A Practitioner's Take on ERM Strategy: Rethinking your lines of defense
Enterprise risk management (ERM) is becoming a buzzword. In a post-financial crisis world of increased regulation and cyber risk, the value of having an effective ERM framework is increasingly obvious.
And that's great.
However, we live in a time of internal auditors, ERM specialists, compliance officers, internal control specialists, fraud investigators, and a multitude of additional risk and control professionals—all of whom are usually spread across the entire organization. These roles are all integral to effectively managing and mitigating risk across the organization. But, how do we get all of these people to share information in a way that promotes more effective business decisions?
In 10 years as an ERM and controls management practitioner, I encountered a lot of theories on how to realize the enterprise part of ERM. While the majority of these theories were insightful and played out effectively on paper, they were exactly that—theories. The complex process of applying a comprehensive ERM strategy to an organization of any size typically requires more effort than is feasible or cost-effective.
What I, and many of my practitioner peers, discovered was that while complete frameworks rarely translate directly to your specific risk culture, pieces of these theories can be useful in practice. The challenge then becomes how to analyze and implement the right pieces that make sense in building your best risk management environment.
One strategy emphasized by most ERM thought leaders is getting open and meaningful communication across all lines of defense. This is definitely something every organization should be working toward, but the strategies offered, in theory, too often fall into the category of "that would be great...in a perfect world."
With that being said, the right strategy can be found within these comprehensive frameworks. Below are two ERM strategies that I, as a practitioner, was able to pull tangible value from in my pursuit of achieving communication across all lines of defense.
Transforming the first line of defense
My first step in the right direction was to start looking at the lines of defense in a different way. Traditionally, the first line of defense was treated as a contributor of data into the risk control process. However, I learned that by treating the first line as an equal stakeholder, I was able to get the most involvement from them. This meant taking steps to include them in the big-picture conversation around risk.
The initial step in empowering the first line was to let them truly own their risks. So, what does this look like in practice? We started by giving first line risk owners exposure to documentation, risk metrics, and ample opportunity to take part in the conversations around risk processes. These opportunities helped the first line better understand how the risks they reported on impacted the entire risk profile. With this view inside the process, many in the first line took ownership of their risks beyond simply providing data for a spreadsheet.
So, where before it was enough to provide the data, the business units began to understand how those specific data points helped the business mitigate risk and build a cohesive risk governance. We began to see that by treating the first line of defense not only as the input providers but also as stakeholders, we were able to more effectively address gaps in risk coverage and identify interdependencies of risk elements.
When the first line understands enterprise risk and its impacts, the rest of the organization is bound to follow. This is the true meaning of risk culture—a company so permeated with risk awareness that no one can help but be involved in the subject.
Engaging the board and executives
Another concept championed by thought leaders is a top-down approach for risk management. By adopting a shared approach to risk management, an organization can increase engagement with risk across all lines of defense.
Traditionally, t,he board and executives act as overseers who use risk data to make decisions that best benefit the company. But, by shifting some of the control to the first and second lines, it both frees up executives for other decisions and requires the rest of the company to become more involved in the risk culture. While simple in theory, the ability to get the board and executives to willingly change their roles is not a simple thing to do. So, do the benefits of having this layer of oversight adjust their input in the risk process outweigh the amount of energy needed to convince them? The short answer is yes.
Typically, the role of the board and executives is so high-level that they lose sight of the risk process. Increased involvement of this group in the risk processes will likely reduce business fatigue and provide more transparency in the risk framework. It will also help them be more in touch with the business units and see up close how the risk assessment and oversight process operates.
This helps to build a centralized, standard practice across the entire organization. Typically, management has one view of an organization’s risk profile, while risk functions have a different view. Consequently, risk activity runs in many different directions without realizing any true value. Active feedback from management and the board in risk assessments and engagement in the emerging risk discussions will create a transparent picture of each risk function. And this makes everyone's life much easier.
Overall, redefining the roles of the lines of defense around risk will allow for a greater part of the risk management picture to be seen at all different levels of the company. While you're here, get a quick gut check on your risk governance structure.