The primary objective of an ERM program is to make risk management an integral part of organizational strategic and business planning processes, as well as a regular part of decision making. ERM provides a framework for using quantitative and qualitative information to evaluate risks and opportunities. ERM can also help transform the organization’s risk culture from risk averse to risk optimized.
An ERM program can demonstrate value right away by broadening the conversations about risk. Beyond operational or insurable risks, ERM identifies risks and opportunities in various areas such as reputational risk, strategic risk, compliance, workforce and safety risks. These risks can be prioritized and evaluated in an Enterprise Risk Register. It can take the form of a heat map displaying significant challenges and opportunities. It’s a way to gather data to assess the risks and document countermeasures.
To ensure the Risk Register reflects the broader goals of ERM, the risks identified do not need to have a significant loss history or the protection of an insurance policy. For example, the risk of inadequate succession planning can be a high priority risk on an Enterprise Risk Profile. There is no significant loss activity associated with it, but the operational and strategic risks are clear – loss of institutional knowledge. There is also opportunity to be gained from retirements. An opportunity to increase diversity, to have the workforce reflect the community served and to find new and innovative ways to serve customers.
ERM is similar to traditional risk management when it comes to risk assessment (identify, analyze, select, implement, monitor). However, ERM aligns to the organization’s mission and objectives, and takes into account the amount of risk that leaders are comfortable taking. There are many helpful tools to reconsider how to think about risk. One such tool is the Risk-Value curve, which comes from the Consortium for Advanced Management International. It depicts the relationship between risk and value along four zones. In the first zone, risk is low but so is value. This area shows that too much emphasis is placed on mitigation and avoidance of risks. An organization that makes decisions in this zone is inefficient, prioritizing compliance and risk mitigation over opportunity and value creation.
In the second zone, risk is optimized. The organization is taking on risks up to its tolerance level and maximizing value. Once the high point of the curve has been passed, organizations are in a high risk-interaction zone and key risk indicators become extremely important. In the last zone, the organization may be in crisis mode and should actively seek risk management tools (insurance, crisis management, public relations) to pull itself out of the crisis and into a more optimized zone. Decisions need to be quick and creative.
Focusing on risk and value together starts to change attitudes about risk. Conservative behaviors around risk aversion and mitigation transform into a balanced and informed risk-taking culture. This can be the beginning of a risk culture change: attitudes shape behaviors which form culture.
ERM can help shift an organization’s risk culture away from risk-averse decision making by providing the tools and support for balanced risk taking. In this way, ERM can help an organization to meet objectives and make progress toward its mission.