Are you getting the expected value from your ERM implementation?
There is a growing focus on Enterprise Risk Management (ERM) as a framework for effective management decision making to optimise business results. We observe 3 major challenges to making ERM work in an organization:
- Common Understanding and Purpose
- Process Definition/Enablement
- Technology Enablement/Optimization
Common Understanding & Purpose
In the English language, the words ‘risk’ and ‘risky’ have very negative connotations, despite the fact that risk is present in the face of every decision, whether to cross the road, conduct a marketing campaign, engage a new customer, launch a new product or start a company.
“Opportunity” and “Risk” (“threat”) can be seen as two sides of the same coin – the ‘thinking hats’ required to acquire and assess all the relevant information needed to make key decisions, effectively and in a timely manner.
‘Risks’ cannot be regarded as isolated concepts, but as things that can affect the achievement of desired outcomes or objectives.
We need to socialise the concept that ‘risk management’, and the consideration of potential consequences/implications, both positive and negative, is a natural part of all decision making. This needs to be applied to all decisions, whether in respect of corporate objectives and strategy, annual plans, new initiatives, new markets, new products, new organisation structures etc.
The priority is in creating a culture where everyone factors ‘risk’/‘threat’ and ‘opportunity’ into their decision making, by considering all the available facts and evidence, not just those elements that support the outcome we desire.
In many ERM implementations we observe that the purpose is not universally understood and that ERM is rather regarded as “yet another admin-burden imposed by HQ”. Drilling down to the root causes for this, we see mainly a lack of clarity of purpose and effective communication on the “why” and “what’s in it for me”, and insufficient focus on managing the adoption throughout the organisation.
- ERM is first and foremost a PROCESS
- We need to understand the BUSINESS activities related to risk management, policy management, compliance management etc.
- We need to confirm desired OUTCOMES: objectives, goals and measurable results.
- We need to understand REAL working practices as they relate to risk management and response.
- We use this to understand and design/refine a process THAT WORKS.
- We need to drive alignment between stakeholders for successful ADOPTION and support the effective implementation of a BUSINESS AS USUAL process. We need to implement GOVERNANCE around the process and its continuous improvement.
As observed in practice, when one or more of the elements are not addressed or not correctly orchestrated, both Value and Adoption suffer.
In any communication on the ERM Process, it must be clear that ERM is a journey that the organisation embarks upon. We need to avoid the temptation to treat ERM as a discrete ‘project’. Growing understanding and maturity, changing business, priorities and risk appetite, and ever-changing external regulations and demands make continuous evolutionary refinement a necessary approach. But whilst ERM is a journey, we need a roadmap of key milestones along the way, to avoid ambiguity and to keep stakeholders and participants aligned on value delivered along the way and the eventual destination.
Without purpose, understanding and a process, technology implementations fail. However good the eGRC solution for ERM, Policy Management, Regulatory Compliance, etc., we achieve nothing without integrating these streams of activity with effective stakeholder engagement.
An effective eGRC solution, such as MetricStream (MSI), can help drive process adoption, understanding, collaboration and faster, better decision making. By having a single source of truth, constantly available across the organization, through smart search and discovery, an effective eGRC implementation can enable rapid analysis, diagnosis, decision making, planning and risk response.
When the Purpose, Understanding and Process issues are poorly planned and executed it is common for the tool to get the blame. Combined with technical implementation failings, this results in frustration across the process, technology avoidance and even sabotage of the overall purpose, process and tool.
Restart or Repair?
Is it ever too late to address deficits in a current ERM implementation? A lot of time, effort and money has been invested. Restarting from scratch is both a waste of money and resources and politically unacceptable in most organisations. When you look at and assess all the key elements, including purpose, common understanding, process and technology, and discover what is working and what isn’t, this can stimulate a plan to achieve roadmap milestones more smoothly.
We can help you with this assessment and, where suitable, support you in implementing both quick wins and a longer term roadmap with a supporting continuous improvement model. Our services range from business consultancy around ERM content, change management to improve adoption and process and technical consultancy on optimising the MetricStream modules in support of desired ERM outcomes.
What is your situation?
Does any of the above sound familiar?
If your ERM implementation is well on its way towards the intended destination, you may purely want an independent assessment.
If you are experiencing any of these challenges, you may want to talk to us and have an exploratory conversation.