STRIVE July 2017 | Page 28

The Trouble with ERM

By Erin Sedor

Enterprise Risk Management. It is a not-so-sexy phrase too often bandied about the upper echelons of management with little appreciation for the true meaning of the term, and quite frankly, little desire to pursue any comprehension beyond the ability to say “Yes! We do ERM!” While I’ve enjoyed many a Dilbert© cartoon on the subject, the fact of the matter is that ERM is as much about strategy as it is risk management, and can be a game-changer easily within the grasp of even the most modest operations.

The secret is understanding that ERM is a discipline, not a function, that requires integration across strategy, risk and resilience programs traditionally built and operated in silos. Unfortunately, while most best-practice models, standards and frameworks point to this interoperability, none of them spell out how to make it happen. And that, my friend, is the trouble with ERM.

When I first entered the world of risk management, I was incredibly frustrated at the lack of clarity in the voluminous materials that existed on the subject. Being a typical corporate manager pressed with too much work and not enough resources, I was looking for step-by-step manuals. I was naïve, and I came to learn that along with the science, there is an art to designing, implementing and sustaining broad organizational programs such as risk management, strategic planning and business continuity. Integrating said programs is yet another basket of worms, primarily because different departments are comfortable in their own silos.

...Stable organizations are proactive and nimble. They seize upon growth or quality opportunities because they have the time to look for them, they have the resources to pursue them, and they know how to execute their plans successfully.

However, if you look at the entity as a whole and consider the type and timeliness of information its leaders need to create success, you will see clearly the foundation for building integrated programs that cross functional silos and allow a vertical flow of information. If you aggregate this data in a meaningful way and add C-Suite expertise and experience, you will have an environment for strategy development, balanced risk-taking, and leveraged opportunities.

This scenario, which would give the organization an incredible advantage over their competitors, cannot be accomplished with a traditional risk management program. It requires an ERM discipline.

Organizations seeking to establish and mature into a true ERM capability can find the process daunting. There is a myriad of frameworks, theories and best practice standards based on industry, business model and public/private/non-profit sector. The risk management process itself is straightforward. Identify, evaluate, assess and treat risk. What is not so clear is how to successfully operationalize such a program in a way that creates synergy across the organization.

I know what you’re thinking: “We need to be selling, building, designing for and serving customers! That’s where the value is! That’s what keeps us in business!”

You are right, until your controller unwittingly sends a half-million dollars to a cyber thief posing as your CFO with valid email credentials and various other identification sources because the pesky security upgrade project was just not a