How to Develop an Effective ERM Program and Prove the ROI
Enterprise Risk Management (ERM) has gained a foothold in today’s business environment. Since the enactment of the Sarbanes-Oxley Act of 2002 (SOX), public companies have taken steps to strengthen their internal controls over financial reporting and enhance their ability to comply with rules and regulations. For the past two decades, in response to numerous data breaches, accounting and corporate scandals—as well as increased enforcement of Foreign Corrupt Practices Act of 1977 (FCPA) violations by the U.S. Securities and Exchange Commission and Department of Justice—corporate boards have become more aware of, and management more focused on, governance and risk management. Many organizations have turned to ERM as a solution.
Not only does an ERM program help minimize risks and reduce the impact and severity of negative events, but it also allows companies to become more efficient, make better decisions based on data and create a risk culture. In fact, mature and successful ERM programs have been shown to reduce earnings volatility, strengthen capital position and increase profitability. But not all organizations are aware of what it takes to implement and operate a successful ERM program.
Below, we identify what all effective ERM programs have in common, three ways to prove the value of ERM and how technology like Resolver’s enterprise risk management software plays a critical role in the success of an ERM program.
4 Elements of an Effective ERM Program
ERM programs that have proved successful typically have several things in common, including buy-in across all departments, resources and money allocated toward the cause, continuous improvement of the program, and measurement of the program’s success.
Adoption across all departments
Sometimes we see ERM programs initiated at the request of the board, at the request of the CEO, or as a result of something negative that has happened to the organization. Whatever the trigger, organizations need the support, engagement and buy-in of the C-suite and top managers for ERM to succeed. There should be an appointed champion at the executive level who presents ERM program data and performance to the board of directors or the financial risk committee.
For ERM to stick, it is all about answering the question “why” and then empowering people, providing them with the tools they need, and giving them the autonomy to own it themselves so that it becomes part of the fabric of the business—not something that is imposed, but part of how they get things done. With this approach, the explicit link to the strategy, goals and objectives of the organization may be missing. When something starts up, it is brand new, it is fresh, it is the latest thing on the agenda, so a lot of people jump on it. But after a year or two, the interest begins to fade. So getting company-wide buy-in from the start—and keeping all stakeholders engaged and accountable—is one of the most important aspects of a successful, long-term ERM program.
Allocation of resources
Most risk assessment activity takes place when the executive management team has the time to do it, and that is typically not in the midst of planning and budgeting. Unfortunately, in most organizations the risk assessment takes place three months after planning and budgeting are done, which is when teams have time. However, that is not when you want to do it. Push for risk assessments to occur while upcoming plans are being developed and the budget is being devised, so that the program’s needs are reflected in both. An ERM program cannot survive without allocated resources.
Continuous improvement and evolution
Those who assume the most ownership of an organization’s ERM program have the task of continuous innovation. They should always be thinking, “How can I do things differently?” An ERM program needs to remain fresh. Failing to update and innovate leads to an ineffective ERM program.
Measurement of the program’s success
What doesn’t get measured doesn’t get managed. Many organizations with strong, mature ERM programs in place say measurement is key. They try to quantify their efforts and maintain leading indicators for risk and performance that show the delta between the work they are doing and doing nothing at all. Below, we look at ways to measure the value of an ERM program.
3 Ways to Prove the ROI of ERM
Many organizations ask, “How can I quantify or demonstrate the value of a program that is supposed to eliminate or mitigate the bad things from happening in the first place? How do I prove the ROI of something that doesn’t happen?” The following are a few of the most common ways to successfully prove the value of your ERM program.
Benchmark against companies with mature ERM programs
Comparing your organization against peers with mature programs gives you an external reference point. For example, a global study conducted by EY concluded that companies in the top 20% of risk maturity generated three times the EBITDA (earnings before interest, taxes, depreciation and amortization) of those in the bottom 20%.
Monitor key metrics
Some of the most important metrics used in valuing an ERM program include the total cost of risk, annual loss expectancy, risk coverage ratio and reputation quotient. Measuring these—and many other types of risk metrics—becomes a daunting task when relying upon outdated methods of measurement, like spreadsheets.
Attempting to manage company-wide risks with a series of jumbled, complicated spreadsheets is a recipe for disaster. Organizations should have a single technology platform in place to streamline the process of identifying, ranking and addressing risks, among other things. This software can show past mitigated risks, trending data, and the financial benefits of such actions.
Taking Advantage of ERM Software
Using dedicated software to manage ERM is a necessity in today’s business environment. Effective ERM software should provide management and end-users with the information they need to understand risk, make data-driven decisions and reduce negative impact. The software must enable risk owners to submit risk assessments effortlessly and share data across the entire enterprise, and it must align with globally accepted risk management principles and frameworks, including ISO 31000, Basel and COSO ERM.
What does the board of directors want to see when it comes to ERM? Most prefer a short, concise list of the top risks, confidence that the ERM program is designed and operating well, and an account of how the program is helping the company achieve its objectives. Your ERM technology should allow users to produce meaningful board-ready reports, access real-time dashboards, promote a risk culture through collaboration, and enable powerful automation. It should also:
- Manage and track risks across the enterprise
- Use heat maps to easily identify and prioritize risks
- Share data across risk, audit and compliance teams for a holistic view of risks and controls
- Enable consistent and organized monitoring of events
- Address qualitative and quantitative risks
- Identify instigating events
- Streamline risk assessments with automated workflows and notifications
- Provide real-time notifications to risk managers and owners when a KRI has been breached
- Activate mitigation plans when an issue has been identified
- Generate customizable reports and shareable dashboards
- Provide trending data to help ascertain future areas of potential risk
- Be adaptable to all necessary departments in a company
- Be easily updatable as compliance and regulations within your industry change
- Maintain ERM momentum
- Be fully customizable and responsive
With evidence that a company’s financial performance is tightly correlated with the level of integration and coordination across its risk, control and compliance functions, many organizations are now actively working to embed a risk culture throughout their business. While the ultimate aim is to fuel better performance and achieve a competitive advantage, many are realizing the wide range of benefits created by an enterprise risk management program, and software is helping them do just that.
In partnership with The Risk Management Society, Resolver hosted a webinar to answer questions many risk managers struggle with:
- How do you prove the value of an ERM program?
- Who is ultimately responsible for risk management?
- What metrics and KRIs should you track to measure the impact of your ERM program?
- How do you encourage risk-based decision-making across the enterprise?
- How can technology be leveraged to maximize the value of an ERM program?