Top Management Tool or Administrative Nightmare?

We have seen many organisations implement an Enterprise-wide Risk Management Process during the last few years. Yet very few have derived any practical value from this process.

The most common reasons why most ERM processes effectively fail during the first year are discussed below.

1.  An incomplete Risk Register.
 
Most risk registers do not provide a full picture of all the risks facing the organisation, which defeats the purpose of a risk register and erodes virtually all value from the ERM process.
 
2.  Identifying risks on different levels.
 
Risks, like objectives, flow and cascade. The risk of “Not making money” cannot be identified on the same level as the “Risk of product x being considered too expensive” within the Risk Register.
 
3.  Not achieving buy-in from all levels.
 
If this is not in place, the ERM process is doomed from the start. The CEO and Board of the organisation have to be clear, as a collective, about exactly what their objectives and requirements are from the ERM process. Why exactly are we willing to spend hundreds of man-hours on its implementation?
 
4.  Feedback to oversight committees exposing them to an inappropriate level of detail.
 
The directors of an organisation assume responsibility for ensuring an effective control framework: in other words, they ensure that every key risk within their company is being managed appropriately. In today’s complex and legalised environment, this is a daunting task for even the most experienced executive directors, not to mention non-executive directors appointed for their expertise in a specific area. In our experience, directors spend a large amount of their very limited time on controls and activities that support the operations rather than on those complex operational and strategic activities that allow them to maximise their contribution. Exposing the directors to a very high level of detailed information is counterproductive, and one of the major reasons their limited time is not maximised.
 
Fundamental to unlocking the benefits of an ERM process is keeping it very simple.   Start off with the key objectives of the organisation from the very top (i.e. “We want to maximise value for our shareholders”), and cascade your objectives and risks to ensure that the detailed risks in the Risk Register are generated per process (always referring to and flowing from the overall objective of each process).  Involve as many levels of personnel as possible in generating the Risk Register.
 
The true value of the process is not in identifying the risks, but rather in the discussions around the prioritisation, as well as the most effective and efficient manner in which to mitigate each risk.