Enterprise risk management application implementation case study
Risk management is one of the most important components in empowering an organization to achieve its ultimate vision. With proper risk management culture and knowledge, team members will be “speaking” the same language, and they will leverage common analytical abilities to identify and mitigate potential risks as well as exploit opportunities in a timely fashion. In order to consolidate efforts, the existence of an integrated framework is crucial.
This is why Enterprise Risk Management (ERM) is necessary to the fulfillment of any organization's goals and objectives. Sound risk management empowers not only project managers, program managers, and even executives, but also units, departments, and sectors to make timely and effective decisions.
Throughout the implementation of an ERM application in a public transport organization, we started with the end in mind and worked according to ERM success factors in this organization. We tapped into the organization's risk awareness, we allied with the proper stakeholders, and we leveraged executive sponsorship toward the success of the project.
The involvement of all parties in the organization had a major impact on performing risk management. This paper will articulate the importance of proper role distribution. It will also highlight the importance of ERM, the necessary steps to succeed in such an endeavor, and the challenges that might arise through a compelling case study drawn from a project carried out in a reputable public organization in the Middle East region.
Risk management—at large—is not just an avoidance exercise. It involves taking the proper decisions to keep a safe balance between negative risks and potential opportunities. Enterprise Risk Management (ERM) needs to be applied and performed through solid steps taking into account the structure of the entire organization, its objectives, and all the stakeholders involved. It cannot be a formality. The mindset of risk management needs to be embedded in the company's planning and execution of tasks and projects. Since it is an iterative process, a proper integrating framework is needed.
What is ERM?
ERM translates simply into integrated risk management. It is a coordinating and coordinated activity that takes place across the entire organization and brings together all risk management activities in an appropriate framework. It is indeed about the entire organization, and it is about all activities involved.
ERM draws essentially from managing risks according to organizational objectives. At the organizational level, consolidation is then crucial through a proper framework. According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004), the ERM framework is geared to achieving an entity's objectives, set forth in four categories:
- Strategic—High-level goals, aligned with and supporting its mission
- Operations—Effective and efficient use of its resources
- Reporting—Reliability of reporting
- Compliance—Compliance with applicable laws and regulations
Risks are uncertainties that may have a significant impact on objectives. This is why it is imperative that objectives be clear to all stakeholders at all levels of the organization (see Exhibit 1).
Exhibit 1 – ERM and objectives.
An integrated perspective will take the guesswork out of what the risk appetite is in the organization. David Hillson, the Risk Doctor, defined risk appetite as a “tendency of an individual or group to take risk in a given situation,” and added “risk appetite expressed using thresholds, which are described against objectives and that can be measured externally” (Hillson, 2012).
In other words, risk appetite translates into the threshold of tolerance toward risk. This is usually defined by senior management and reflects their willingness to accept risk as derived from its risk capacity.
The following are three important factors to take into account as to risk “appetite” or tolerance:
- Risk appetite should focus on the portfolio of key risks facing the organization.
- It should be determined at each core business level, and wherever possible.
- It should be aggregated to the enterprise level (Hillson, 2012).
In this context, developing a risk plan or risk policy will help determine the roles and responsibilities of each member of the organization involved either directly or indirectly in the procedure. It actually boils down to one point: The entire organization will “speak” one risk language. This risk policy should be a sound guide on the how-to of managing risk across each unit, department, agency, and sector.
ISO 31000 has made it clear: Key risk principles create value and are—and should be—an inherent part of decision-making (ISO, 2009). Those organizations that are eager to bring risk knowledge to the forefront of decision-making processes ensure that all risk management activities are undertaken in order to mitigate negative impacts and allow exploitation of positive risk (or opportunities). ERM, in this case, will “guarantee” that risks are managed at a portfolio level.
“Portfolio risk management can assist in raising the profile and maturity of risk management, particularly if an organization operates a gated approval process,” and “Portfolio Risk Management can provide quick wins” (Jonas, 2011).
In our implementation, portfolio risk management enabled the public transport organization to identify, assess, and treat risks across the organization, understand the mutual links between risks, allocate responsibilities, and provide senior management with an understanding of aggregated risk exposure.
The above included adopting an ERM framework, establishing comprehensive categories, and specifying a centralized ERM function with defined roles and responsibilities.
Why Implement an ERM Application?
In our case, since risk management was culturally embedded in the organization, it was time for an upgrade from plain Excel spreadsheets in order to fulfill the strategic objectives (see Exhibit 2). Allowing senior management to have a snapshot perspective of the actual risk picture across the organization would be not only an enhancement but also an unavoidable step up on the organization's maturity roadmap.
Exhibit 2 – A spreadsheet approach to ERM vs. ERM software application approach.
The new software application would be used by all units and departments across the organization's sectors. The risk data, once provided by all units and departments across the organization's sectors, would be presented through dynamic reports and interactive dashboards to the chairman for direction and decision-making (go and no-go decisions) on a daily, monthly, or quarterly basis.
The organization was also in need of an application that would integrate and consolidate risk data through departments and units and would reflect real-time data.
ERM Implementation Roadmap
We started the project by writing a project charter that documented the objective of this implementation, whose purpose was to automate risk processes towards an improved implementation of the ERM framework across all units, departments, and sectors of the government transport organization.
The charter was developed based on information collected and gathered from key stakeholders, and the business case was prepared by a functional department that was aware of organizational objectives.
We then developed a scope of work document to provide more details of the work required to complete the implementation. The scope document reflected a framework on how the project would be managed and provided a roadmap to implement the ERM application using a phased approach, timescales for different phases, and change control procedures. The document then became a reference tool to all stakeholders throughout the project lifecycle.
Luckily for the project, the CEO had established a committee constituted of all departments. The committee met on a monthly basis to review project progress. This type of executive support gave us the ability to navigate stakeholders.
In addition, and through stakeholder analysis, we came to know that the human resources department was a prime stakeholder. Indeed, since we had the support of the department, we were able to proceed in specifying milestones, organize a baseline for different levels of training, and get buy-in with the various units to have their users attend training sessions.
We started on a strong footing, as we were clear on the organization's requirements and the intended use of the ERM application. Once we verified that we were indeed fulfilling all requirements, we began to assess the technical readiness of the organization's environment before we proceeded with the technical installation of the ERM application.
Once the software was installed, we noticed a knowledge gap in risk processes. We then worked with the team to gain understanding of their risk management processes and configured the application to support those processes.
We provided all the required customized training to facilitate a successful rollout according to both the training and the rollout strategy that had been devised. To ensure a proper flow, we implemented a closeout process with formal acceptance of both the implementation and configuration (see Exhibit 3).
Exhibit 3 – Project implementation framework.
The application was recognized as having the functionality needed, the flexibility and range of capabilities to meet business, governance, risk and compliance challenges, and it was acknowledged for being the right tool to be used by all units and departments across the organization's sectors for managing risks and improving performance through better decision-making. This was indeed a critical success factor. The involvement of all units, departments, and the support of the executive arm gave the project the context it needed to succeed.
ERM Application Implementation Key Challenges and Solutions
In such a project, promoting a sound risk management culture is one of the key challenges in implementing ERM. The objective is to ensure risk management is everyone's responsibility. Promoting risk management culture has a very high impact towards achieving risk management objectives in the organization.
Often, organizations can be good at identifying risks but not at treating them. For a mature environment, all stakeholders need to assess, identify, and treat risks, as identifying risks only is not sufficient. A strong and consolidated framework on how to address risks will give the organization a definite edge. Role distribution and awareness are undeniable success factors.
In this context, promoting risk management culture needs to also draw from the following concept: Risk starts with uncertainty, and uncertainty results from a lack of information. The more people are involved, the more information gaps are filled. Once executives are involved and employees understand that their input is crucial, it is easier to perform risk management.
The CEO, for example, is not only to set the scene for risk management, but he/she should be an active part of the risk team and should attend various risk workshops with the team.
Another important factor of success in ERM is to develop an unsophisticated process. People tend to turn a blind eye to risks when they see that their involvement can lead to complex tasks and activities. In addition to top management support, the risk management process should not be complicated, and organizations are to develop a balanced risk process that can meet risk management objectives and is able to get the buy-in of the good, the oblivious, and the reluctant in risk management activities.
Lessons Learned: What is Important for Effective ERM?
Organization leaders not only need to understand the importance of risk management, the importance of its processes, and the importance of their involvement, but they also need to ensure its continuity by championing a thorough but relatively simple framework. Once ERM is well implemented, it becomes an important tool of timely decision-making towards minimizing negative risks and creating value for future opportunities.
In addition, both leaders and employees manage risks. Employees of all levels need to be on constant lookout for hazards related to their specific knowledge area, especially since perspectives towards risk change from one person to the other and a consolidated input will bring precious value.
The organization should be aware of its ability (or not) to avoid, mitigate, transfer, and accept negative risks as well as exploit, enhance, and share positive risks, provided all of this is aligned with the strategic objectives of the organization.
Each risk must be identified, categorized, analyzed, and prioritized and then be treated or escalated to the appropriate management level. This process needs to encompass the risk score and its exposure using the adopted ERM framework in place.
Once identified—through regular risk workshops and other techniques—all risk registers should be aggregated and analyzed in a centralized risk office. That type of office by definition should be well aware of strategic objectives and will work on responses accordingly.
The purpose of aggregation is also to find potential links between various risks that would lead to potential leads between responses. This would save time and effort spent on the design of unnecessary and redundant responses. With one response, one might address several risks, even if those risks were documented by different units or sectors.
In addition, the centralized risk office should support all units, departments, and sectors in conducting risk workshops and should facilitate the required discussions and risk awareness exchanges to promote the culture of risk. It also plays a role in minimizing the threats and maximizing the benefits, in addition to its monitoring and controlling processes and overall ERM functions to ensure success.
All of this is a crucial step towards operational excellence. In this context, responsibility for the management of risk rests with line management in all sectors, sections, and initiatives. Those accountable for the management of risks are to also be accountable for ensuring that the necessary controls remain in place and are effective at all times.
Control assurance will then focus on improving the ability to manage risk effectively, so that risk owners or others can act on opportunities to improve and sustain the quality and continuity of supply, create value, and achieve sustained growth. The ultimate level of risk control will be balanced against continued encouragement of enterprise and innovation.
In addition, assurance of good corporate governance will be achieved through the regular measurement, reporting, and communication of risk management performance. For proper governance of risk, an ERM committee will monitor and review the risk management framework and performance (including compliance with the standards) and will report back to the board and chairman. The team will ensure that the necessary resources are available and that policies are adhered to.
In conclusion, ERM can offer exceptional value if it is soundly applied. It is not only a team effort, but also an organization effort and not a random one. It needs to be based on a strong risk culture, and it requires the sponsorship of the executives in the company or institution. In addition, the aggregation of risk information needs to be performed according to clear rules that everyone would understand and abide by. Besides, simplifying the complex can garner loyalty to risk in the company.
Committee of Sponsoring Organizations of the Treadway Commission. (2004, Sept.). Enterprise risk management – Integrated framework. New York.
Hillson, D. (2012). How much risk is too much risk? Understanding risk appetite. PMI Global Congress 2012, Marseille, France.
Jonas, V. (2011). Portfolio risk management: Aligning projects with business objectives to deliver value. PMI Global Congress 2011, Dublin, Ireland.
International Organization for Standardization. (2009). ISO 31000:2009 Risk management: Principles and guidelines. Geneva, Switzerland: International Organization for Standardization.
©2013 Mohamad Boukhari
Originally published as a part of 2013 PMI Global Congress Proceedings – Istanbul, Turkey