Fundamentals of Implementing Enterprise Risk Management


Many companies believe in the concept of enterprise risk management (ERM). But most of them are frustrated by implementation issues that have caused ERM to fall far short of its potential.

Where is the problem? 

How can we make ERM work better? John Wooden, a great basketball coach, says “There is no secret to achieve something. It’s all about fundamentals.” To make ERM work, you have to do the groundwork and start by working on fundamentals.

For ERM, “working on fundamentals” means establishing a company-specific ERM operational framework that transparently defines what ERM will mean for the company, and then using that framework to develop an ERM implementation plan designed for the success of the company. There are no “right or wrong answers” on how to implement ERM for a company, though it is a “right question” each company should ask itself. The success of ERM really depends on the particular situation of each company, with its particular culture, history, and management.

The Continuing Gap

The continuing gap between what senior executives see as the promise of ERM and the fulfillment of that promise is apparent not only from what our customers tell us. It also has been documented in ERM practices among companies in different industries. 

The gap between ERM’s promise and performance shows up in many ways, including the following.

  • Relatively low satisfaction that managers express with the tools and capabilities they think are available to manage the risk sources mentioned in the ERM programs
  • Relatively limited inclusion of operational and risk sources in ERM programs, despite the intent of ERM to cover both financial and non-financial risk sources
  • Limited integration of ERM with other functional areas across the company
  • Relatively low agreement on how to “institutionalize” ERM in the structure of the organization

The Operational Framework

Through our experience with clients, we have learned that to minimize the gap, companies need to have a transparent and measurable company-specific “operational framework” in place for ERM. If they don’t have one, they need to create one as soon as possible. They can use this framework as a temporary structure to develop a company-specific ERM implementation plan.

To establish the right operational framework, company leaders need to genuinely answer the important questions below:

Question #1: The first question is “What is the objective of ERM? That is, what are we trying to achieve with ERM that we cannot achieve otherwise?” Companies usually have the same general objectives for ERM programs. What makes a company’s ERM program unique is the relative priority the company gives to the following objectives.

  • Compliance
  • Defense
  • Coordination and integration
  • Exploiting current opportunities and creating value

However they are prioritized, the company’s ERM objectives should be measurable, and achieving them should demonstrably deliver the expected results. The payoff should be greatest in its impact on the performance measures that are used to run the company. This rule implies that the company already has clearly articulated and well-understood performance measures in place. To succeed, these objectives need to be established and continuously supported by senior management.

Question #2: “What is the scope of our ERM program?” Scope has two dimensions: the risks that ERM will cover and the management processes that ERM is intended to influence.

Risk types covered by a specific ERM program are divided into the following categories.

  • Financial—ex: investment, liquidity, credit, interest rate, asset market value
  • Operational—ex: technology, political or regulatory, people or intellectual capital
  • Hazard—ex: property damage, legal liability, natural catastrophe
  • Strategic—ex: poor planning and poor execution
  • All-encompassing—the ideal ERM, actually achieved; probably not necessary for many companies to achieve in the short term

An important principle applies when defining the risk types a given company will cover in its ERM program: company managers need to be attentive to, and manage in an integrated way, the risks that matter most to the company’s strategic goals.

Managers need to have a clear understanding of how the company is affected by those risks and why they are vital to the company’s performance. The second dimension of scope relates to the management processes that company executives want ERM to influence. Those processes generally include the following.

  • Strategic planning
  • Asset allocation
  • Capital management
  • Risk financing or hedging
  • Performance measurement
  • Internal audit
  • Mergers and acquisitions
  • Financial modelling

When setting the scope of their ERM program, company leaders need to know the scope of risks and processes that will help the company reach its ERM objectives. When determining the management processes to be affected, they need to be realistic about the degree of influence of the “ERM function”. The result of dealing with things sensibly and realistically is that the initial scope is often less broad than the long-term desired scope.
