p Od około dwóch lat w środowisku risk managerów coraz intensywniej dyskutuje się o korzyściach jakie przynosi przedsiębiorstwom ERM em Enterprise Risk Management em . Ten optymizm zostaje jednak przygaszony pytaniami CEO i członków zarz…

I can’t thank you enough for your insight with respect to deployment of the ERM process in a company. I have recently adopted an ERM approach for onsite implementation of controls that I’ve previously installed as individual services to shore up deficient policies, procedures, decision making, etc. Now that I have converted to ERM after years of experience implementing such controls in the old manner, I undoubtedly would run into the dynamics you spoke of.

My appreciation of your insight is actually tied to my own experiences delivering services when a complete turn-around is required. I found after years of experience that it is better to first address deficiencies that involve corporate, otherwise I could be on the engagement for months having a significant impact but corporate would not take notice. If that happens, corporate can then lose confidence that they have chosen the right turn-around artist even though significant improvements are being made in the trenches. It then becomes necessary to shore up confidence by showing corporate the improvements that have been made, even though corporate has not yet seen any improvements that they could immediately benefit from.

In other words the primary concern of corporate is number one, and it is important to first install controls that improve their day to day activities and provide them an immediate benefit. Then you can go about the work in the trenches with total buy-in from corporate because they have experienced a benefit first-hand. I’ve been through those iterations as you have experienced similar “political” obstacles to overcome. It would be nicer if we could get down in the trenches and just fix things and have everyone up above show appreciation, but it just doesn’t work that way. Your insight is of great value. Thank you.

Dave

Actually, I am soon going to write a bit wider text on my blog (http://ryzyko.blox.pl) why companies fail on implementation of ERM. Although I did not fail (rather the opposite), I identified a number of project killers on the way.

With a ‘clean” bottom-up approach you get a number of benefits, of which most substantial are:
- you get the line managers and key skill bearers engaged – they understand ERM, risk and start to enjoy it
- the tools and models developed are very well fitting the company and market character.

However, once you go up with intention to have middle managers engaged in the ERM thinking (= duties, more management discipline and control over them) you encounter problems, namely:
- the medium level manages say “it has not been sufficiently consulted with me, I do not like it” (”it” may be the scope of duties, tools and procedures, whatever)
- that is where you need either risk manager of a very stron personality, or/and strong support from C-suite.
Pls note that at this point you are kind of sitting on two horses: the line managers (who now feel that their direct bosses are not as supportive of ERM as was expected) and the C-suite (who at this stage has vey well managed to forget most of the ERM benefits and commitments they did a year ago and start to listen intensely to the middle managers that try to defend their positions).

Provided you manage to win this battle, you have to then approach the c-suite with THEIR duties as risk owners of the highest caliber risks. The story as above repeats, with exception that you now have no “C plus” suite to call for help (unless you are major shareholder or supervisory board member, what is rare for risk manager). How it sounds ? Mostly at this stage c-suit either turns the whole project down, or finds necessity to re-think and re-construct the whole approach to ERM to make it less burdensome for them.

This is quite OK, because you are a learning organisation and you improve all the time, but this finally ends up with drawing new policies and procedures, new risk ownership and reporting structure, altering some risk analysis and evaluation tools – and off we go, starting almost from scratch.

You approach operational managers explaining that what we enjoyed doing so far was found by C-suit not the best approach so let us change it. That is the moment you as a risk manager and your gospel are instanly loosing a part of respect. You then go up to middle management and explain again that the previous fight was not quite necessary and let us ease it up a bit. At this point you make a bit of idiot of yourselves as risk manager. Hopefully, if after another half year you reach C-suite again you do not hear “let us change it”.

I made it on purpose sound so bad to emphasize how the soft issueas may be crucial. Actually, the ideal approach would be to have an army of risk mnagers who at the same time sweep the whole orgtanisation – a true viking conquer. However, realistically it is not realistic

Therefore I think that the best (of bad options) is to start with C-suite and only highest ranking risks, make sure C-suite feels comfortable with a specific approach (policies, duties and reporting, tools etc). Then having their complete understanding of ERM and support, you may relatively easy get middle management involved (if C-suite is doing it fine, they are not supposed to ask questioins). The line managers are more difficult then, but at that stage you as a risk manager have tremendous organisation-wide exerience and can easily win their respect and hearts.

Of course, with that approach you will need at some stages to work with temporary teams of middle management or line management to work-out realistic tools and techniques. This is how I would do it today.

Rafal

Dave

I have introduced ERM to a group of ca dozen companies spanning in 9 countries and I am convinced that down the road it always takes some experimenting to fine tune the tools, policies, procedures and risk rating measures. I took a bottom-up approach but if I were to do it again I would take top-bottom approach as this would mean less mistakes on the way and less steps backwards.

Rafal