Ways to Strengthen Enterprise Risk Management Programs
A robust Enterprise Risk Management (ERM) program is based on the core premise of anticipating, predicting and mitigating the impact of adverse events.1 Consider the following practical, effective tips to strengthen your ERM program.
It starts at the top, but engages the entire organization. An effective governance model clearly defines who is accountable for the overall success of the program and fosters a risk management culture. Most organizations have a senior executive accountable for ERM.2 Involve members from key functional areas: Administration, Ethics & Compliance, Finance, Human Resources, Information
- Technology, Internal Audit, Research, Risk Management & Safety.3
- Ensure each area has a true subject matter expert with at least a basic knowledge of ERM principles.2
- Risk registers are effective tools for identifying risks. They don’t need to be built from scratch. Sample risk registers already exist, and are intended to be copied and modified to fit an organization’s needs.2 Travelers provides resources like this Business Risk Assessment that may help.
- Focusing on too many risks impedes progress. Research has indicated that organizations with hundreds of risks identified lack progress because they don’t have the resources to follow through on thorough assessments and mitigation plans.2
- Invert the 80/20 rule. Organizations tend to spend 80% of time just identifying risks, leaving only 20% of time to do something about them. Spend no more than 20% identifying key risks. Save the remaining time for risk assessment, mitigation and reporting.2
- Assess likelihood and impact. Consider starting simple by using a high, medium, low categorization. Mature organizations may use a Likert scale by assigning risks on Impact and Likelihood Score and then multiplying them to derive a Total Risk Score, which should be subject to further professional judgment to evaluate the ranking.3
- Assess risks on both an inherent and a residual basis.
- Risk aggregation is not a simple exercise. It’s a complex analysis of the correlation between risks.
- Prioritization is key. Prioritize risks that have the most potential impact, but shed light on the complete cost associated with a mitigation strategy as an important consideration. Be realistic about how to prioritize these risks.3
- Keep up with emerging and evolving industry risks. Involvement in internal risk committees, networking with industry peers and monitoring industry events are great sources for keeping up with emerging risks. Leverage the annual Travelers Risk Index survey results to see what risks concern businesses, and how those businesses are managing with those risks.
- Occupational health and safety are foundational to ERM programs. We know what impacts workers compensations costs and what contributes to employee accidents. Travelers offers its customers comprehensive tools, which may include on-site consultations, to promote health and safety throughout your organization.
- Follow through on mitigation plans and evolve plans as needed for optimal improvements. Incorporate ERM into your organization’s strategic planning process to align risks with important strategic objectives to foster implementation.
- Conduct regular program reviews. Involve all stakeholders. The goal is to assess strengths, weaknesses and opportunities. Hold administration accountable and identify gaps in plans.2 The ERM framework should evolve with the risks.
- Regularly reporting progress is a critical, but often overlooked step. Create compelling and clear ERM program updates for senior leadership to show how well the organization is prepared to respond to issues/events that could derail its mission.
1 URMIA Conference 2017. 2016 Enterprise Risk Benchmark Study of 29 Private Liberal Arts: Priorities and Learnings. Ed Hanna. RCM&D.
2 Risk Management: An Accountability Guide for University and College Boards. Janice M. Abraham. 2013.
3 University Risk Management & Insurance Association Conference 2018. A Case Study: Establishing and Implementing an ERM Program in Higher Education. Julie Zobel & Joyce French. George Mason University
More Prepare & Prevent
What could your company be doing to better manage cyber risk? Take our four-part questionnaire to find out.
Creating a safety culture in the workplace can help keep employees safe and prevent workplace accidents.