Getting Started with Enterprise Risk Management
Risk can never be eliminated but it can be mitigated. In today’s post, we’ll take a look at how organizations can get started using Enterprise Risk Management (ERM) to reduce their exposure and improve their resilience.
Related on MHA Consulting: The ABCs of ERM: The Rise of Enterprise Risk Management
Introducing Enterprise Risk Management
In addition to being a business continuity consultant, I’m a business owner. As such, it would be hard for me to overstate the relief I experienced a few years ago when I got serious about applying ERM methodology to the risks faced by MHA. I’ll talk more about that in a moment. For now—for most of this blog post, in fact—I’d like to provide an introduction to ERM and suggest how organizations can get started in applying it.
Enterprise Risk Management is the activity of identifying and mitigating the hazards that threaten an organization (definition from Strong Language: The MHA Glossary of Essential Business Continuity Terminology, available for free download with registration).
Risk can never be completely removed, but it can be mitigated. ERM provides a framework for doing this in a systematic, results-oriented fashion.
ERM is all about reducing. It helps organizations reduce risk, outages, impacts, and costs, such as insurance costs.
ERM also increases a few things. It increases the organization’s chances of being able to carry on its most important and productive activities steadily and safely. (It also increases the chances the organization’s leaders will sleep soundly at night, but I’ll get to that in a moment.)
Putting Their Head in the Sand
Many organizations put their head in the sand when it comes to assessing the risks they face.
Many that do incorporate risk management in their operations do so in a half-hearted way. A lot of times, ERM is built and implemented and . . . neglected. This fritters away ERM’s potential to minimize risk and maximize business opportunities.
Organizations that follow this pattern might talk about risk with their staff once or twice a year then forget about it on all the other days. Such organizations don’t really practice ERM. They follow what I call the “Good luck, people” school of risk management. They wish their employees the best and leave the rest to chance.
The Telltale Signs of Good and Bad Risk Management
When I visit a client’s facility, whether it’s an office, manufacturing plant, data center, or something else, I can tell quickly whether they manage risk well or not. Usually, you can get a clear picture by walking around and asking some basic questions.
I look for such things as how the plant operates, what safety measures they follow, what sort of backup power supply the site has, whether they have network redundancy, and how they manage risks related to their control systems and critical suppliers. For a company that does a lot ofbusiness overseas, I might look at how they mitigate risks related to currency fluctuations and geopolitical events.
It’s at this level that ERM moves from the abstract to the specific. It all comes down to details. Successful ERM is about understanding the details, getting them right, and working on them consistently, rather than talking about risk management once or twice a year.
How to Succeed at ERM
An ERM program needs one thing to be good. It must become a truly active part of the business from the highest levels to the lowest. The companies that do the best at risk management apply ERM from the top down and consciously make it a part of their everyday business.
Companies that excel at risk management also have an ERM office that truly understands risk. They know how it affects the mission, which risks should be mitigated, and which can be lived with. They are well-versed in the four main risk mitigation strategies of risk avoidance, risk transfer, risk limitation, and risk acceptance. They also understand how an effective ERM program can be leveraged in discussions with insurers to reduce insurance costs and increase coverage.
Good ERM doesn’t stop at identifying risks. It prioritizes taking action and gives people the authority to do things that actively bring down exposure. ERM is about proactively applying the four risk mitigation strategies to bring the total risk faced by the company.
A Personal Account of Using ERM
I mentioned in the beginning that my experience with ERM is not limited to being a consultant talking about risk management to other people. I’m also a business owner running an organization that faces the same broad categories of risk—to people, facilities, suppliers, and technology—as other organizations.
Every organization’s risk profile is unique, but all face threats with the potential to interrupt their ability to carry out their critical operations, with potentially devastating quantitative and qualitative impacts.
In the early years of their existence, most organizations are focused on growth. As they mature, their leaders tend to begin thinking about preserving what they have built. MHA followed this pattern.
A few years ago, I decided to get serious about identifying the risks we faced as a company and systematically mitigating them following the principles of ERM. It took a lot of work, but with every new risk mitigation control we applied, I felt great satisfaction. It felt good to know I was protecting the company I had built through (as of this year) 25 years of hard work, as well as the interests of our clients and the livelihood of my team.
Risk management is not a project but an ongoing effort. The task of monitoring and mitigating risk at MHA will never be done. But once I had applied ERM methodology to MHA’s risks and established a framework to manage them regularly moving forward, I felt a tremendous sense of relief.
This feeling—and the sounder sleep that comes with it—is available to any organization, executive, or risk management office willing and able to take a proactive, comprehensive approach to managing enterprise risk.
Navigating Uncertainties with Confidence
Enterprise Risk Management offers a systematic approach to identifying and mitigating hazards that threaten organizations. While risk can never be fully eliminated, ERM provides a framework for reducing its impact in a systematic, results-oriented manner.
Successful ERM implementation requires a proactive and consistent approach from the highest levels of leadership down to everyday operations, ensuring that risks are actively managed and mitigated. By embracing ERM principles and making risk management an integral part of theirbusiness operations, organizations can safeguard their interests, enhance resilience, and navigate uncertainties with greater confidence.
Further Reading
- The ABCs of ERM: The Rise of Enterprise Risk Management
- The Evolution of ERM: Adapting Risk Management for a Disruptive Age
- Managing Enterprise Risk: Understanding the 8 Risk Domains
- Who’s the Boss? Successful Risk Mitigation Requires Centralized Leadership
- Checking It Twice: The Corporate Risk Mitigation Checklist
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
