgotten.

“ERM should not be a buzzword or a project with a beginning and an end,” Sarnie adds. “It should be the way you manage your business.”

At the very least, a well-implemented ERM program reduces a company's exposure to market volatility by introducing controls to improve compliance, increasing interdepartmental coordination, improving its credit score and building managerial transparency.

The next level of benefit can involve saving some serious money.

During a panel titled “Designing an ERM Framework” at the Risk and Insurance Management Society (RIMS) Conference held in Philadelphia last month, Grace Crickette, chief risk officer of the University of California, noted that ERM can lower overall risk exposure, which means fewer and less-expensive claims, which leads to lower insurance rates and expenses—and which ultimately translates into improved debt ratings and lower borrowing costs.

At its best, ERM encourages companies to view risk not only as a threat that needs to be mitigated but as a competitive advantage that, when handled in the proper way, can mean robust top- and bottom-line growth.

ESSENTIAL STEPS TO IMPLEMENTATION

Carol Fox, RIMS' director of strategic and enterprise risk practice, has created a checklist of steps to get companies moving in developing their customized ERM plans.

An initial task, she says, is to define what an organization would gain from sprucing up its risk-management program.

“Organizations seem to fail in articulating the value that will be created from risk management, and too often the conversation is about ERM itself rather than the company's objectives,” Fox tells NU. “An organization that uses ERM only to protect value as a compliance function is not going to realize its full potential.”

Another critical effort is to determine the company's risk appetite and risk tolerance; that process begins with understanding what these terms mean—and how they differ.

“Risk appetite” is the amount and type of exposure that an organization is willing to take on in pursuit of its expected returns or in order to execute its strategy. Young, high-risk startups with little to lose usually have a high risk appetite, while companies that value stability and are heavily influenced by regulation and legislation will have a lower one.

In order to quantify risk appetite, financial executives must come up with a calculation that includes such factors as capital requirements, acceptable changes in credit ratings, and a supportable level and probability of annual loss. This will go into a risk portfolio that measures and monitors risk and reward trade-offs as they occur.

“Risk tolerance” identifies the boundaries of what the executive team is willing to lose. This is linked to risk capacity, or the maximum amount of risk that an organization can feasibly take on in the view of stakeholders—and the market. Risk tolerance is influenced by whether a company emphasizes value creation or protection.

Once these concepts are digested, it is important to research some of the existing standards and frameworks to identify which of their components pertain to your existing business practices.

Many organizations will be surprised by how many ERM mechanisms they already have in place. “It can be challenging for companies to take on a fully mature practice on the outset, and this is where enterprises begin to stumble,” says Fox. “You don't need a lot of resources, external consultants or to have a large budget for tools. I can guarantee that organizations are practicing ERM—but in a siloed fashion.”

A business should already know its exposure to environmental damage, theft, data breach, IT-infrastructure collapse, execution failure, a natural or man-made disaster, finance risk, and worker or public injury—and should have management programs in place to mitigate these risks.

If extra help is needed at this point, an ERM consultant, external auditor or broker may be hired to spearhead the coordinated effort between departments and to help organize paperwork.

NEXT STRATEGIC STEPS

The next step would be to develop a committee of operations, sales, accounting and legal stakeholders and educate them about their role in ERM implementation—essentially assigning them to be the owners of the risks they have ranked and identified. Each party should monitor these risks and report them to senior management on a regular basis.

In order to be feasible, the goals must be realistic (i.e., small and incremental). “Have people understand the materiality of the wins and focus on things that really matter to the organization's success and go for the low-hanging fruit,” Fox advises.

The development of “soft skills” is a must: the ability to communicate the positive value of risk management companywide. Articulate how every employee can contribute in their own way, because, to be successful, ERM must be a mindset shared across the organization.

In his analysis, Sarnie describes how one Fortune 500 company formed a finance council to monitor its ERM efforts. The group, chaired by the CFO and composed of all of his direct reports and the group's financial leaders, met every six weeks to discuss and publish the risks of each division, projecting them onto sales, new markets, the supply chain and international business penetration.

“This effectively covered all areas of risk the firm was encountering and left little room for surprise or error,” Sarnie writes.

After drafting and developing policies, companies should remain flexible about risks that are not quantifiable and those which may change the corporate culture or its perception, including even such factors as firing or hiring of individuals, which may affect the company's knowledge or experience base.

As it increases organizational ability to meet strategic goals; as it improves risk response and contingency planning and unit and management accountability; and as it drives efficiency in capital and resource allocation, ERM can be a key element in formulating a corporate culture that outperforms competitors in the tricky task of balancing risk and reward.
