Transformation means “a marked change, as in appearance or character, usually for the better”. When we apply this to Enterprise Risk Management (ERM) within an organisation, it requires some refinement. We would suggest “transforming your risk management through maturity” means to “develop your risk management towards being fully grown by making a marked change for the better in both appearance and character”.
In order to do this successfully, there are a number of key ingredients to get right. The following are 7 of the most critical.
Your management’s and staff’s awareness, knowledge, attitude and culture are the most critical ingredient for successful ERM maturity. The key elements are that management and staff must:
In turn, this can best be achieved by:
Type “ERM Methodology” into Google and you will be swamped with thousands of opinions on different methodologies, frameworks and standards on risk management. It can be so daunting that “doing nothing” can seem the attractive option!
Unless you have a very strong opinion of what methodology you want, it pays to find a trusted partner: one that resonates with you, speaks your language and demonstrates practical risk management, and that can help you sift through the sea of guidance and show you the methodology that is right for you and your organisation.
You must have a governance structure that:
Like any new and evolving discipline, risk management has developed, and is still developing, a language full of lingo and acronyms. Some may be inevitable, but be aware that at times, as Bob Geldof once said, “lingo is the invented language to imply expertise”.
Consequently, we should use “real” language that staff can relate to. Similarly, we should minimise the use of acronyms.
Type “ERM Systems” into Google and you will get almost as many results as there are for ERM methodologies. Where do you start in selecting the right system for you? Some thoughts:
In many ERM processes, the majority of effort is put into collecting data, and less into turning that data into intelligence and reporting it to management and staff in a usable, relevant way that adds value. You should be able to work with the receivers of risk information and specify what information is required and in what format.
Your ERM process should be able to deliver that information quickly and in the exact format that is required. Reports and dashboards should be tailorable by the user so that they can make adjustments as and when required.
Too many risk management processes seem to focus on completion of the process and the administration rather than achieving the end result. You can feel like you are just filling up forms and collecting and posting data, rather than adding value. Administration and process should be kept to a minimum, and the time spent instead on the visualisation of the output and the action that it triggers.
This requires your risk management processes to be as streamlined as possible, the data collection to be tailored and easy, and, as a minimum, a focus on “why you do it” and not “do it because you have to”.
Once you have formed a view that you wish to transform your ERM to begin reaping the true benefits that it can offer, prepare a “blueprint” for what maturity looks like for you and over what period you wish to mature.
All steps from that point onwards should be moving you towards that blueprint.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).