In leading businesses, we have seen the idea of Enterprise Risk Management (ERM) evolve from a single, general risk department to fragmented risk teams like IT Risk Management (ITRM), Governance, Risk and Compliance (GRC), and Operational Risk Management (ORM). Many organizations now are looking for strategies to integrate ERM into their risk teams and their businesses. In this article, we will describe a three-step process to achieve a higher level of integration by recognizing the value of ERM, engaging with stakeholders, and leveraging technology.
1. Recognizing the Value of ERM
The first step in integrating ERM starts with understanding the value of a risk management function spanning across the organization. A value-adding ERM function operates at three tiers within a business — at the strategic, operational, and project levels. Strategic risk consists of the most critical threats and opportunities the organization faces that would make a material difference to its ability to achieve its main objectives or even survive. Operational risk includes the uncertainties related to business processes arising routinely in the business. Project risk involves detailed risks like investing in new facilities, launching a new product, or undertaking a business change initiative. ERM adds value by consistently linking the organization’s risk appetite and control environment, allowing leaders to take more thoughtful risks in pursuing opportunities that can lead to greater rewards.
2. Engaging Risk Stakeholders
In ERM, we constantly watch for emerging risks on the horizon that can disrupt our business, but ERM must share this information for the organization to find value. The key to the next step in integration is frequent and consistent engagement with the right stakeholders including the board of directors, senior management, business managers, process owners, risk practitioners, internal and external auditors, and regulators. Pooja notes that ERM engages with stakeholders through meetings and reports frequently, often monthly, in her organization. Information sharing sessions can influence discussion on risks identified that can impact the organization, results of risk assessments, and review of the risk mitigation strategy, including ongoing control monitoring.
3. Leveraging IRM Technology
The last step in integrating ERM into your business comes from leveraging purpose-built technology. As we said at the beginning, risk management has evolved into a set of fragmented business activities and teams, each with different agendas. Fragmented risk management is a common roadblock to efficient and effective ERM, and is one of the main issues we seek to overcome with a tech-enabled integrated enterprise risk management function.
Purpose-built Integrated Risk Management (IRM) technology enables ERM to bridge the gaps among fragmented activities and teams. In this way, all the risk management efforts throughout an organization are visible, and business leaders can make informed decisions about risks likely to impact their company. IRM technology, allows business leaders to link their desired business outcomes to key risks that have a significant impact on the company’s overall strategic objectives. This risk visibility and understanding propels informed decision-making and execution that is aligned with the company’s risk appetite. Once leaders have the necessary tools, they can achieve great results for their teams and the organization as a whole.
Integration Instills Greater Risk Accountability
When following these three steps, ERM acts as the guiding light that unites the view and understanding of risk throughout the business. ERM provides direction for the different risk disciplines like finance, IT, legal, operations, and compliance. As your ERM program matures, it delivers information, data, and metrics that can be linked to business managers’ and process owners’ performance and incentives — and that’s where risk management really starts to take off. Ultimately, a mature ERM program with established metrics and data sets will drive the actual performance not only of individuals, but also groups within the business as it drives risk-informed decision-making across the organization.
Pooja Knight is the AVP of Enterprise Risk Management and Climate Change Initiatives for Arthur J. Gallagher. She came to Gallagher with a blend of both industry and public accounting experience, and heads up the Global Enterprise Risk Management function in addition to sustainability activities including assessing Gallagher’s global carbon footprint and sitting on Gallagher’s Global ESG Steering Committee. Connect with Pooja on LinkedIn.
John A. Wheeler is the Senior Advisor, Risk and Technology for AuditBoard, and the founder and CEO of Wheelhouse Advisors. He is a former Gartner analyst and senior risk management executive with companies including Truist Financial (formerly SunTrust), Turner Broadcasting, Emory Healthcare, EY, and Accenture. Connect with John on LinkedIn.