I am amazed at the number of risk management programs I encounter that lack an organized structure and approach. So often what we know as ERM (enterprise risk management) is a hodge-podge of processes and assessments that somebody tagged the ERM label on without much thought for what they were doing. In fact, most of the ERM processes I encounter are nothing more than a slightly expanded view of SOX and financial controls: they are not truly an enterprise view of risk across the organization and its operations that aligns and supports performance management and strategy.

One of the best research pieces I have seen on Risk Culture is from the Institute of Risk Management, of which I am delighted to be an honorary life member, and I love participating in its research and events. Every organization has a culture that defines and influences how risks are understood and managed, and how integrated or disintegrated risk management is with strategic planning and performance.

Most ERM programs lack the fundamental building blocks for a risk management program, and that is established in an enterprise risk management charter and policy (or something similar if you do not like the term risk as some risk pundits do not). I will be presenting on this in detail in the upcoming webinar: PART 2: Developing an Enterprise Risk Management Strategy & Policy

I worked with one Fortune 100 firm that asked me what the main components of an ERM policy are and then asked me to review and comment on theirs. Here is what I provided.

MY ANSWER: ERM policies are organization specific; no two ERM policies are identical. However, there is a logical structure that works well as a starting block for most organizations. These include the following structural components for an ERM policy:

  • Objective/Purpose. As with any policy it is necessary that the policy begin with the organization and purpose of the policy. This is nothing more than writing out the charter for ERM and establishing the authority of this policy to establish and govern the ERM program.
  • Risk Governance Structure. It is critical that the organization establish the governance structure for risk management and specifically how it is aligned with strategic planning and objective/performance management. This is a big area of failure for most ERM programs, as it is often the case that risk management operates as an island with very little to no interaction with the board and executives or with organization strategy and objectives. A solid ERM policy will identify how the board and its committees, as well as senior executives, interact with ERM.
  • Roles & Responsibilities. Once the governance structure is in place, the policy should get into specific roles and responsibilities for ERM. This includes a clear understanding of the roles of a Chief Risk Officer, executive management, business operations, risk owners across the business, risk management staff, and the role of audit in the assurance oversight of risk management.
  • Risk Culture. The single greatest hurdle to successful ERM is articulating and integrating risk management into the organization’s culture. In one sense risk management is part of the culture no matter what is articulated in policy – an organization can have a cavalier approach to risk taking, a structured approach to risk taking and oversight thereof, or anywhere in between. The organization needs to clearly spell out how the organization approaches risk taking, ownership, management, and ongoing monitoring of risk in the organization.
  • Risk Strategy. Following on the heels of risk culture, the ERM policy should next deal with how ERM aligns and integrates with corporate performance, objective, and strategy management. ERM often is disconnected from these areas which makes it of little practical use to the organization.
  • Risk Tolerance & Appetite. The next logical sequence in the ERM policy is to establish the boundaries of risk taking by articulating the organization’s approach and boundaries to risk tolerance and appetite (yes, I acknowledge that some I respect hate the term appetite, but this is where you would include it). It is here that the policy discusses what is acceptable and unacceptable risk. This provides the high-level boundaries and approach to risk taking, though most of the specifics on these boundaries will be found in supporting policies (e.g., credit risk policy).
  • Risk Taxonomy. The ERM policy needs to authorize and give authority to the development and ongoing maintenance of the organization’s risk taxonomy. The highest level structure for risk management should be included in the policy – such as the establishment of risk oversight for areas such as strategic, financial/treasury, operational, and legal/compliance risks. The policy should reference and give authority to the establishment of another document that defines the depth of the structure of risk categories that the organization recognizes and manages.
  • Risk Ownership. You cannot hold anyone accountable for risk unless clear ownership of risk is defined. While specific ownership of individual risks is found in supporting risk management policies (e.g., vendor risk policy, privacy policy, credit risk policy, information risk policy), the ERM policy should state the ownership of risk at the high-level categories defined in the risk taxonomy. It should also be clear on the point that the risk management function does not own risk; the business and process owners are the ones that own risk. The ERM process is there to communicate and provide the infrastructure to manage and monitor risk in support of the risk owners across the business.
  • Risk Assessment Process. The ERM policy is to authorize the formation of risk assessment processes in the organization. The policy itself should outline the expectations of required periodic assessments such as an annual ERM assessment process, and is to authorize the establishment of more specific risk assessments that are established in supporting risk management policies. This section of the policy should identify the approval needed to establish a risk assessment, what structure is provided, and how the assessment gets communicated and integrated into the ERM structure.
  • Risk Infrastructure, Documentation & Communication. Documentation of risk, risk taking, risk acceptance and ownership, as well as assessment, management, and monitoring activities for risk are critical to a successful ERM program. An organization cannot hold individuals accountable for risk taking if there is not clear documentation on the risk. This section should authorize the establishment of an enterprise platform to monitor ongoing risk management processes across the organization. It should also establish a warning against the use of technologies such as spreadsheets for risk assessments, which lack proper audit trails and a system of record of risk activities.
  • Mitigation & Response. The ERM policy should articulate the proper response plans to risk, such as risk transfer, risk acceptance, risk mitigation, and risk avoidance. While much of the detail of this will be worked out in supporting risk policies, it is in the ERM policy that they are defined at a high level.
  • Key Risk Indicators. Ongoing monitoring for risk is critical to a successful ERM program. This involves the authorization and establishment of a process to gather metrics on Key Risk Indicators that are further defined in supporting policies. The ERM policy should provide guidance on how KRI information is collected and how often, and establish that KRIs are to be relevant to the business and mapped to the Key Performance Indicators of the business.
  • Risk Training. Individuals throughout the organization have some role in risk management as part of their day-to-day oversight, management, and activities; it is necessary that risk culture, risk taking, and risk responsibilities be clearly understood at all levels of the business for the various business roles and the risks they encounter and manage. The ERM policy establishes an ongoing risk training and awareness program to communicate and educate employees, stakeholders, and business partners about risk.
  • Risk Budgets/Funding. The ERM policy should establish and authorize the financing for risk management and oversight activities. This ties into other sections of the ERM policy as well as supporting policies to clearly define what budget areas various risk activities will be financed from.
  • Risk Activities (calendar). The ERM policy should establish what activities are required of ERM on an ongoing/calendar basis. This should include monthly/quarterly/annual reports and assessments, the individuals responsible for them, and who they get communicated to. One of the best examples I have seen of this is at Microsoft in what they have called ‘The Rhythm of Risk’ in which risk management is aligned to the needs of the board and executives based on their quarterly and monthly calendars.
  • Definitions. Finally, as with all policies, a section is needed that clearly states the definitions related to risk and risk management. I encourage the use of standard definitions such as those in ISO 31000 and ISO/IEC Guide 73.

As I stated before, no two risk management policies are alike. What I have provided here is some guidance on the sections I most often include in developing an ERM policy (as well as supporting risk policies). There are other standard sections to policies, such as revision history, that I have not included for the sake of simplicity.

I would love to hear your thoughts on the topic of ERM policies. Please feel free to comment in this forum, or send me an e-mail. If anyone seeks further help in writing, reviewing, and/or revising their risk policies please do not hesitate to contact me.


1 comment

  1. Hi Michael
    Would having policies and/or sub-policies not result in significant detail on organisational processes providing an overload of operational information to the governing body?
    The governing body should set the tone and provide oversight without getting operationally involved.
    Would it not be more appropriate if a Policy is a ‘one pager’ where the governing body sets the tone? Then a framework (of which the Policy is a significant element) details the structure of a process, including the risk management process, and procedures define the workflow steps.
    If a policy is well designed, it would capture the essence of the framework resulting in the governing body guiding and approving the key requirements for the operational management structure of the organisation.
    Best regards
