Having led both strategic planning and enterprise risk management for large companies, my perspective is this: it depends. Let's break it down.
Yes. ERM is a part of making the culture. But in my experience, for ERM to be effective, there must be a culture of honesty, proactive leadership, open communication, and planning. Without these pillars, ERM will be nothing short of painful. Here's why this matters. What if there is a governance risk that needs to be addressed, but the governing leaders see it as a threat? I rest my case.
ERM does contribute to culture, because the process stimulates discussion and analysis about the environment and its impact on the business. But like all planning-related processes, there is some guesswork involved, and ERM is not a fail-safe method of averting disaster. It is a way of seeing it coming.
ERM is strictly about possibility and probability. There could be a storm tonight. The probability of it occurring is X. The impact is Y. If the probability is high and the evidence suggests the impact will be high also (e.g. the clouds are circling and the sky is green), then the response will be (hopefully) to batten down the hatches and stay in, etc. Regardless of the response, though, ERM is about taking chances with your eyes wide open. The key is to have intelligence and facts to paint the picture.
2. Strategic Planning
Integrating ERM into the discussion, supported by an environmental scan, can be a great way to inform strategy. Understanding the environment and both the opportunities and threats (upside and downside risk) is how strategy is formed. ERM does not mean not taking chances. But part of the framework needs to be an organizational understanding of how much of a risk taker the organization is. That's the hard part. It comes down to gut feel sometimes. The way I see it, planning to be prepared can't be a bad thing. Part of the discipline of ERM is being able to manage risk effectively as it occurs. An organization will never be risk free. The only question is, do you feel lucky?
An Integrated ERM and Strategy Planning Process
Think of two roads: Road 1 is strategy. Road 2 is risk. On Road 1, we look at the possibility of the future and plan the steps that need to be taken to achieve that future. On Road 2, we look at the possible events that could occur that might impact the strategy, both positively and negatively. One informs the other. Therefore, these two processes need to be integrated at the strategy level.
Here's a quick overview of how it fits together and what the process might look like.
1. Board sets the vision and strategic direction.
2. Management establishes goals, measures and targets.
3. Management prepares a fact-based environmental scan.
4. Two teams are established to review the environmental scan. Areas such as political, technological, people, clients / users, society, economic and other factors are taken into consideration.
Team A. Risk Event Identification (downside)
The team explores the possible events that could negatively impact the achievement of the goals. Each of the risk events that is identified is supported with facts as to what, when, why and how the event may affect the organization. The ERM team conducts analysis of the risks with the risk owners. The report includes ratings for Impact, Probability and overall ratings via voting. The risks are heat mapped. A report is prepared and presented to the executive.
Team B. Opportunity Identification (upside)
Team B is thinking about the future as it could unfold, and the possible opportunities that could emerge that the organization can capitalize upon. Each of these opportunities is supported with facts as to what, when, why, and how the opportunity could affect the organization's goals positively. For example, an opportunity to address employee morale could result in an increase of y% in employee engagement.
5. The teams come together to compare both views, to decide whether all the possibilities have been considered, and whether there is agreement. Both Risks and Opportunities are categorized and assigned.
Strategic-level items (the responsibility of the executive / board) become part of the organization's strategic plan as initiatives.
Operational-level items (the responsibility of the management / operational teams) are assigned to department leads as initiatives.
6. Action Planning
Opportunities (soon to be initiatives) are assigned for planning. The format is as follows: what will be done, when, by whom, resources impact (financial, people, systems, processes). Each plan is reviewed by the management team, and specifically those who support the plan (initiative owners, managers and contributing supporters), and signed off in agreement. Executive sponsors sign off. The document is rolled up (forming a draft plan).
Risks are assigned for action plans to be developed. The format is as follows: what will be done, when, by whom, resources impact (financial, people, systems, processes). Each plan is reviewed by the management team, and particularly those parties that support the plan (risk owners, managers and contributing supporters), and signed off in agreement. Executive sponsors sign off. The document is rolled up (forming a draft risk registry).
8. Resource requirements are submitted into the budget model and rolled up for impact. The executive / senior management reviews the budget and determines actions that are needed. Plans are adjusted accordingly.
9. The strategic plan is rolled up to include goals, measures, targets, initiatives, a risk registry and budget.
10. Communication and Accountability: hold a launch meeting and roll out the plan to all stakeholders as appropriate. Design a communication strategy that meets the needs of the various audiences. This will help to determine the method, format and content for each stakeholder.
11. Reporting and Feedback
Report against the plan to ensure progress. Check in on changes to the environment, both internal and external, and revisit the plan: its vision and strategic direction, goals, measures, targets and initiatives.
I believe that Strategy and ERM should be a combined / integrated effort to be led at the corporate level.
It should stand alone as a business unit with an objective purpose to facilitate and guide the discussion, document the accountabilities and plans, and lead the reporting process. The key principle of ERM is that risk is owned where risk occurs. Therefore, it must be cascaded through the organization as appropriate, where it must be managed and reported upon.
Goal clarity is a must but goals are in a continuous state of refinement. That is why they must be visited and reviewed quarterly in the reporting process, and annually in the planning process. ERM and Planning once again are inextricably linked when you consider the power of cascading plans.
One must consider the culture, and that is where the stumbling blocks often reside. A culture of fear, for example, will be highly risk averse and at times too frozen to have the discussions that need to be had. If the culture lacks honesty and courage, then it will be difficult to tackle the real risks that could bring an organization down, such as leadership risk and governance. Assessing culture is therefore a first step in the process, which includes establishing the governance and accountability framework (which may include a revision to the Board Terms of Reference), policy, process, framework, terms of reference, and language. From there, the next step is to begin to apply the process: try it on, find the difficulties, and determine whether the process needs to be adjusted or the education levels increased for the decision makers. This is where CEO leadership comes into play. When the going gets tough, someone at the top needs to keep the process on task and hold the team accountable.
In terms of deciding the scope of ERM, I would suggest the questions of how far, how fast, and what culture is required need to be addressed. ERM can focus at the corporate level first, where I would suggest the culture and appetite for ERM would be established. In my experience, ERM is as much a communication exercise as it is part of strategic direction and planning. It takes time to understand how to have the conversation, especially if people don't understand the words and the implications of those words. Goal clarity is a must also.
When we think of risk, we think of things going awry. Risk is a term that scares the bejeebers out of us. We are conditioned to believe risk is a bad thing. But risk is neither good nor bad. Risk is just risk. Risk is inherent in absolutely everything we do, every step we take, every breath we take, every action we undertake, every reaction. Risk is part of life. It is essentially the unknown, or what is unknowable. Risk is real.
In the planning world, where I spend the majority of my time, risk is there too. It is in the decision making, the process, the people, and the environment.
I recently attended a meeting of local strategic planners where the topic of risk was under discussion. The question was, should it be integrated into the planning process, and if so, how?
The answer is yes. Strategic and operational planning are essentially change processes that explore where to go, how to get there, and what resources are needed. Since risk is real, there are real risks that need to be considered.
I like to think of risk as upside and downside.
Investing in the market, for example, can create positive returns (upside) or not (downside).
Getting in your car and driving can result in getting to your destination (upside) or not (downside).
Going on a vacation can result in fun and relaxation (upside) or it can result in illness, bad weather, etc. (downside).
You get the idea. So risk identification needs to be proven. I would suggest that this work be completed by the risk owners and managers who have the most knowledge.
However, the not so easy part is proving and quantifying risk.
Getting back to what risk is: it is an event that can be described in tangible terms. The event must be fully described, tangible and supported by facts. When there are no facts or evidence to support the is essential. The discussion of risk identification and action planning should be integrated into the planning process, since the purpose of planning is to determine what level of risk the organization will take. It should be integrated into strategic planning. The "how" question requires a little more explanation, but I will explain what I believe works best based on my experiences with organizations.
1. Practice Foresight.
Risk is essentially the unknown. So try to become visionary. Look for what could happen in the external environment and the internal environment and ask yourself, how could this affect us? Play the "what if" game. What if interest rates soared to 19%? What would happen? How would we react?
2. Get the facts.
Now get the facts on these possibilities. What are the indicators that something is coming down the pipe?
3. Bring the facts together with foresight.
Share the facts with the fore-seers and visionaries, then go deep on the discussion. Think about the upside and the downside. Think about the possibilities. What would happen if . . .
4. Give it a number.
For probability, set a scale of 1 to 10, with 1 being unlikely and 10 being likely.
Risk Severity = Probability of Occurrence X Impact of Occurrence.
5. Heat Map it.
Look at how many trends are in the "red", or hot, zone.
What is the probability it could happen? What is the impact if it did? Now do the math. Establish a scale of 1 to 10 (for example) from unlikely to likely. Interest rate spike is