Last week, we introduced the latest findings from studies of the RIMS Risk Maturity Model (RMM). In an effort to explain the model and results of the study more fully, it’s beneficial to break the RMM into each of its attributes. This week we’ll examine the first two attributes of an effective ERM program, ERM Based Approach and ERM Process Management.

ERM Based Approach

The focus of this attribute is to move organizations from an old, obsolete style of governance to a more holistic, integrated approach. Old-style governance is focused on regulatory compliance and silo-specific risk management. The problem with this approach is that it leaves the organization exposed to risk that isn’t governed by regulatory mandates, as well as cross-functional risk that may be systemic to the company.

We see examples of failures in this approach all the time. West Virginia’s water contamination crisis was caused by a series of risks with inadequate controls – the chemical tank was not adequately surveyed, the employees were not directed to immediately report the leak, even the water filtration organization wrongly estimated that it could filter the chemicals out. None of these entities were at fault from a regulatory perspective, but they were still on the hook for millions in remediation (the chemical plant filed for Chapter 11 bankruptcy in January).

An ERM approach moves organizations past regulatory concerns, which are only a subset of the overall risk universe. This requires a number of activities that the Risk Maturity Model identifies as drivers of ERM Maturity – tone from the top, assimilation into front line activities, risk ownership – which when combined result in a more risk-aware enterprise.

RIMS Risk Maturity Model: ERM Process Management

With a new governance mindset in place, organizations can move to applying a risk-based process framework of Identify, Assess, Evaluate, Mitigate and Monitor within each business process. The Risk Maturity Model assesses the degree to which these activities are pervasive inside business processes. Many executives misinterpret these processes as unique to ERM, when in fact the steps are iterative, constantly recurring within organizations but without any defined process or standardization.

The key to ERM Process Management is to create a common language and structure so areas can better transfer knowledge to each other where beneficial. This is done by integrating these framework steps into the business in a way that provides accountability, repeatability, and adequate reporting. A great example is the Vendor Management Governance function. Vendor Management is frequently tasked with identifying critical vendors, assessing their risk (e.g. “due diligence”) and then managing through mitigation (contracts, insurance certificates, etc.) and monitoring (shipping times, order completion).

The problem is Vendor Management, like other functions, is operating independently with too little information exchanged between Vendor Management and other governance functions.

Why is this important?

Strategic Imperatives are by nature cross-functional, but are rarely linked to processes and activities on the front line. When not linked, risks to corporate objectives are either not addressed or treated differently by the business processes. This alignment is a critical driver of ERM maturity. Organizations that can effectively communicate goals, not just at the corporate level, but down to the front lines, are better equipped to achieve results and elevate concerns.

Interested in seeing how this approach differs from traditional governance? Watch our short video on Strategic Risk Management.


Steven Minsky, CEO and Founder of LogicManager, is a recognized thought leader in risk management. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts in January of 2020 and swiftly published action plans to help organizations prepare.
