You’ve flown home from a phenomenally successful ERM Summit in Boston (November 18-19, 2024).
You are basking in the aftermath of receiving so many incredible ideas from a host of great speakers.
Great intentions abound.
One week turns into one month.
One month becomes a quarter.
You’re stuck. Nothing gets done on ERM.
To get over the hump, here are two steps that I believe are eminently doable and are common denominators of every successful ERM program:
Step 1.
Secure upper-management (and Board) support and backing for the design and implementation of an ERM governance structure and risk management framework (RMF), including agreement within the ERM program on who owns each risk.
Explanation:
I’m not suggesting this management approval is simple to attain but, without it, your ERM program is dead in the water.
Risk culture doesn’t drop miraculously out of the sky. It isn’t bought at some specialty store. It is deliberately cultivated through management support that leads to shared understanding and behavioral attitudes of the company’s employees toward risk-taking.
You need to show senior management what the end result is going to look like. You want to demonstrate how legitimate stakeholder questions around risk are going to be satisfied.
There’s no wiggle room in an ERM program. The all-or-nothing nature of this may seem daunting, but the critical importance of ERM in helping to meet the company’s high-level business goals must carry the day.
Step 2.
Install and embed an automated risk register process, centering around an efficient and configurable ERM tool, to drive your unique tactical execution of risk management.
Explanation:
ERM roles and responsibilities need to be formalized, in perfect alignment with the governance structure. Mere spreadsheets don’t cut it.
Then you need to get on with the business of managing risk, eliciting perceptions from subject-matter-expert (SME) risk owners. Get them to weigh in on identification, assessment, mitigation, and monitoring, over and over again.
Those are the two steps to sealing the deal on ERM: one foundational (governance structure and senior management support) and one tactical (an automated risk-owner survey and rating process that enables risk prioritization).
About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.