Enterprise Risk Management (ERM) is how enterprises identify and manage a broad portfolio of significant risks in an integrated way. It’s a fast-growing discipline. Even the best organizations don’t escape risk: More than half of executives we surveyed said they had a high-impact risk occur within the last two years that they had not previously identified (excluding the COVID-19 pandemic). When risk becomes a reality, it can cause damage that goes well beyond the bottom line.
The ability of a business to remain competitive is also at stake. ERM is not just about averting risk; it’s also about seizing an opportunity. Some risks are worth taking because they can result in new products or services that separate a business from the competition.
Identifying, assessing, and appropriately responding to threats will be essential for business continuity and resilience as the global economy moves on from the chaos of 2020. To understand current practices and tools for ERM and how these are evolving, APQC recently conducted a global study with Dr. Paul Walker, Schiro/Zurich Chair in ERM at St. John’s University.
The study included a survey with 229 respondents at organizations of all sizes from a diverse range of industries and regions. We also interviewed senior ERM practitioners at eight organizations across industries and sizes to get a sense of how the daily work of ERM is carried out on the frontlines.
While known and unknown risks will always be part of business, we found that leading organizations have developed systematic approaches for managing enterprise-level risk. These efforts lower an organization’s risk exposure and drive value through benefits like better decision-making, highly targeted business strategies, and faster responses to disruption.
An enterprise view of risk is critical for effective ERM. Without it, risk management lacks a comprehensive outlook and is more likely to be siloed. That can lead to redundant or disjointed efforts across an organization.
As one vice-president of organizational risk told us, “Having an enterprise view of risk helps ensure that lines of business are defining risk in similar ways and taking advantage of best practices in a programmatic manner.”
The inclusion of this enterprise view through solid governance, standardized risk analysis, and a risk-aware business culture allows organizations to develop a more holistic approach to risk management, putting the “enterprise” in ERM.
Many organizations still have an opportunity to develop their approach to ERM and achieve this integrated view of risk. While 37% of survey participants said they had defined ERM processes in place, only about 25% said their ERM process was fully optimized. Many organizations haven’t been practicing ERM for very long either. About one-quarter said their ERM program was less than three years old, and a majority have been practicing ERM for less than five years.
Nearly all participants in the survey (96%) said their ERM program is facilitated by a dedicated ERM team. While the size of the team can vary based on organizational size and industry, we found that the teams tend to be small: the median number of ERM team members across all companies is five full-time equivalents.
Rather than managing every risk, the role of the core ERM team is generally to facilitate the process and provide advisory support and guidance to the business.
For example, John Siminerio, director of decision and capital analysis at Highmark Health, said that while “some complex, enterprise-level risks need to be managed and monitored directly by the ERM team,” in many cases the ERM team’s goal is simply “to provide business owners with the right know-how, skills, and tools to manage their risks.”
In many organizations, embedded risk partners are responsible for risks in their specific business areas and report these risks to the core ERM team. The ERM team then reports to an executive like a chief risk officer.
Numerous ERM practitioners said support from leadership is critical to make this program structure work effectively. Executives and management not only help set the tone at the top but also help secure necessary enterprise-wide resources and support.
As Joe Pugh, enterprise risk management and compliance director at AARP, noted, “Having a C-suite sponsor and advocate can change how quickly ERM is adopted and embedded within the organization.”
Executive support for ERM also means that executives, including CFOs, play an active role in coordinating risk management processes and activities. They can act as risk champions or help to identify risk champions across the business. Here are some examples:
These governance roles are effective at driving support for ERM from top to bottom and coordinating risk assessment. But more than half of respondents — and in some cases, two-thirds — are missing opportunities to leverage them for ERM.
Risk partners in the business often identify and track many risks. That doesn’t mean executives or the core ERM team will prioritize all of them. As HHS deputy assistant secretary for operations and management Christine Jones noted, “Not everything can be a high-priority risk. ERM means making tradeoffs and balancing what makes sense to the enterprise as a whole.”
Instead of actively tracking and planning for every risk, organizations focus on a portfolio of the highest priority risks.
Organizations take a broad and inclusive view of risk during risk identification. For example, the three most common categories among organizations’ top enterprise risks are strategic, operational, and financial risks, although cyber risk, reputational risk, and other categories aren’t far behind (Figure 3).
Organizations spend about a quarter of their risk identification and assessment time focusing specifically on strategic risks, which makes sense. This category encompasses risks that could potentially spell the end of the business if they materialize, so they’re worth taking the extra time to identify and plan for.
One of the most common ERM activities is risk assessment. Survey respondents typically conduct assessments on a monthly or quarterly basis.
The most common approach is scoring or ranking each risk against criteria such as likelihood and impact. That allows an organization to sort risks as high, medium, or low. Organizations might use various techniques or combinations of methods to analyze and assess risks, including brainstorming (used by 54%) and business impact analysis (used by 50%).
In many cases, risk assessment is a collaborative endeavor carried out through group discussion and consensus.
Risk assessment at HHS, for example, begins with an annual staff-level survey that helps to identify risks across the enterprise. After the survey, the ERM team takes the risk portfolio to the ERM council, which uses facilitated discussions and a real-time mobile phone voting app to rate each risk. Although voting is anonymous, members of the ERM council have enough rapport to openly discuss their rankings and work together to compile a comprehensive portfolio of top risks.
Leading ERM programs also work to identify and assess emerging risks — those further out on the horizon. For Michael Zuraw, senior director of global ERM at ON Semiconductor, these risks may be harder to identify, but he believes few emerging risks are truly unforeseeable.
“I don’t believe in the phrase ‘black swan’ because I think it’s too convenient to say that no one could have seen these risks coming. Many of these are obvious risks that we just choose to ignore, not black swans.”
ON Semiconductor holds annual scenario planning exercises that look 10 to 20 years into the future to identify and track these risks. The exercises deal with macro-level threats like global climate change, artificial intelligence, and geopolitical tensions.
ON Semiconductor is making the right moves regarding emerging risk: Our analysis found that organizations that identify and assess emerging risks are statistically more likely to rate their ERM programs as more effective and valuable than organizations that do not.
Ideally, visualization and reporting for risk should be flexible and dynamic, accounting for a variety of scenarios and possible outcomes. As Siminerio told us, “The future isn’t singular, it’s plural — there are many different outcomes that are within and outside our control.”
Leading organizations use heatmaps or risk scorecards to make risk reporting easy for leaders to read and understand. For example, ON Semiconductor produces heatmaps that consider the current risk level of each risk (based on the risk’s likelihood and impact) and sets a target risk level based on the organization’s risk appetite. Risks that go beyond the target risk level are prioritized for mitigation. In areas related to innovation, the ERM team may determine that the organization is being too conservative and may need to take a bigger risk.
Organizations draw from a broad range of measures to track ERM program performance, including the impact of ERM on business results (the top measure used by half of those surveyed) and ERM program cost measures (used by 46%). Along with those quantitative measures, the best ERM teams also get feedback from a wide range of stakeholders.
AARP, for example, asks its board to evaluate the ERM program as part of its annual self-assessment. The results provide management with critical insights around enterprise risk from the board members’ perspectives. According to AARP, these efforts have fostered a more thoughtful risk-taking culture and a more risk-savvy board of directors.
Mature ERM programs also actively invest in training and continuous improvement. As one vice president for organizational risk said: “Good enterprise risk management requires everyone to understand their role in risk management and for everyone to perform that role in the same way using the same definitions. That’s an enterprise-wide challenge and a daunting task because it requires everyone to be working toward the same goal.”
To rally the entire enterprise around ERM, organizations typically conduct training, drive awareness campaigns, and provide practical tools or templates that employees use in daily workflow. For example:
Some organizations go a step further by forming communities of practice that spread ERM guidance and best practices broadly. For example, working with the Organization for Economic Cooperation and Development, the IRS plays a leadership role in helping tax administrators from other countries learn ERM principles. The organization’s work with the OECD has also led to developing an “Introduction to ERM” course, a virtual forum on ERM during COVID-19, and an ERM maturity model explicitly designed for tax administrators.
While they can’t completely avoid risk, organizations that have evolved their ERM efforts are better prepared to respond when risk becomes a reality. Beyond better preparedness for trouble, we found these organizations also benefit from improved executive decision-making, risk avoidance, reduced insurance costs, and more.
As Katie Bolling, director of finance at Chillicothe Municipal Utilities, said, “I don’t see ERM ever going away — it’s good for the organization, good for the community, and good for the employees.”
Rachele Collins, Ph.D., is the principal research lead for financial management at APQC; Nathanael Vlachos, Ph.D., is a writer and analyst for APQC; and Paul Walker, Ph.D., is Schiro/Zurich Chair in enterprise risk management and executive director of the Center of Excellence in ERM at St. John’s University.