A cybersecurity risk management reporting framework can be a key component of an organization’s risk management program

Authored by Cassandra Walsh and Corey Parker

The importance of ERM

Enterprise risk management (ERM) has long been a powerful tool for organizations looking to optimize their risk management functions. Now, more than ever, organizations are embracing a risk-aware culture and using it to move their ERM programs forward.

ERM is the framework through which organizations proactively identify, assess, mitigate, monitor and respond to risks and opportunities. Integrating ERM into an organization’s daily culture and operations supports informed decision-making, coordinates risk-related activities and links the organization’s strategic plans and objectives to its enterprise risks, with that linkage flowing down to all risk-related activities and decisions.

Before embarking on the ERM journey, it is critical to develop a foundation that provides an ERM framework customized for the unique aspects of the organization.

The Why – why this approach can add value

While there is no one-size-fits-all or cookie cutter approach to ERM, an organization’s risk management activities can quickly become disconnected, inconsistent and/or siloed without a sound ERM framework. An integrated ERM framework will enhance decision-making and risk management activities, leading to a consistent and proactive approach across the organization. 

Creating an ERM framework will not only drive accountability over time, it will also transform risk management into a sustainable business practice that integrates into daily routines across the organization and links to the organization’s strategic goals and objectives.

Developing a strong ERM foundation

Risk management activities are already an active component of most organizations, yet it can be difficult from inside an organization to conceptualize an ERM framework. In fact, this is where most efforts stall, at the question “Where do I start?” A critical first step in laying the foundation for a sustainable ERM framework is to identify and inventory the risk management activities that already exist.

A simple, yet valuable next step: convene an introductory educational ERM session for involved stakeholders. This educational session introduces the “basics” or “fundamentals” of ERM and establishes a common risk vocabulary in the process. Leverage this common risk vocabulary across the organization to create a consistent understanding of and approach to risk management, mitigation strategies and decision-making.

The introductory educational ERM session will create momentum and drive consistency of ERM concepts across the organization. Some of the concepts that should be introduced and defined in this initial session include:

  • Setting expectations (i.e., defining what ERM is and what ERM is not)
  • Defining the vision and mission of the ERM program
  • Clarifying roles and responsibilities for key stakeholders
  • Establishing a common risk vocabulary
  • Outlining existing risk management practices – leveraging existing content and documentation will increase each participant’s level of comfort and/or familiarity
  • Sharing the tools, templates and documentation that make up the ERM framework
  • Presenting an actionable timeline with key ERM milestones

Conclusion – okay, now what?

Everyone involved in the ERM program will have a different role and their perspectives on risk will likely vary. As the ERM framework matures, those differing backgrounds and experiences will shape the overall direction of the program and mold the organization’s appetite and tolerance for risk. This transformation will not take shape overnight; it will mature at a pace that fits the environment of the organization.

As your organization’s ERM framework continues taking shape and management begins transitioning beyond the introduction of ERM, other important considerations include:

  • Who is best suited for the ERM Champion role?
  • What roles will internal audit, compliance and other key stakeholders have (e.g., under the three lines of defense model)?
  • Where does your organization want to align itself on the ERM maturity model?
  • What governance structure will best support ERM’s growth (e.g., reporting directly to the board or through a risk or audit committee)?
  • What reporting/communication tools will be used and how will they be presented (e.g., risk map, risk inventories, mitigation templates)?

Overall, your ERM framework will continue to evolve as the program matures and is integrated into daily risk management activities. Being in the midst of a pandemic or other crisis does not mean your organization should stop working to mitigate risk or stop taking advantage of available opportunities. ERM is one way to ensure this pandemic does not stop us from moving forward.

For more information on this topic, or to learn how Baker Tilly specialists can help with ERM at your organization, contact our team.
