ERM stands for enterprise-wide risk management. ERM is recognized as risk management best practice because there is considerable evidence that organizations using ERM achieve their objectives more often than organizations that use more traditional risk management approaches. As a result, organizations using ERM are more highly valued by stockholders and stakeholders, pay less for their debt, appear to have fewer and less expensive negative events, and have higher reputations than other organizations.
Why is this?
If you ask 10 risk managers why they like ERM, you will get at least 10 different answers. Mind you, if you ask each of the same risk managers to define ERM, you will likely also get more than 10 answers. This isn’t just a cheap way of saying the beauty of ERM is in the eye of the beholder, but there is something to that.
As BOKRIM uses the term, ERM is a way for risk managers to understand their organization well enough to appreciate where they are trying to get to, the environment they are moving through, how they have configured their resources and activities to achieve their objectives and, therefore, to readily understand the biggest risks to the achievement of those objectives.
By understanding its risks in context, the organization can also understand why it is managing risk, set risk management priorities, measure and appreciate the value of risk management, and so can see both risk and its management positively. Given many risks are rare, and risk management is too often seen as a burdensome expense, understanding and tying its value to the achievement of the organization’s objectives establishes a framework where risk management is no longer a burdensome expense but has a direct return.
ERM is not easy to do. Again, there are many reasons but here are five, any one of which could derail an ERM initiative:
- Cost: ERM can be expensive, which is why it is most often used by larger organizations that can afford it.
- Time: Related to cost, it can take time to develop and implement an ERM strategy, and for many organizations – particularly smaller ones – time is not a luxury they ever have enough of.
- Expertise: Like anything, ERM is much easier to do the second or third time you do it; many organizations cannot afford the expertise to develop an ERM system.
- Data: To be really effective, ERM needs reliable information and, unless your organization is large enough to develop and analyze data of sufficient quantity and quality, ERM will likely be tough to do successfully.
- Top-level buy-in: Given all the previous challenges, ERM succeeds when the senior leadership of an organization not just buys into the concept but is also visibly supportive.
BOKRIM sets SAM risk management in an ERM-like framework. This is so that SAM risk is managed with a considered approach to why an organization should think beyond compliance in addressing something (SAM) that is fortunately inherently rare, to prioritize SAM risk with the organization’s other risks, and to ensure SAM risk management decisions are aligned with the organization’s most important objectives.
By embedding SAM risk management into its ERM-based risk management system, tied as that system is to the other components of the BOKRIM platform, BOKRIM overcomes the other challenges to effective ERM noted above. Any organization can manage SAM risk using ERM – risk management best practice.