Whatever we do personally, organizationally, or as a society, there is risk associated with it. If we take no risks, there will be no progress. And if we take risks without considering the consequences, the outcomes could be disastrous. Intelligent risk management requires a system to decide when and how risks should be taken and managed. Intelligent risk management by enterprises can mean the difference between extinction, survival, or role-model performance. Therefore, intelligent enterprise risk management requires a framework that considers the direct and indirect benefits and consequences of taking risks. The Baldrige Excellence Framework (including the Criteria for Performance Excellence) provides such a systems perspective and a mechanism for taking intelligent risks.
With all the literature and current discussion about enterprise risk management—and given the upcoming revisions to the Baldrige Criteria for Performance Excellence—I thought this would be a good time to take a closer look at enterprise risk management (ERM). What does ERM fully entail, and are there revisions to the Criteria that would be appropriate?
In its simplest terms, ERM helps an organization get where it wants to go while avoiding pitfalls and surprises and while complying with laws and regulations. According to the Risk Management Association, ERM should provide answers to three basic questions:
- Should we do it? (Is it aligned with our organization’s business strategy, risk appetite, culture values, and ethics?)
- Can we do it? (Do we have the people, processes, structure, and technology capabilities?)
- Did we do it? (Did we achieve the expected results, are we continuously learning, and do we have a robust system of checks and balances?)
Considering these three questions, ERM is really about taking a systems approach to overall organizational performance, the exact intent of the Baldrige Framework.
To explore the system for ERM, let’s t examine the topic more deeply, through a look at ERM’s definition and characteristics, ERM’s purposes and drivers, elements of an ERM process, ERM benefits, and finally the relationship to the Baldrige Criteria for Performance Excellence.
ERM Definition and Characteristics
The best and simplest definition of ERM is an adaptation of the definition in the international voluntary standard, ISO 31000: Risk Management ̶ Principles and Guidelines:
An organization’s coordinated activities to direct and control the effect of uncertainty on achieving its objectives.
The operative word in enterprise risk management is management. ERM is about managing risk, not about being risk-free. A good risk management process becomes part of overall organizational performance management. ERM should be a component embedded in an organization’s culture, practices, and processes. ERM responsibilities start at the CEO and governance board (or equivalent structural) level. The CEO and board have to determine the overall strategic approach to risk and the organization’s level of risk appetite, that is, how much volatility the organization is willing to assume in pursuing its strategy. The CEO and board must fully understand and accept responsibility for the most significant risks being undertaken and are responsible for leading the organization in a crisis.
Once strategy is set, risk management occurs at multiple levels and touchpoints within an organization:
- Strategic: the high-level goals, aligned with the organization’s mission and vision
- Operational: the use of the organization’s resources
- Reporting: the reliability and accuracy of results reporting
- Compliance: obeying applicable laws, regulations, and ethical practices
The achievement of strategic and operational objectives is subject to both internal and external events and therefore requires guidance, monitoring, and oversight. The reporting and compliance objectives are totally in the control of the organization and therefore these aspects of ERM should be regularly achieved.
Purpose and Drivers of ERM
According to the Committee of Sponsoring Organizations of the Treadway Commission, the main purpose of ERM is in setting an organization’s strategy and objectives to achieve the appropriate balance between growth and return goals and related risks. It encompasses the following:
- Aligning risk appetite and strategy to evaluate strategic alternatives
- Making key decisions on risk avoidance, risk reduction, and risk acceptance
- Enhancing the organization’s capabilities to identify potential events and establish responses
- Identifying and managing cross-enterprise inter-related risks and impacts
- Seizing opportunities in a proactive manner
- Improving the deployment of people and capital resources
The drivers for integrating ERM into an organization’s performance management are both external and internal. A good general framework for considering these drivers is articulated by the joint effort of several risk management associations. Externally risks and opportunities can be derived from the financial and political climate (e.g., currency exchange rates and interest rates, terrorism, and social/political instability), infrastructural considerations (e.g., supply chain and natural disasters), marketplace considerations (e.g., technology developments, competition, customer desires, and regulatory changes), and reputational considerations (e.g., product recalls and social responsibility challenges and opportunities). Likewise, internally these factors can be drivers of decisions. The decisions can be derived from the financial and political climate (e.g., investment returns, liquidity, and cash flow; leadership and governance changes), infrastructural considerations (e.g., facilities, people skills and availability, and health and safety), marketplace considerations (e.g., research and development breakthroughs and innovations, mergers and acquisitions, and partnerships), and reputational considerations (e.g., brand recognition and extensions).
Elements of an ERM Process
While any ERM process must be embedded in an overall performance management process, there are numerous process topics to be considered in relation to risk. Based on several published approaches and relying heavily on those documents already cited above, I have compiled the following list of process considerations for effective ERM. This list does not necessarily outline a linear process, although the steps are loosely sequential, with various internal feedback places likely:
- Governance risk policy decisions and communication
- Decision on acceptable levels of risk (risk appetite)
- Statement of overall organizational risk strategy
- Risk management infrastructure (organizational responsibility assignments)
- Identification of current risks (both opportunities and threats)
- Analysis of risks
- Evaluation of risks and decisions to engage
- Allocation of resources
- Development and implementation of risk protocols
- Risk management training
- Monitoring of performance
- Evaluation and improvement
Benefits of ERM
To a large extent, the benefits of an effective ERM system parallel those of an effective overall organizational performance management system. However, many organizations do not immediately see the overlap. In regard to the following benefits I’ve compiled from reading a cross-section of the ERM literature, I ask that you view this list in terms of the overall attributes of a high-performing organization:
- Improved strategic decision making
- Successful organizational change achieved
- Improved resource allocation
- Increased operational efficiency
- Increased likelihood of achieving objectives
- Competitive advantage built
- Prioritized and managed risks as part of an integrated organizational portfolio
- System relationships and interdependencies recognized
- Encouragement of proactive management
- Improved timely identification of opportunities and threats
- Improved controls
- Losses minimized
- Enhanced health and safety
- Compliance with legal, regulatory, and ethical requirements
- Improved mandatory and voluntary reporting
- Improved stakeholder trust
- Brand image built
What Does This Mean for Baldrige?
In my opinion, the Baldrige framework already addresses all these important aspects of ERM. For people who have been pursuing a systems perspective of organizational performance management, this is good news. For those who have not, please treat this column as an invitation to take a holistic view of everything that is important to guiding an enterprise, whether large or small. In regard to how Baldrige Criteria revisions for 2017 might be impacted, some additional emphasis or commentary may be appropriate, but ERM is already covered in the Baldrige systems perspective. The possible key point for some additional emphasis is that risk is inherent in all we do. Total risk avoidance is not an acceptable answer. The challenge is to balance the level of risk taken with the sustainability of the organization and the opportunity for innovation. The future competitive advantage that will flow from good ERM is based not on the analysis of risk alone but, rather, on the holistic addressing of risk and the actions taken—including the pursuit of intelligent risks—as part of an overall strategic approach to managing organizational performance.
While “ERM” may be a current buzzword, in the end it is all about how organizational insights and knowledge are turned into strategic insights and advantage.
Baldrige Excellence Framework
Baldrige Excellence Builder
Blogrige (link is external)
If You Want to Build Trust, Collect Trash (February/March 2015)
People, Process, and Plentiful Passion (April/May 2015)
It Is 2015. Is Your CEO Thinking about Current Issues? (June/July 2015)
Leadership Behaviors That Count (and Can Benefit All Organizations) (August/September)
Effective Communication Requires Caring, Explaining, Listening, and Living the Role (October/November)
In Search of (Workforce Performance) Excellence Winter 2016
The 28th Quest for Excellence in Eight Words and Phrases (Spring 2016)