ERM Value: Building the Business Case
Steven Minsky | July. 29, 2013
The role of the enterprise risk manager has finally become clear: close the gap between strategic level risks and the operational risks faced at the activity level. Despite being a relatively new corporate discipline, expectations for ERM value are already very high. A recent poll shows us why corporations are desperate for ERM managers to be successful.
The poll, conducted by Harris Interactive of 23,000 corporate full-time employees within key industries and in key functional areas1 highlights some the challenges ERM is up against, namely, the inability of corporations to focus on and execute their highest priorities. Consider a few of their most stunning findings:
- Only 37% have a clear understanding of what their organization is trying to achieve and why.
- Only one in five was enthusiastic about their team’s and organization’s goals.
- Only one in five said they have a clear “line of sight” between their tasks and their team’s and organization’s goals.
- Only 15% felt that their organization fully enables them to execute key goals.
- Only 20% fully trusted the organization they work for.
If, say, a soccer team had these same scores, only four of the 11 players on the field would know which goal is theirs. Only two of the 11 would care. Only two of the 11 would know what position they play and know exactly what they are supposed to do. And all but two players would, in some way, be competing against their own team members rather than the opponent.
Getting an accurate pulse on strategic objectives is challenging, as these goals are cross-functional and effect oriented in nature, and as such are extremely useful for the board and senior executives, but are impossible to take action on without first breaking them down into root-cause, actionable, silo specific activities within an operational processes. This is where risk management plays a pivotal role.
To create value through ERM, organizations need to build a robust risk taxonomy, which provides a holistic view of all information and relationships across the organization. The risk manager is responsible for setting the standards, practices and procedures for effective risk management and embedding them in all existing business processes. Formalized risk assessments allow risk managers to leverage existing activities in an objective, quantifiable, repeatable manner to show how risks and activities at the business process level are impacting business goals, along with the priority and importance of these risks, activities, and goals.
A formalized risk taxonomy framework is a mechanism to collect risk information at the activity level, where most operational risks materialize, and aggregate this risk information to a level and format senior management cares about.