ERM
ERM is a practical, objective and valuable management tool. I define a management tool as something that supports and/or enhances management’s ability to successfully lead the organization.
ERM is an excellent tool to review the functionality and importance of each department. First, senior management should review and clarify the goals of the organization. Remember that “Mission, values and purpose precede policies, procedures and practices.” ERM is an important process that should be initially completed by the organization and reviewed annually.
The process should include senior management and have the support of the Board. Once the top 5 to 10 goals of the organization have been clarified and documented, each department should identify, clarify and document its top 3 to 5 goals and objectives. This annual review of the top organizational and departmental goals and objectives is something that most organizations are already doing. It is a review of the basics, a kind of “spring training” for the annual planning process.
The next step is critical and requires the involvement and commitment of department heads, senior management and the Board. After each department documents its top 3 to 5 goals and objectives, it must thoughtfully identify the critical functions that must be successfully executed for the department to meet those goals and objectives. During the annual performance planning process for department heads, your organization may already be tracking the success of the department head in identifying and successfully completing the critical tasks that must be accomplished. Again, the foundation of the ERM is an objective, practical and valuable management tool.
The next process in ERM, investigating and identifying risks that might negatively impact the critical tasks/functions of a department, is perhaps where most organizations fail to implement a winning ERM. John Rebelo, former CEO of PBSD, used to say that banking was a four-letter word, “risk”, and the goal was not to avoid risk but to understand and manage risk as best you can.
It is at this point in the process that it may be appropriate for an organization to engage a consultant to help identify which risks are meaningful, what the likelihood of an event is and what the possible impact of specific risks is. These risks are categorized using a “Heat Map”, from the highest priority risks to medium and low level risks. This Enterprise Risk Assessment can provide management with a very effective and efficient tool for managing risk.
After identifying risks that can negatively impact operations, the department must identify existing controls that are in place to mitigate these specific risks to specific critical functions/tasks of the organization. As in other Risk Assessments, the effectiveness of existing controls should be tested.