The document outlines 10 easy steps to implement enterprise risk management (ERM). The steps include: 1) defining the value ERM provides to the organization; 2) researching ERM standards and frameworks; 3) inventorying existing risk management practices; 4) seeking support from executives and stakeholders; 5) keeping the ERM process simple; 6) starting small by focusing on a specific business area; 7) prioritizing quick wins by addressing risks that impact strategic objectives; 8) delegating risk responses to risk owners; 9) reporting on progress; and 10) institutionalizing the ERM process. The overall goal is to build risk management capabilities throughout the organization to support achieving its objectives.
10 Easy Steps to Implement Enterprise Risk Management

Carol Fox

At RIMS, we define enterprise risk management (ERM) as a discipline, not in the sense of
punishment, but as the mastery and continued maturation of risk competencies. Essentially, ERM is
all about building risk management capabilities throughout the organization.
As risk professionals, we often focus on ERM as an end in itself rather than a means to support the
organization’s objectives. But to be useful, that is exactly what it must center around: providing value
to the company.
Alas, there is no magic bullet to implement a program that will hit that target. But there are some key
guidelines you can follow. With that in mind, the following 10 simple steps may help guide you as
you begin planning your journey.

1. Define what value your organization will gain from ERM

Because it is so difficult to demonstrate ERM value through traditional investment metrics (return
on investment, return on equity, return on assets, or risk-adjusted return on capital), many companies
make the business case. This looks at ERM in four categories: shareholder value, risk mitigation,
process consolidation and silo elimination.
While these are worthy goals, they can be difficult not only to measure but to articulate to
management and the board. Since leadership is always focused on value creation, the link between
ERM and the organization’s strategy is often weak at best.
So how does ERM actually contribute to the organization’s value? How can that be demonstrated
and measured in terms that are meaningful?
You first have to discover what value your organization is trying to create, as well as protect. Is it
simply increased share price? Or is it reducing volatility to enable a more efficient use of capital? Or
perhaps, for non-profits, is it delivering more services to a broader constituency?
Whether value is expressed as market share, profit, service provision, donor levels, social impact or
some other benefit, how do the enterprise risk management competencies advance the
organization’s mission and related objectives? In other words, what business need will be met
through a structured ERM approach?

2. Research and understand different standards and frameworks

Advocates of certain risk management standards and frameworks may encourage you to believe
that there is one, and only one, “right” way to define and manage risk. If you operate in a regulated
environment, you indeed may need to comply with specific risk management standards. But risk
management practices tend to be universal and evolve over time, whereas standards (and
regulations, for that matter) may not keep up with more current, innovative practices.
Even so, learning about each of the major standards can generate ideas. A 2011 RIMS executive
report, “An Overview of Widely Used Risk Management Standards and Guidelines,” analyzed six
frameworks, and nearly all were found to be similar in certain ways. For example, each requires,
among other aspects, the adoption of an enterprise approach with executive-level sponsorship;
structured process steps, oversight and reporting of the identified risks; a risk appetite definition
with acceptable tolerance boundaries; and monitored treatment plans.
Although we uncovered a number of common elements in our research, certain success factors
were either missing or underdeveloped, most notably root-cause analysis and risk appetite
management. Moreover, we found that 44% of North American risk practitioners choose to adapt
their practices from a number of standards rather than adopt any one standard. Learning as much
as you can will give you a solid foundation to decide what elements are the most vital to your ERM
initiative.

3. Inventory what your organization is already doing

Many organizations already have controls in place for widely understood risks, such as business
disruption, environmental liability or worker injuries. It is likely that the individuals responsible for
these controls also conduct risk assessments. While this is not enterprise risk management, it is a
start. And understanding what your organization is already doing allows you to leverage existing
practices within a broader ERM environment.
Additionally, having a common, collective understanding concerning which risks should be accepted,
avoided, transferred (or shared), mitigated or exploited can reduce organizational dissonance about
what is acceptable to the organization’s stated objectives.

4. Seek support and help

Implementing an enterprise risk management program is not the time to go solo. Many parts of the
organization have a legitimate stake in the discussion, and they can become either powerful allies
or forceful detractors. The “power of one” comes into play in recruiting those who can make a
positive difference in your implementation.
Your most important advocate should be an executive sponsor—ideally more than one. Once your
sponsors are on board, determine who best understands the risks your organization faces. Many
successful implementers have formed a working committee of internal stakeholders, such as
operations, sales, accounting, legal and internal audit. If you include the leaders responsible for
management controls in a working committee, it usually accelerates collaboration.
Mostly, however, you should seek out people who are knowledgeable about your organization and
able to influence others, which means the cast may vary depending upon the scope of operations. If
your organization’s mission is innovation, for example, include leaders from research and
development. Or, if your organization focuses on education, include faculty leaders.
You may also want to consider external sources of support, such as insurance brokers, external
auditors or consultants. But heed this word of caution when engaging external supporters: be sure
to clearly communicate the specific role you want them to play. Sometimes, this may require a strong
nondisclosure agreement.

5. Keep it simple

Focus on the basics. Once you have established why you are implementing ERM, work to de-mystify
the process. Be able to distill your messages down to two-minute sound bites that explain, in plain
English, how ERM is different from previous approaches. Refrain from using jargon; choose terms
that are already understood in the organization. In the same vein, simplify process graphics to
illustrate the steps the team will be taking.
Remember to keep the message focused on the organization’s objectives rather than on the risk
management process itself. To the end user, the ERM program mandate is less important than
gaining value by making better-informed decisions about risk. While a formal training program may
be characteristic of a mature program, simple process training, using available tools and templates,
is quite appropriate when first getting started.

6. Start small

What should be the scope of an ERM implementation? A number of successful implementers have
begun by focusing on a specific business area or single goal. The state of Washington’s strategic
goal is to improve the health and safety for all citizens, for example, so its ERM goal became
fostering ERM implementation in all of its 165 state agencies.
While this scope may seem daunting at first, nine specific and achievable objectives—including
assigning risk management to a specific employee within each agency—were agreed upon over a
multi-year period. Parameters were set for success, and the scope of activities was limited in a
manageable way. By initially targeting implementation in a controlled way and monitoring progress
against a single goal, Washington achieved a higher overall commitment. And now the state has
something it can build on.

7. Go for the quick wins

Don’t try to cover every possible risk. Start with those that matter most for the success of your
organization’s strategic objectives. By identifying and analyzing the risks that may have a material
impact on the ability to execute strategy, the odds of creating value quickly are much higher. If you
prioritize by risk criteria—severity, importance or speed to onset—action plans can be executed
immediately and revisited to validate the chosen responses.
Understanding which risk criteria are important to leadership creates an opportunity for frank
discussions about just how much risk the organization wishes to pursue, both for specific objectives
and in the aggregate. These leadership discussions tend to reveal where the organization may be
culturally when it comes to risk-taking or risk aversion. Overall, this exercise can go a long way
towards establishing a barometer of the organization’s risk appetite.

8. Delegate “fixes” to risk owners

Who will do something about the risks? The obvious answer is whoever is accountable for managing
the business functions most closely associated with those material risks. For example, a chief
information officer may be accountable for managing risks associated with potential data breaches.
Not all risks can be neatly compartmentalized, however. Risks such as unauthorized social media
releases may not find a “natural” owner, but a specific individual still needs to be named. There
always should be one identified owner held accountable for the risk management plan decisions and
execution. This person will likely need to rely on others to make the plan work and manage
interconnected risks, but naming an individual risk “owner” will help move the chosen response plan
to action.

9. Report on progress

Progress reports highlight the difference that enterprise risk management makes in your
organization and should be reported in at least two ways: by material risk and by ERM program
progression. The risk owners should be reporting in their normal business updates on key issues,
such as the material risk outcome target, specific activities that have taken place since the last
report, challenges in executing the risk plan, and a trend assessment in the risk profile against the
targeted outcome. Periodic reports to senior management on ERM program progression might
include progress related to milestones for specific ERM objectives.
In Washington state, one of those milestones is the percentage of agencies that assigned risk
management responsibilities to a specific employee over defined time periods. One result shown in
a 2011 ERM progress report was self-evident: a liability reserve reduction of $600 million. And an
intangible result was that the organization improved its overall risk management capabilities and
competencies throughout its 165 agencies.

10. Develop your “soft skills”

How do you “sell” ERM within the organization? First of all, understand the dynamics of your internal
market. People “buy” what they perceive to be worthwhile to them and to their performance
objectives. The question you need to be prepared to answer is “what benefit will they gain if they
implement enterprise risk management practices?”
There is power in positive persuasion. Focus on the expected positive outcomes for the individuals
you want to engage rather than trying to convince leadership that “we have to do this to comply with
our ERM policy.” Above all, you need to be an excellent communicator with a specific value message:
“Enterprise risk management is a discipline that protects—and creates—value for the organization.
By implementing ERM, you personally will be able to deliver results with both tangible and intangible
benefits.”
Reprinted with permission from Risk Management Magazine. Copyright 2012 Risk and Insurance Management Society, Inc. All rights reserved.

About the Author

Carol Fox, ARM, is Vice President of Strategic Initiatives at RIMS, the risk
management society. A Miami University graduate, she has held progressively
responsible risk management positions in the customer care,
telecommunications, manufacturing, defense and insurance industries, at the
same time serving as an active RIMS member and volunteer. Carol served as the
chair of the U.S. ISO 31000 Technical Advisory Group on risk management
standards from 2015 to 2018, was a participant on the COSO ERM Advisory
Council for the 2017 revision, and serves on the Advisory Board for Miami
University Isaac and Oxley Center for Business Leadership. Known for her risk management
experience and writing, in 2011, Treasury and Risk named her as one of the 100 Most Influential
People in Finance.
SoftExpert ERM software enables organizations to identify, analyze, evaluate, monitor, and
manage their enterprise risks using an integrated approach. It brings together all risk
management related data in a single and comprehensive environment, including a reusable
library of risks and their corresponding controls and assessments, events such as losses and
non-conformities, key risk indicators, issues and treatment plans.

[Screenshots: Process-oriented risk identification; Risk repository]

The software serves as the foundation for the company’s enterprise risk management efforts
through its ability to unite and support different risk categories like strategic, financial, security,
compliance, environmental, assets, products, processes and projects. These categories can
be part of broader applications and risk family solutions, such as Operational Risk
Management, IT Risk Management and General Compliance Management.

[Screenshots: Risk assessment; Risk response planning and monitoring]

SoftExpert ERM is designed to be flexible and configurable, supporting both the risk
management standards defined by ISO 31000, COSO and PMBOK, as well as the company’s
unique requirements.

[Screenshots: Tests and Control Self-Assessments; Risk monitoring portals]

Learn More at: https://www.softexpert.com/enterprise-risk-management-erm/
About SoftExpert
SoftExpert is a market leader in software and services for enterprise-wide business process
improvement and compliance management, providing the most comprehensive application suite to
empower organizations to increase business performance at all levels and to maximize
industry-mandated compliance and corporate governance programs.
Founded in 1995 and currently with more than 2,000 customers and 300,000 users worldwide,
SoftExpert solutions are used by leading corporations in all kinds of industries, including
manufacturing, automotive, life sciences, food and beverage, mining and metals, oil and gas,
high-tech and IT, energy and utilities, government and public sector, financial services, transportation and
logistics, and healthcare.
SoftExpert, along with its extensive network of international partners, provides hosting,
implementation, post-sales support and validation services for all solutions to ensure that
customers get the maximum value from their investments.

SoftExpert Excellence Suite

The Roadmap for Business Excellence and Enterprise Compliance

More information: www.softexpert.com | [email protected]

Disclaimer: The content of this publication may not, in whole or in part, be copied or reproduced without prior authorization from SoftExpert Software. This
publication is provided by SoftExpert and/or its network of affiliates strictly for informational purposes, without any guarantee of any kind. The only guarantees
related to SoftExpert products and services are those contained within a contract. Some product functionalities and characteristics presented herein may be
optional or may depend on the makeup of the offer(s) acquired. The content of this material is subject to change without prior notice.