For the foundation, the critical element in making its integration successful was buy-in from leadership, Bolger said. From the start, she and her team solicited feedback from nearly 50 stakeholders. They also created a cross-functional ERM committee that meets on a regular basis.
In the beginning of its journey, the foundation had identified its top risks but lost momentum after a certain period. Bolger said once it started working with Baker Tilly, the foundation refreshed its risks and priorities, clarifying whether they were in the correct categories as far as impact and likelihood.
Her team then focused on the most important enterprise risks identified in its enterprise risk assessment and assigned a risk sponsor to each one. Each sponsor developed a risk summary documenting the current-state and future-state risk mitigation capabilities, considered in the context of policies, procedures, controls, competencies, reporting, methodologies and technologies. The team stays accountable through quarterly reports to the audit committee.
Establishing that cadence, and the expectation that the leaders responsible for ERM communicate regularly, has built a framework in which management functions are viewed in terms of risk and risk mitigation strategies. Leaders recognize the importance of ongoing discussions with stakeholders, and this has established an environment of accountability and transparency.
Bolger acknowledged that the foundation’s path may have been smoother than others since it had support from the beginning, but she said education was key for those on the board who were not as familiar with ERM and its benefits. Being able to share with stakeholders why they should care about risk in addition to why they should be embedding risk and risk mitigation into their day-to-day activities was important.
She and her team also didn’t want to make the process onerous, so they set small, incremental goals. Bolger said it wasn’t realistic to believe the foundation could accomplish a fully developed ERM program in one or even two years. Instead, they have used their goals to develop a long-term road map, with the understanding that the foundation will refresh its goals along with their mitigation plans every 18 to 24 months.
The necessary factors for a successful ERM program
One of the essential factors in the foundation’s progress, as previously mentioned, was starting with the buy-in of leadership and stakeholders. That is the first and most critical step, Reierson said. Setting the overall culture and tone at the top has a direct impact on the attitudes about the need for and benefits of a robust risk management process. He said when there are cultural barriers, it inevitably leads to resistance to spending time and energy on risk management.
An ERM program works best when all key managers contribute, since they all participate in the organization’s decision-making process.
It is also helpful to integrate the ERM process into existing management processes, taking inventory of current risk management activities, so that ERM is not viewed as an appendage, an overlay or “add-on” work. An ERM plan should address the internal and external pressure points that created the need for change, and it should articulate to leadership the organization’s state of readiness for moving forward with such a program.
The program should be grounded in a clear prioritization of risks and gaps, as well as the organization’s capabilities for managing those risks. From the beginning, stakeholders should understand that it is a continuous and evolving process, not something that can be accomplished in a year or two, Reierson said.
Again, a successful ERM program will have realistic objectives that don’t exceed the organization’s capacity for executing against the plan, and it should establish periodic check-ins with management to keep the program on track and on strategy.
That has been key to the foundation’s ERM success. Now that Bolger and her team are regularly communicating the foundation’s ERM activities to the audit committee and board, the foundation is developing a dashboard that will highlight top risks, current mitigation plans and gaps.
It is just the latest step for the foundation. As Reierson said, ERM is a means to an end, not an end in itself. It is a commitment to continuous improvement rather than a project with a specific start and end date, and it builds confidence, enhances corporate governance, and aligns strategy and culture.