Why Settle For Less? Twenty (20) Elements in a World-Class ERM or GRC Program

A World-Class Enterprise Risk Management (ERM) or Governance, Risk and Compliance (GRC) program offers numerous benefits to organizations of all sizes and across various industries. Here are 20 key elements needed for the creation of an efficient, effective, and successful program:

1. Mission Statement

• Purposeful connection of strategy and tactics

2. Framework – Part A

• Strategic context (“Who are you and what are you trying to achieve?”)
• Without this, there is no reason for ERM or GRC

3. Framework – Part B

• Foundational underpinning (Culture and Governance)
• Connective tissue existing between strategy and tactics
• Underlying essence; these foundations are in place at all times

4. Framework – Part C

• Tactical Execution (4-Step iterative process: identify, assess, mitigate and monitor)

5. Governance Structure

• Clear-cut roles and responsibilities
• Best portrayal: Three lines of defense

6. Universe

• 4 categories – 3 common (“Finance”, “Operational” and “Strategic”) and 1 unique (“Core Business”)
• Dynamic; encompasses emerging risks
• Aligns with always-changing nature of risks themselves

7. Rating Scales

• Understandable
• Severity, likelihood, direction and velocity
• Inherent and residual

8. Policies

• Major risks (dozen or so)
• Each comprised of: definition; goal; roles and responsibilities (1st/2nd/3rd lines); appetite; tolerances

9. Language

• Succinct; simpler is better
• Don’t throw in unnecessary phrases (“I was able to…”)
• Precise; exact
• Iterative; over and over
• Powerful
• One shot; on the mark; needs to resonate
• Use present tense whenever possible (alive, here and now)
• Pragmatic (understands dynamics, keeps big picture in mind)
• Embedded and actionable
• Positive (figure out a way, convince)
• Purposeful and insistent
• Rigorous and disciplined
• Not merely esoteric, hypothetical or academic
• Put away the pom-poms; self-praise is no praise

10. Reporting

• Risk arrow heat map
• Risk owner report

11. Overall Cultural Model

• Code of ethics
• What do your people do when no one is watching?
• Behaviors you expect and tolerate

12. Risk Culture

• Shared understanding towards risk

13. Deputized Risk Owners

• Subject matter experts
• Hold them accountable
• Don’t be afraid to critique or challenge
• Ensure that people are not just going through the motions (e.g. no changes year-to-year)
• Educate them; understand this is not their day job
• Depend upon them, and their perceptions, heavily
• You are only as good as what they provide
• Be respectful of their time

14. Risk Owner Surveys

• Take the opportunity to ask special, “hot-button” questions each year
• Don’t overdo it

15. Risk Appetite

• High, medium, low
• Tolerances – exact point at which appetite exceeded

16. Configurability

• Collaborate with a vendor having a matching mindset

17. The Fuel of Passion Fuel

• Get excited and stay excited
• How many people have this opportunity?
• Keep turning insights into actions
• Don’t be dragged down by leanness of resources, staggering workload, sometimes-mundane nature of work or undervalued role by others

18. The Importance of Pride

• No slouching
• Do not accept a back seat
• No sloppiness or mistakes should be tolerated; prompts the question – what else is wrong? How can I have confidence in anything?
• It’s a huge job; don’t ever forget that
• Keep the mission statement in mind
• Cognizant of the overall framework that melds together strategic context and tactical execution

19. Transferability to Other Risk-Related Areas

• Every single risk-related area could benefit by adhering to these 20 elements

20. Risk Register

• Organizational (“tree”) view as well as workbench view
• workbench for risk owners
• doesn’t need to be exorbitant $
• seemingly fashionable these days to downplay or disparage importance of the risk register
• ERM One – a viable alternative to:
  • doing without an automated tool or
  • tolerating someone else’s system

Closing Thoughts:

• Get ready for the elevator speech
• Trapped in the elevator with CEO and asked to give him/her your impressions of GRC/ERM priorities in 30 seconds
• No excuses – take the time to do the dirty work beforehand
• Connect the dots, dot by dot
• Build the program, brick by brick
• Bold, presumptuous goal (“World-Class”)?
• Shoot for the moon; even if you miss, you’ll land among the stars
• Common denominators
• Better every day; better than yesterday
• Incremental improvements
• Keep attacking
• Heed the children book classic – “Little Engine That Could”
• Mission: reach the boys and girls on the other side of the mountain
• When it found itself in trouble in trouble, neither a shiny new passenger engine, with all sorts of compartments, or a big strong engine was necessary
• All that was needed was a little blue engine who “tugged and pulled”, “pulled and tugged”
• “I think I can” was converted into “I thought I could”

About the Author:
Michael Cawley is a risk management executive with a 35-year record of broad and diversified accomplishment in the strategic and tactical elements of corporate enterprise risk management (ERM). He performed day-to-day development and execution of a risk management program that covered all elements in the identification, assessment, mitigation and monitoring of all exposures within the corporate risk universe. Specific experience involved being a corporate risk manager for a service-related conglomerate (15 years) and then a biopharmaceutical manufacturer (10 years) before assuming an ERM governance and disclosure leadership role (10 years, through 2021) for a major worldwide financial entity. Currently, Mike serves as a Subject Matter Expert (SME) in an advisory role for ERM Best Practices for the advancement of DoubleCheck’s new ERM One™ application.