
Author: Lenin Lopez

Even relatively early-stage companies need to think about enterprise risk management (ERM) — but the thought of standing up a formal ERM program can be daunting. In this week's D&O Notebook, my colleague Lenin Lopez provides an easy-to-follow roadmap for directors and officers of companies that need to implement their first formal ERM program. — Priya Huskins

Corporate scandals and failures are ever-present. The last few years have provided us with examples from healthcare providers,[1] life science,[2] banking,[3] cryptocurrency[4] and automotive manufacturing.[5] With the benefit of hindsight, it's easy to see the root-cause risks associated with these scandals and failures. A lack of oversight, gaps in controls or bad actors may have been to blame. The common theme is poor corporate governance and risk management.

Board-level monitoring of company risks is essential, and boards should identify their company's most important risks and ensure they have sufficient board-level compliance and reporting systems in place for the company's central risk and compliance issues. This article will peel back a few layers of that onion.

Specifically, this article will:

  • Describe challenges associated with the risk assessment process.
  • Explain what an ERM program is.
  • Provide steps for developing your company's first ERM program.

Assessing risks

A clear understanding of your company's risk profile will help you make informed decisions about how to allocate resources and develop strategies to manage risk.

Easier said than done.

For example, consider life science companies. Top risks inherent in that industry may include product safety, data privacy, patent protection, cyber risks, changing or increased legislation and the cost of litigation. The challenge comes when you attempt to assess the likelihood and potential impact of those risks, along with any other internal and external risks.

Every company with current operations performs some form of risk assessment. Internal audit, legal, treasury, compliance and human resources are just a few of the functions that assess risk. While each is likely focused on the common goal of ensuring the success of the business, they're likely looking at risk through their own rubrics.

Early-stage companies may find that ad-hoc risk assessment works. As companies grow, so do complexities and the chance that employees are performing risk assessment and management within silos. This is all well and good, except when risks materialize and become a significant issue — and the matter continues to be addressed within those same silos. Risks abound in these situations, including delayed reporting to other relevant functions within the organization or regulators, as well as failure to elevate the issue to the board and management. This is where an ERM program can help.

Enterprise risk management: A team sport

Even though ERM programs and compliance programs tend to be spoken of interchangeably, they're not the same thing. A company's compliance program is generally focused on ensuring compliance with applicable laws, rules and regulations. A compliance program — or at least identifying the laws, rules and regulations applicable to your company — is a necessary predicate to an ERM program.

A company's ERM program is generally focused on identifying, assessing, and managing risks that may lead to non-compliance with applicable laws, rules and regulations, as well as other risks that may negatively impact the business.

They sound similar, but here's how they're different. For example, for healthcare providers, compliance programs will typically focus on implementing the policies, procedures and standards of conduct associated with ensuring compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). An ERM program, in contrast, can help identify risks that may impact the company's ability to comply with HIPAA (e.g., threats to information systems, third-party access to company data), assess the degree of each of those risks and recommend how those risks can be prevented and more easily detected and managed should they materialize. It will also, among other things, evaluate the company's level of preparedness, identify opportunities to enhance its risk management process and develop action plans to mitigate risks.

Collaboration between the compliance function and the ERM function can go a long way in a company's ability to identify and manage risks. For example, working together and sharing information can help to avoid redundancies and limit blind spots. For a further discussion of compliance programs, the Department of Justice (DOJ) has published what it views as an effective compliance and ethics program for purposes of criminal investigations and has updated guidance on the subject over the years.[6]

As noted above, some companies manage risk in silos. Unfortunately, in the absence of thoughtful intervention, these companies typically end up approaching risk on an informal and uncoordinated basis. While these companies will be able to identify operational and compliance-related risks, they'll likely lack the enterprise-wide view of risks that may impact their business. This enterprise-wide view of risks is imperative for the board and management in terms of their decision-making process and oversight responsibilities.

Developing your first ERM program

Most large private companies, and virtually all public companies, have reason to implement and maintain an ERM program. The barrier to entry for many, however, is the perceived cost and the resources necessary to implement such a program. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a thought paper discussing the importance of, and need for, an ERM process in all types of organizations. The paper also provides steps a company can take to develop and implement its first ERM program. It's a good starting point given that COSO — which develops guidelines for businesses to evaluate internal controls, risk management and fraud deterrence — also developed the COSO ERM — Integrated Framework, one of the most widely recognized and applied risk management frameworks in the world.

Below are a few keys to success and initial action steps associated with developing and implementing a tailored ERM program, adapted from the COSO thought paper.

Don't try to boil the ocean

Out of the gate, avoid the trap of attempting to copy a company's mature ERM program. That should be a long-term goal rather than a company's first ERM initiative. Generally, the goal of a company's first ERM initiative should be to enhance existing risk management processes. That may mean improving the risk assessment process, identifying a few critical risks within the company that can be managed and building upon that. An iterative approach works best, allowing you to enhance and/or develop processes around these risks and then expand them to include other risks.

Secure board and management support

The board and management set the tone for a company's culture, including compliance and risk. Without their support, it's unlikely an initiative to develop an ERM program will receive the necessary attention, resources or buy-in from others within the company. Reasons for boards and management teams to support an ERM program are plentiful, including helping to improve decision-making and reducing the frequency and severity of loss.

Perhaps one of the most compelling reasons for board and management teams to support an ERM program is that it can help them carry out their duty of corporate oversight more effectively — by helping to ensure that risks are identified, assessed and managed appropriately.

Establish a working group and a leader to drive the ERM initiative

An ERM program will require cooperation across the organization. Establishing a working group, as well as a leader or leaders to drive the initiative, will help ensure the project receives the appropriate attention and support within the organization.

For example, a pharmaceutical company may be best served by including representatives from each of the following functions within its ERM working group: compliance, human resources, legal, IT, supply chain, finance, manufacturing, R&D and investor relations.

Your company can approach the assignment of an ERM initiative leader or leaders in various ways. Consider appointing an existing officer (e.g., chief financial officer or general counsel) or one of their direct reports. If it's a direct report, it's best that they're senior enough to be viewed as having authority within the organization and to present confidently to the board. For an overview of ERM practices, including different approaches to the assignment of risk management leadership, see The State of Risk Oversight, 13th Edition from the ERM Initiative in the Poole College of Management at North Carolina State University.[7]

Leverage existing risk management processes

As noted earlier, many companies that lack an ERM program manage risk on an informal and uncoordinated basis. In other words, companies launching an ERM initiative typically don't start from scratch. Leveraging existing risk management processes and pulling them into the company's ERM initiative will allow the company to harmonize disparate processes and improve upon them.

Conduct an enterprise-wide risk assessment

With an ERM initiative leader and working group in place, companies are in a prime position to begin identifying their strategic business objectives and risks that could impair each of those strategies. This assessment will go beyond what many are familiar with when it comes to risk factors included in a company's annual report, which is generally focused on the probability and impact of risks. An ERM program risk assessment will also, among other things, consider the company's level of preparedness, identify opportunities to enhance the risk management process and develop action plans to mitigate risks.

Develop initial risk reporting

Companies will also need to develop an approach to ERM program risk reporting, including how risks will be socialized within the organization, the target audiences for the report and the reporting format. The format can be a simple list, a tabular spreadsheet, scorecards or a heatmap. That said, the process of distilling many risks down to those most pertinent to the board and management can be complex. For examples of common practices used by companies to communicate risks to the board, see Reporting Key Risk Information to the Board of Directors from North Carolina State University's ERM Initiative.[8] Companies will also want to consider how to report on the tracking and monitoring of progress on action plans.

Develop the next phase of the ERM program

Once an ERM program is established, your company will need to maintain and continuously improve upon it. That may mean restructuring working groups, changing risk management leaders, modifying reporting processes, appointing a chief risk officer or having members of the board and management team participate in ongoing education offerings specifically focused on ERM.

Boards and management teams should engage in ongoing discussions regarding the effectiveness of their ERM program.

Some questions worth asking might be:

  • Does management view the ERM program as important to the company's success? If not, what steps can be taken to change that view?
  • What assumptions are being made in the context of the company's ability to manage risks?
  • Do those assumptions hold true?

Parting thoughts

Implementing an ERM program may seem daunting, but it's manageable. Taking a proactive approach to risk management on an enterprise level can help mitigate risk — and enhance the company's reputation with stakeholders and regulators by showing its commitment to responsible risk management practices. The alternative is rife with risk.

Published April 2023

Disclaimer

The information contained herein is offered as general industry guidance regarding current market risks, available coverages, and provisions of current federal and state laws and regulations. It is intended for informational and discussion purposes only. This publication is not intended to offer financial, tax, legal or client-specific insurance or risk management advice. No attorney-client or broker-client relationship is or may be created by your receipt or use of this material or the information contained herein. We are not obligated to provide updates on the information contained herein, and we shall have no liability to you arising out of this publication. Woodruff Sawyer & Co, a Gallagher Company, CA Lic. #0329598. © 2026 Arthur J. Gallagher & Co., and affiliates & subsidiaries.