Steps to devising a successful enterprise risk management program
CHICAGO — More organizations are implementing enterprise risk management, but the effort often fizzles out quickly instead of growing over time, an expert says.
“We see over and over where organizations start out really strong and have executive support, but then they don't continue to steadily grow the risk management process at their organizations,” Steve Zawoyski, Minneapolis-based partner and enterprise risk management leader at PricewaterhouseCoopers L.L.P., said Monday.
“Everyone at an organization should understand their role and what the company is trying to achieve and how their role plays a part in that,” he said during the Risk & Insurance Management Society's Enterprise Risk Management conference in Chicago.
Even though no two ERM programs are alike, Mr. Zawoyski offered 10 ways to immediately improve a company's ERM capabilities.
1. Establish ERM program objectives: Understand the purpose in putting an ERM program in place, such as “we want to make better decisions,” he said.
2. Manage stakeholders: Aside from the board of directors, other groups involved in ERM include managers who want to know how to execute the strategy, the risk compliance group that wants information to help make better decisions and regulators overseeing the organization.
3. Align risk management functions: Coordinate reports from various areas, trying for presentations that have similar reports while recognizing overlaps.
4. Align risk and management processes: Learn how the organization manages the business today and try to align the risk process with that.
5. Define risk: Most of the time, risk is thought of as hazards or failures, but the ability to take a risk that benefits the organization is something that more companies are improving upon, he said.
6. Give credit: Understand the risk management capabilities already in place and examine risk-related information from others without unnecessary steps that add to the process.
7. Risk is a four-letter word: Risk is commonly considered to be negative and associated with failure. “Risks are nothing more than variables; there are also opportunities in taking risk,” Mr. Zawoyski said.
8. Eliminate categories: Dividing the risk into categories such as operational or strategic or technology can cause confusion. “In the end it doesn't make a difference what category the risk is in. What matters is that it is a risk to the business,” he said.
9. Conduct research: Prepare by developing a thorough understanding of the business and its drivers. “Risk managers need to be asking questions. When you talk about the business, the risk will come out of the conversation,” he said.
10. Simplify risk appetite: “Risk appetite should also be looked at risk-by-risk,” he said. “Current capabilities versus desired capabilities should be the organization's risk appetite. Ask, 'Will these management processes get us there?' ”