
The very first Summer Olympics took place in Athens, Greece, in 1896. Nearly 280 athletes from over a dozen countries participated in roughly 40 events across nine days. 

Almost 125 years later, those same Olympic Games have grown to monumental proportions. This year—in the 2024 Summer Olympics—nearly 11,000 athletes from more than 200 nations will participate in over 320 events spread out over 17 days of competition. 

That growth (and stability) does not happen by accident. It requires years of intentional planning, thorough communication, global buy-in, committed resilience, ongoing evaluation and continuous dedication to improvement. 

The same is true with Enterprise Risk Management (ERM). Whether you are orchestrating a centuries-old global phenomenon like the Olympic Games, or building or optimizing your organization’s ERM framework, it is essential to construct the proper foundation.

To that end, watch our on-demand webinar and delve into ERM essentials with experienced leaders from Baker Tilly’s Risk Advisory practice. Gain a comprehensive understanding of ERM’s foundational concepts and principles, and how they can be effectively utilized to manage both risk and opportunity. Through practical examples and case studies, explore the common tools, techniques and processes used to create a sustainable risk management framework. Examine the importance of ERM and its strategic intersection between internal audit and compliance. Whether you are a seasoned risk professional or just starting your journey, this session will deliver valuable takeaways.

First things first—what is ERM? 

Before examining the key considerations for a successful ERM approach, it’s helpful to begin with the basics—in this case, a definition. So, what is ERM? 

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as, “The culture, capabilities and practices integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving and realizing value.” 

Additionally, the International Organization for Standardization (ISO) defines risk management itself as, “Coordinated activities to direct and control an organization with regard to risk.” 

Both widely accepted and utilized definitions serve as guidelines to help organizations implement their own risk management strategies. 

COSO provides a holistic approach to risk management by integrating ERM into existing organizational processes and governance structures and outlining 20 core principles—organized into five interrelated components—which help organizations manage risks aligned with strategy, goals and objectives. COSO is well suited for organizations seeking a structured and comprehensive approach to enterprise risk management. 

ISO, meanwhile, provides a similar, flexible and adaptable approach designed to enable agile responses to evolving risks and opportunities. ISO is based on eight principles that provide guidance on the characteristics of value creation and protection. The principles help organizations manage effects of uncertainty on strategic objectives and are the foundation for establishing the organization’s risk management framework and process. ISO is typically well suited for companies that operate in diverse industries or geographies (e.g., international organizations).  

Many organizations utilize one of the above risk management standards (whichever is more closely aligned with their internal structure, operations/business model, marketplace needs, etc.) when building and optimizing their ERM frameworks. Others sometimes take an a la carte approach, selecting various principles or components from both frameworks that align with their unique organizational needs or stakeholder expectations. As you consider a defining framework for your ERM strategy, the goal is to build and use standards that are appropriately suited for optimizing your organization’s risk management approach.  

Five key considerations for a successful ERM approach

Once you’ve laid your ERM foundation with a definition and framework that best aligns with your existing business processes, industry needs and organizational structure, the next question becomes: what are the key considerations necessary for orchestrating a successful ERM approach? And while the answer to that question is not one-size-fits-all (see our webinar above!) and includes numerous topics worth exploring, successful ERM approaches almost always incorporate the five basic elements below:

  1. Planning and coordination
  2. Diverse competitors and risks
  3. Performance and resilience
  4. Teamwork and collaboration
  5. Continuous improvement

Planning and coordination

ERM is all about identifying, assessing and managing risks across all aspects of an organization. While this process impacts every corner of your business, it must begin with buy-in from the top of your organization. Without the commitment, endorsement and active participation of senior management, it is exponentially more challenging to foster the right culture, allocate the necessary resources and coordinate effective risk management. We often say that ERM embraces a crawl-walk-run approach due to the various complexities and interconnectedness of the risk landscape. Starting at the crawl stage (with extensive planning, coordination and communication) is not as exciting as running the race itself. But not a single Olympic runner reached such pinnacles of success without first learning how to crawl. With intentional planning and coordination, you help ensure that your risk management efforts are comprehensive, consistent and aligned with your organization’s overall strategy, goals and objectives. 

Diverse competitors and risks

Diversity should not only be a defining feature of the stakeholders you bring to the table. It should also guide your approach to risk assessment beyond the most notable and obvious. Yes, priority should be given to the most immediate and/or most impactful risks facing your organization, but successful ERM programs broaden that area of focus to identify risks of all shapes, sizes and characteristics—including financial, operational, strategic, regulatory, reputational, environmental, extended enterprise, technological risks and more.

Performance and resilience

Risk environments are dynamic. As you counter present and known risks, emerging risks can always appear and/or evolve in new ways. Well-designed ERM frameworks can help enhance an organization’s performance by proactively identifying, responding to and managing these ever-evolving and emerging risks—all the while leveraging the collective knowledge and capabilities of the organization’s stakeholders.

Teamwork and collaboration

To the point above, a successful and truly enterprise-level approach to risk management requires substantial coordination and collaboration by stakeholders at all levels and hinges on clearly defined roles and responsibilities. It necessitates an organization-wide understanding of your risk management playbook (who does what, when and why?). It requires identifying and equipping your ERM champions—those tasked with leading the charge and pushing the team and process forward. It’s about bringing together stakeholders from across the organization to help design and implement the ERM process, provide clear instructions and guidance for the ERM function and promote a risk-aware culture across every level of the organization.

Continuous improvement

ERM is not a one-time risk assessment. It’s not something you can check off from a to-do list. It’s not a tool that you can buy to solve your organizational issues. It’s an ongoing process that continuously integrates risk management into your daily operations and long-term strategies. Remember the expansion of the Olympic Games noted above? That did not happen overnight—or by accident. The sheer size and prestige of the 2024 Summer Olympics is the result of 125 years of continuous growth and improvement. The same rings true for ERM—it’s about evolving your strategies and adapting to changing environmental factors (both internally and externally).

When considering the depth of successful ERM programs, this list only scratches the surface. Nevertheless, the five elements noted above are essential building blocks for every ERM approach and should not be overlooked, whether you are building an ERM strategy from the ground up or optimizing an existing framework.

The bottom line: Why ERM matters 

Developing and implementing an effective ERM program is complex. It requires a coordinated focus on planning, communication and collaboration just to get going. Then it requires regular and ongoing evaluations, reviews, assessments and adjustments to keep things consistently and collectively moving in the right direction. So, why go through all the trouble? 

The marathon answer: ERM programs help to develop a holistic and comprehensive view of risks that pose critical threats to the achievement of an organization’s mission and objectives, manage those risks to an appropriate level, identify and incorporate ongoing risk management activities into a sustainable, intentional and repeatable process, and promote a risk-aware culture in order to improve the focus on risks, enhance decision-making and achieve efficiency and optimization. 

The sprint version? Effective ERM programs: 
  • Create proactive, structured processes to validate that organizational risks are being identified and managed 
  • Increase management’s accountability for identifying, managing and reporting enterprise risks 
  • Enhance risk awareness, transparency and dialogue across the organization 
  • Reduce volatility and help mitigate financial and operational surprises 
  • Elevate the ability to anticipate risks and take appropriate actions 
  • Promote a common understanding of risks 
  • Allow for relevant and timely reporting 
  • Improve decision making 
Corey Parker
Principal