This week I faced the ultimate personal test of my risk management skills, where I had to soul search: "Do I practice what I preach as an ERM expert?" Sunday, the night before the storm of the century, Hurricane Sandy, hit, I had tickets to fly to Texas as a speaker and expert on ERM. What would become of my home and family? Had I applied the same risk principles I use in my work as CEO of the leading enterprise risk management software company in my personal life? Had I put a personal business continuity plan in place for my family? Did I trust my risk assessment?
I thought back over my hurricane/nor'easter weather season risk assessment, mitigation and monitoring activities. Our house is not next to the ocean and is on a hill, so we didn't face the risk of flooding from Sandy. In May, I had installed a whole-house back-up generator that would automatically switch over if a loss of power were to take place. Over the summer I hired an arborist to inspect all the large trees around our property. Two 120 ft pines were identified as sick and weak, and the mitigation plan was executed to take them down. In September, I had the slate roof inspected and repaired to seal all cracks and possible leaks. Friday and Saturday, we followed a checklist of the usual items like water, batteries and food, and stored any yard items and furniture that could become airborne. I called our neighbors to update our contact info just in case something went wrong. I was confident I had identified the key risks in my assessment and had executed mitigation and monitoring activities to cover those key risks. So I went on my pre-scheduled business trip with confidence. That's ERM up front and personal!
So that brings us to the RIMS ERM Conference 2012 in San Antonio, TX. What is ERM all about? Why did nearly 200 executives gather from all over the country for two days of intensive learning about ERM best practice and technology application case studies?
What is the problem: How do we know what is happening to our businesses where the rubber hits the road? For a really recent example, let's look at what most of us did to learn about what was going on when Hurricane Sandy crashed into our lives. We first turned to the people we know and trust: our friends, colleagues and family. But that gives us an incomplete picture, so we typically turn to the news. Generally we see a top-down view from a satellite that shows the whole of the storm, but that also does not give us an understanding of what is really going on. So we also watch reporters out on the front line, with windblown hair and the rage of the storm behind them, to put it in perspective. In ERM terms, this is the view of the process owner, the person on the front line most familiar with what is going on in a particular area. Since the reporters cannot be everywhere at once, we also rely on iReporters who send in snapshots and videos from the field where the action is, so we can understand what is happening on the front line. This is how we get a clear picture of the storm: top down and bottom up.
Why is this important? ERM has evolved in stature from a proactive good idea and best practice to a regulatory requirement with significant teeth for non-compliance. Since the landmark SEC ruling that made risk disclosures mandatory, boards are personally accountable for effective ERM programs, and they face fraud or negligence charges if they cannot demonstrate and measure that effectiveness.
What the BOD needs to know: The Board of Directors and regulators need to know the real state of their ERM. How effective is the ERM program? In other words, can they demonstrate that all material risks are identified and sufficiently mitigated and monitored? How do they do this? First, they need to reach all business process owners and identify their material risks. Then, for those material risks, the actual mitigation activities need to be documented, and monitoring activities need to be conducted on a regular basis, typically quarterly.
How do you build an effective ERM program? Get the requirements from the RIMS Risk Maturity Model, a comprehensive set of building blocks that spells out exactly what needs to be done in actionable and measurable terms.
When I came home from the conference, the neighborhood was a mess of fallen trees and had been in a blackout for two days, but everything was fine at my household. My family had electricity, heat and hot meals. To an outsider it looked like business as usual, but an ERM professional knows what it takes to achieve business as usual in the face of adversity. This is what good ERM is all about.