Just as self-confidence is a key ingredient in a strong leader, enterprise risk management (ERM) has over time become a fundamental requirement in prospering organizations. However, the term "enterprise risk management" alone is enough to give organizations the feeling that it is a monumental and difficult undertaking to implement. Loren Padelford writes in an article that this is not the case at all, and she provides six simple steps to bringing ERM to your organization:
- Identify your risks.
- Analyze your risks.
- Control your risks.
- Monitor your risks.
- Improve your risk management.
- Report on your progress.
The first step is as basic as asking people across the organization what risks they themselves face, ranging from minor to severe. If you find the opportunity to get multiple people in the same room, their concerns about risk will start to intersect at common points, yielding a more comprehensive list of risks. Once the final list has been made, risks can then be analyzed for general likelihood and predicted ramifications. Impact should be considered not just on budgets but on schedules, brand perception, and customer loyalty as well. This is another task that should help to show how seemingly disparate risks are really related. When all risks are properly understood in relation to each other, you can begin to control them:
Once your risks have been analyzed, you can determine the best course of action for managing each of them. This involves considering the business impact versus the likelihood of an occurrence and the cost of controlling or mitigating the risk. Where corrective action makes sense, options to review include possible steps for risk reduction, risk transfer and insurance. By the end of this process, you should have a clear picture of all relevant risks, how they interrelate to one another and how they will be managed moving forward.
Control should occur through assigning accountability for various risks to individual people or groups. This can be thought of as the follow-through on the system set up in the control phase, and it is where real success or failure is found. Afterward, each of the aforementioned steps can be reviewed for education and to see what did or did not work well, such as determining whether the right people were utilized or whether new risks have been identified. Sharing risk information should be a virtue within organizations, not swept under the rug. Finally, a formal report of results should be made for management and stakeholders, ideally by building it into your organization’s management meeting cycle, according to Padelford.
Organizations that want to stay competitive need ERM. Breaking it down into these six steps will help you acquire it. And once you have implemented it, celebrate with some McDonald’s. By the time you develop diabetes, science will have come up with a cure anyway.