Enterprise risk management program should bring value to organization

Posted On: Apr. 22, 2012 12:00 AM CST

PHILADELPHIA—Risk managers implementing enterprise risk management programs at their organizations first must define what value ERM will bring their organizations, panelists said during a session at the Risk & Insurance Management Society Inc.'s conference in Philadelphia.

Ways risk managers can demonstrate value to senior leaders at their organizations include enhanced reputation, improved credit scores, risk avoidance through hedging and insurance, elimination of silos, and the ability to assess risk across the organization, panelists said.

But failing to tie an ERM program to an organization's strategic objectives can leave a hole in the value statement and result in the demise of the ERM program, said Carol Fox, New York-based director of strategic and enterprise risk practice for RIMS.

“Organizations are not only trying to protect value, but they're really looking at how to create value for the organization—and you can do that through ERM,” Ms. Fox said during the session.

Panelists offered attendees 10 steps to consider when initiating ERM programs at their organizations (see box).


ERM has reached a tipping point of acceptance, panelists said, and risk managers at organizations need to evaluate and understand nonregulatory risk management standards and frameworks.

There are various risk management models that provide guidance on how to structure an ERM program, such as ISO 31000 and BS 31100, but most practitioners are not following any one particular standard, Ms. Fox said.

“They're adapting,” she said of many risk managers, who are taking common elements from many models and building their own framework according to their business' strategy, risks and exposures.

Richard W. Sarnie, vp of risk management for Great Atlantic & Pacific Tea Co. Inc. in Montvale, N.J., stressed the importance of risk management departments spearheading ERM initiatives.

“The risk manager should be leading ERM efforts in your organizations,” he said, noting that risk managers should not be focused on just buying insurance. “It's the noninsurable risks that are taking companies down.”

“It's not about (property) hazard risks; we've got that nailed,” Ms. Fox added.

When approaching senior management, risk managers should define themselves as the ERM facilitator, Mr. Sarnie said.

“You're the leader, the expert on how to manage risks,” he said. “Stop talking insurance.”


Risk managers also need to identify who in the organization has a stake in the ERM discussion and develop a working committee of all stakeholders, including operations, sales, accounting and legal, Mr. Sarnie said.

“You need to have someone in the C-suite to be your sponsor and your champion to back you on this,” he said, noting that organizations often make the mistake of hiring consultants too early in the ERM implementation phase, which is costly.

“You have the talent and expertise in-house. It's just a matter of harnessing and putting it together,” he said.

A critical step when implementing ERM is to keep it simple, avoiding insurance language and terminology that often leads to confusion, panelists said.

To avoid losing senior management's attention and getting bogged down in too many procedures, Mr. Sarnie said to keep the process “cartoonlike.”

“Don't make a 20-page report to senior management,” he said. “One page: Here's what we're doing. Here's how we're managing it.”

As the process can be complex and daunting, it's important to have “people understand what they need to do or what they don't need to do,” Ms. Fox said.

Mr. Sarnie recommended that risk managers start by questioning which risks can most adversely affect their organization.

“You need to start small. You want to demystify the process,” Mr. Sarnie said.