Embedding Enterprise Risk Management

Research context

More and more companies are today embracing ERM, yet its implementation remains poorly integrated, with disparate practices grouped under the same label. To implement ERM successfully, organizations must look beyond technology and establish a culture of risk management throughout the organization.


ERM is adopted in organizations in various ways. The success of an ERM implementation depends on the pre-existing centers of control and practices within the organization. Considering the role that experts play in implementing ERM and the tools they bring into play, there is value in a holistic research approach to the implementation of ERM. This will improve the chances of a successful and sustainable implementation.

Research results

Successful adoption of ERM is more likely when risks are represented as ‘real’ problems for managers, instilling urgency in the form of a new moral vocabulary, and by visualizing impacts in a manner close to their actions and responsibilities, rather than just creating an audit trail of controls that exists primarily on paper. A key factor in this translation is the way experts operate and collaborate, constrained by the organizational space found within control frameworks and decisional centers. Greater social interaction is crucial for transferring cultural values, problematizing ERM and instilling apprehension in managers. ERM then moves from a black box of risks and solutions to a process of confrontation that can potentially prepare managers for a Black Swan. ERM is rendered a managerial problem only if these rationalities are reflected in operable technologies.


  • Arena, M., Arnaboldi, M., and Azzone, G. 2010, The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society 35, 659-675.
  • Power, M. 2009, The risk management of nothing. Accounting, Organizations and Society 34, 849-855.

Expert opinion

ERM as presented and updated by COSO, and also as elaborated for example in ISO 31000, may be best practice at a high conceptual level at best. The fundamental contribution of the concept is that organizational risk management does not consist of a set of isolated processes operated by risk experts, but that the risk management philosophy, resulting in risk assessment, control and monitoring, should be linked to and integrated with the existing organizational and business culture in order for it to be effective and eventually influence the very culture it is part of. This is a complex change process, and it takes time to reach a shared understanding throughout the organization of the need for, and contribution of, ERM, including the meaning and limitations of the concept, the expectations of its added value and the role of managers and employees in the implementation.

Best Practices

  1. Make sure the tone at the top is congruent and that one language is used. Do not introduce new functions or roles at the start of the project. I recommend starting the project by drafting an internal control framework that enables management and experts to align concepts, definitions and approaches, and that serves as the reference for all subsequent steps (see the example).
  2. Design the framework in a holistic manner, top down in alignment with mission and vision, and organizational specific. Make sure the implementation is bottom up, using existing tools, methodologies and logics as much as possible.
  3. Be aware of a tendency to overestimate risks at hand, while neglecting the big picture. At every level of the organization and at all process levels, the emphasis should be on risk appetite related to organizational goals and strategy.
  4. Distinguish between tools needed for analysis and tools needed for operational risk management. In general, use qualitative risk maps and spreadsheets as tools for discussion and to increase focus, but be careful about using them as operational risk management or reporting tools. For management and reporting purposes, look for opportunities to integrate ERM with existing tools/methods such as BSC, BPM, BCM, etc.
  5. Work with multidisciplinary teams, consisting of employees, managers and experts (controllers/auditors/risk managers) in assessing risks and controls.

For more information about Embedding Enterprise Risk Management, contact Jim Emanuels.