Implementing an effective ERM program

All organizations — no matter their industry — face business challenges, and their risks seem to be increasing in volume and complexity. In the past, organizations could rely on a traditional risk assessment to help them lessen their risk burden, but it’s no longer enough. Now the key to successfully meeting their challenges and mitigating their risks is by implementing an effective enterprise risk management (ERM) program. 

Recently, ISACA hosted a “fireside chat” during which Baker Tilly risk advisory professionals Matt Reierson, senior manager, and Joe Shusko, principal, talked with Michelle Bolger, the University of Illinois Foundation’s vice president of financial operations and controller. During their conversation, which Shusko moderated, the presenters discussed the foundation’s nearly five-year journey into the ERM process as it has worked alongside Baker Tilly. They looked at how the need for ERM arose for the foundation, the process around the implementation and the factors necessary for making it an effective program.  

Why organizations need ERM  

Organizations may believe they don’t need an ERM because of their size or industry, Reierson said, but every organization faces business risk, and therefore every organization should evaluate how it can improve its risk management. The approach does not require sophistication. Even if methodology for implementing components of ERM may be less formal and less structured, the basic components can be present. 

ERM will also help any organization meet its business challenges by establishing oversight, control and discipline to drive continuous improvement of risk management capabilities in a changing operating environment. It can redefine the value proposition of risk management by providing an organization with the tools and resources it needs to become more anticipatory and effective at evaluating, embracing and managing uncertainties.  

In fact, Reierson said, effectively functioning ERM infrastructures can become a root differentiator between mere survivors and pace-setters in an industry.  

Further, ERM will provide reasonable assurance to management and the board that its business objectives are being achieved. By creating a common framework that can be used by disparate areas within the organization, it also aligns and integrates varying views of risk management.  

Organizations have started to integrate risk management into their critical management activities, linking risk management to more efficient capital allocation and risk transfer decisions. They are aggregating common risk exposures across multiple business units with the objective of understanding the greatest threats to their enterprise value and then formulating an integrated risk response.  

Ultimately, what organizations are doing with ERM is elevating risk management to a more strategic level, which is what differentiates it from traditional risk management as that typically focuses on protecting tangible assets and related contractual rights and obligations – the emphasis of ERM is on enhancing business strategy. 

When organizations should implement ERM 

Every organization’s journey to applying an ERM program is unique.  

For the University of Illinois Foundation, Bolger and her team knew it was time for a more structured framework when they realized the risks and complexities the organization was facing were changing rapidly, they were lacking a formal approach and needed accountability. 

Because the foundation had support from champions on its board, Bolger said they were given the space to focus and the commitment of resources to build out a program that would give them an enterprise-wide framework and guard rails to help the foundation’s different departments stay on track to minimize their risk. 

That said, no two organizations’ ERM approaches will be the same as there are an array of approaches and choices when it comes to ERM. The nature of the industry will drive the risk and risk management practices the organization adopts to manage those risks. 

When evaluating the desired risk management capabilities in a specific risk area or areas, the issue is not about deploying the most sophisticated processes, competencies, technology and knowledge – it is about selecting the most appropriate processes, competencies, technology and knowledge. And that decision, made by management, should be made in the context of the strategy-setting process. 

For the foundation, the critical element to making its integration successful was buy-in from leadership, Bolger said. From the start, she and her team procured feedback from nearly 50 stakeholders. They also created a cross-functional ERM committee that meets on a regular basis.   

In the beginning of its journey, the foundation had identified its top risks but lost momentum after a certain period. Bolger said once it started working with Baker Tilly, the foundation refreshed its risks and priorities, clarifying whether they were in the correct categories as far as impact and likelihood. 

Her team then focused on the most important key enterprise risks from its enterprise risk assessment and assigned risk sponsors to each key enterprise risk to develop risk summaries that included documentation of current state and future state risk mitigation capabilities. These capabilities were in the context of policies, procedures, controls, competencies, reporting, methodologies and technologies. And they stay accountable thanks to quarterly reports to the audit committee. 

Establishing that cadence and the expectation that the leaders responsible for ERM are regularly communicating has built a framework in which management functions are viewed in terms of risk and risk mitigation strategies. They recognize the importance of ongoing discussions with stakeholders, and it has established an environment of accountability and transparency. 

Bolger acknowledged that the foundation’s path may have been smoother than others since it had support from the beginning, but she said education was key for those on the board who were not as familiar with ERM and its benefits. Being able to share with stakeholders why they should care about risk in addition to why they should be embedding risk and risk mitigation into their day-to-day activities was important. 

She and her team also didn’t want to make the process onerous, so they set small, incremental goals. Bolger said it wasn’t realistic to believe the foundation could accomplish a fully developed ERM program in one or even two years. Instead, they have used their goals to develop a long-term road map, with the understanding that the foundation will refresh its goals along with their mitigation plans every 18 to 24 months.  

What the necessary factors are for a successful ERM program 

One of the essential factors in the foundation’s progress, as previously mentioned, was starting with the buy-in of leadership and stakeholders. That is the first and most critical step, Reierson said. Setting the overall culture and tone at the top has a direct impact on the attitudes about the need for and benefits of a robust risk management process. He said when there are cultural barriers, it inevitably leads to resistance to spending time and energy on risk management. 

However, an ERM program works best when all key managers contribute as they all participate in the organization’s decision-making process. 

It is also helpful to integrate the ERM process into existing management processes, taking inventory of current risk management activities so it’s not viewed as an appendage or overlay, and it’s not some “add-on” work to do. An ERM plan should address the internal and external pressure points that created the need for change, and it should articulate to leadership the state of readiness for moving forward with such a program. 

The business should be grounded in the priority of risks and gaps as well as capabilities around managing those risks. From the beginning, stakeholders should understand that it is a continuous and evolving process, not something that could be accomplished in a year or two, Reierson said. 

Again, a successful ERM program will have realistic objectives that don’t exceed the organization’s capacity for executing against the plan, and it should establish periodic check-ins with management to keep the program on track and on strategy. 

That has been key to the foundation’s ERM success. Now that Bolger and her team are regularly communicating its ERM activities with the audit committee and board, the foundation is in the development stages for a dashboard that will highlight top risks, current mitigation plans and gaps. 

It's just the latest step for the foundation, but as Reierson said, ERM is a means to an end, but not an end in itself. It’s a commitment to continuous improvement as opposed to a project with a specific start and end date, and it’s building confidence, enhancing corporate governance, and aligning strategy and culture.