There are many reasons why Enterprise Risk Management (ERM) programs stall, and sometimes even fail. But it’s not too late to give your program a kick start.
To understand why these programs stall, let’s first put ourselves in the shoes of the risk owner. At the beginning of the year, there is a brainstorm or questionnaire period where risks are identified and assessed as a group. After one quarter passes, the risk owner receives a notification asking them to update their risks. What does this mean to the risk owner when they are filling out these risk assessments? They begin asking a few questions, such as: Where does this risk assessment go? Am I really comfortable with my risk assessments? Isn’t this my perception of risk and not the actual risk? How do I know that this is an accurate assessment of my risk levels? What impact does it have to the organization? What is the value add? Why am I even doing this?
This lack of buy-in permeates itself into a culture of guesswork and pointlessness, which eventually leads to an unfinished and/or failed implementation. Is this the position you’re in? Don’t fret. We’ve narrowed down five steps you need to take to get your program back up and running in no time:
- Define your critical success factors up front for this initiative and get buy-in from board and execs of what these are. Come up with three points as to what will make this ERM program successful.
- Have a kick-off meeting by execs. The age-old saying that risk management is a culture and not a process comes from somewhere. The organization needs to understand that execs are setting the tone at the top.
- Tie in strategic objectives, key results and indicators into the risks. Most department heads/execs are tied to departmental objectives. What risks have been identified to block them from achieving these objectives? For example, low employee engagement scores for the HR team, or an increasing number of customer complaints for the Support team. Work with risk owners to determine what they would like to see in their risk profiles.
- After the assessment, there should be meaningful discussion of action plans. It is often more difficult to ask for resources to mitigate a risk, rather than asking for a resource that will block them from achieving their departmental objectives.
- Don’t be afraid of technology. There are some simple ERM applications that can get you up and running in a month without the massive cost of a long, drawn-out implementation. Resolver offers an out-of-the-box solution that doesn’t require teams to maintain it (yes, including IT). We make the data collection a lot less painful by allowing risk owners to fill out their risk profiles on their iPads and mobile devices in less than a minute.