Failures in strategic planning and execution. Bungled social media. Early retirement of a (or return of a former) CEO. Private equity company takeovers. New federal reporting and control regulations. Cybersecurity breaches. Earthquakes and tsunamis. Political unrest. Governmental and commercial bribery. Employee embezzlement and financial fraud.
All of the above are real, demonstrable risks to today’s global organizations. As risks like these are increasingly realized, any lack of organizational preparedness can cause complete shutdowns, reduce shareholder value, and potentially result in skyrocketing SEC payments and disgorgements.
Smart organizations understand the urgent need for sound risk management on a global scale, and board members realize the need to be involved in risk identification, assessment, and monitoring. Enterprise risk management (ERM) is vital to the survival of modern-day organizations, and yet, according to an APQC survey, only 26 percent of organizations have extensive implementation of ERM. To avoid being caught off guard if a major risk materializes (and to keep individual officers and directors from being held liable or tarred as incompetent), companies need to understand what must be done to establish, develop, and refine ERM processes.
In its most recent ERM best practices report, Enterprise Risk Management: Seven Imperatives for Process Excellence, APQC uncovers best practices in creating and maintaining ERM processes and systems that allow for sound board oversight, refined identification and assessment processes, and agility in reaction time to new or previously unexperienced risk.
ERM IS STILL A NASCENT TOOL
Today, ERM process excellence means ensuring that the organization’s board of directors is kept well-informed and remains involved in productive conversations about risk.
Increasingly, organizations are reconsidering their compliance-driven ERM programs. As academic studies and real-life examples demonstrate, there is a value side to ERM that can be leveraged to increase shareholder value. ERM can do more than ward off long and painful disruptions of core strategy.
What this tells us is that those who recognize that ERM is on the cusp of daily relevance have the best chance of staying ahead of the game.
NEED FOR PROCESS RIGOR
Organizations that quantify and use strict risk identification approaches have effective ERM. Also, among organizations asked how many times a year they formally review progress on action items generated to mitigate strategic risk, those that review these action items continuously, quarterly, or even biannually largely find their ERM processes to be more effective. Of those that do not review them, or do so only once a year, the majority find their ERM processes barely or not effective.
WORRISOME VULNERABILITIES
One reason that organizations may not want to acknowledge and confront potential risks is a cultural perception that keeps them from advertising these risks, which are seen as “shortcomings,” for fear of being perceived as weak. Furthermore, many MBAs have not been taught enterprise risk management and have difficulty incorporating it into the fold of everyday considerations and operations.
APQC research finds that only 19 percent of organizations say that their ERM processes are effective at identifying new risks. Additionally, 61 percent of organizations do not systematically ensure that strategic plans properly account for risks that have been identified in the risk review cycle.
BEST PRACTICES OVERVIEW
1. Establish:
At this first stage, an organization’s senior executives identify and deputize an ERM leader. The objectives now are to define the process steps and name and train the people accountable for risks. The ERM leader must:
- Build a reliable and repeatable process for risk identification, assessment, mitigation, monitoring, and regular reporting to the board and top executive; and
- Train board members, managers, and other key stakeholders to use a common vocabulary and set of concepts that facilitate sound risk identification and management.
2. Cultivate:
The core ERM process is in place at this stage, and risk owners understand how and when they must contribute. The ERM leader focuses on improving the quality of risk conversations. The ERM leader must:
- Ensure the visibility of new or growing risks, and
- Creatively build a risk-intelligent culture.
3. Refine:
The organization now can manage not only the risks in the strategy but also the risks that may prevent strategic aims from being achieved. To fully realize the power of effective management of enterprise risks, the ERM leader must:
- Develop a way to demonstrate the potential financial impact of a strategic risk;
- Ensure that strategic plans include action items to address identified strategic risks; and
- Leverage technology for uniformity, collaboration, and risk correlation.
Bio:
APQC is a member-based nonprofit and one of the leading proponents of benchmarking and best practice business research. Working with more than 500 organizations worldwide in all industries, APQC focuses on providing organizations with the information they need to work smarter, faster, and with confidence. Every day we uncover the processes and practices that push organizations from good to great. Visit us at www.apqc.org and learn how you can make best practices your practices.
To learn how successful ERM programs work at companies such as the LEGO Group, Rockwell Collins Inc., and Exxaro Resources Ltd., be sure to read APQC’s new best practices report: Enterprise Risk Management: Seven Imperatives for Process Excellence and listen to the free webinar Enterprise Risk Management: A New Landscape Prompts Change.
(C) APQC – All Rights Reserved