Organizations with immature risk management environments face challenges as they try to evolve. With minimal historical risk information to build upon and little to no pre-existing enterprise risk management (ERM) process, it’s difficult to see organization-wide risk clearly or ensure appropriate follow-through.
An organization’s risk profile constantly evolves alongside market, industry, and economic conditions and demands from an ever-widening group of stakeholders. Its ERM program must evolve, too.
Now more than ever, maturing risk management programs is a strategic business imperative. A robust ERM program can help your organization avoid financial losses, reputational damages, or catastrophic business interruptions while moving forward with more confidence. It can also be a powerful tool for identifying opportunities to create a competitive advantage.
On AuditBoard’s implementation team, we’ve assisted clients at different maturity levels in implementing risk management solutions. We also asked Matt Solomon, a Senior Manager in Deloitte’s ERM practice with deep risk management, resilience, and crisis response experience, to share his insights. Whatever your program maturity, these four key takeaways from our conversation can help you advance to the next level.
1. De-silo Risk Activities
Pain Point: Different business units (BUs) often manage day-to-day risk processes in silos, using their own risk profiles and ways of managing risk. Without cross-departmental collaboration, it’s difficult to understand, compare, or properly prioritize the true risks to the overall organization.
- Dedicate a cross-functional committee to discussing risk. Solomon says, “Consistent communication is key. Have leaders across the organization hold monthly or quarterly meetings to discuss risk issues. Your risk champions should have bandwidth, authority, and proximity to business activities.”
- Undertake organization-wide education. Set the expectation that risk is everyone’s responsibility. Use your committee to drive top-down (e.g., informing perspectives with strategic objectives) and bottom-up communication (e.g., surveying teams on local/departmental-level risks). Get everyone speaking the same language and using consistent criteria.
2. Engage the Right Resources
Pain Point: Many organizations lament having inadequate risk resources. In truth, it’s less about having 100% dedicated resources, and more about involving the right resources.
- Deputize trusted resources in each function. They’ll know their function better than anyone on the ERM team, and can act as agents to manage risk within it. Identify trusted resources who have the right knowledge and skillsets so that teams are comfortable raising problems, risks, and ideas.
- Define clear ERM roles/responsibilities. This is foundational to ERM program success.
- Assemble adequate resources for launch. Solomon advises, “Getting a risk program off the ground is the hardest part. Once you have a consistent process, it can be relatively simple to execute a basic ERM function. But it can be helpful to pull in outside help or rotate in resources from your organization to ensure a successful launch.”
3. Start Simple and Stress Consistency
Pain Point: While most organizations understand high-level risks and have some level of risk mindset, many lack formalized processes to support the build-out of a comprehensive risk framework. It’s challenging for teams to stay focused and ensure follow-through.
- Start simple. You don’t have to attain 100% “rockstar” status from day one. Build a basic framework around the core steps of identification, assessment, response, and monitoring/reporting. Consider the common industry practice of an impact-and-likelihood, residual-risk approach, and make sure it’s adaptable to each function. Add complexity down the road.
- Focus on consistency. Solomon explains, “Consistency allows structured discussions and comparability of risks. It requires anchoring yourself in a repeatable process.”
4. Use Technology to Level Up
Pain Point: Manual environments impede efficiency while increasing effort, given the need to gather and aggregate data from disparate sources, share it with stakeholders, calibrate, and iterate. Efforts get out of sync, teams struggle to keep up with data and discussions, and data accumulates, becoming hard to manage and true up.
- Use technology to centralize risk activities. Risk platforms like AuditBoard enable business units to collaborate in one centralized system that creates a universally accessible source of truth, avoids duplication of effort, increases efficiency, and empowers risk owners to manage risk via a consistent set of structured tools (e.g., centralized risk inventory, built-in risk assessment, and automation features). Says Solomon, “This takes some of the pressure off the ERM team to be the middleman handling communications. ERM is still responsible for facilitating the process, bringing in tools, and making risk conversations happen, but risk owners in different functions are accountable for tracking and making progress on risks.”
- Choose technology that can grow with your team/process. While smaller-scale or less mature programs may require ERM teams to maintain greater control, mature programs typically rely on risk owners to be active in monitoring/mitigating risk. Risk solutions should support both.
Taking Your ERM Program to the Next Level
By taking a thoughtful approach to maturing your ERM program, you can increase its value and impact across your organization. Breaking down silos, engaging the right resources, starting simple, stressing consistency, and using technology to centralize risk activities are accessible strategies for any organization. You’ll promote increased cross-team collaboration, greater efficiency, lower redundancy, and higher levels of engagement. By creating a better, more consistent, organization-wide conversation about risks and opportunities, you help people understand the risks that matter and take accountability for helping to manage them. If that’s not a strategic business advantage, what is?