I get asked two questions constantly:
1. What is the most important thing my organization can do when implementing ERM?
2. Are there any best practices, or benchmarks for doing ERM well?
Let me address the first one here, and I will look at the second in a later blog entry.
The most important thing you can do when implementing ERM is to just start doing it. I have seen many organizations contemplate, discuss, meet and devise action plans related to the implementation of risk management, only to get distracted by “regular business”. This is the biggest killer of ERM initiatives.
Why do people get stopped before they start? Typically, it is because they see the task of implementing ERM as too large, too complex, or needing too much of the organization's involvement to be effective. This doesn't have to be the case. I will provide some practical advice, based on working with hundreds of customers, across almost every country and industry.
1. Find an area of the business which is most critical, or posing the biggest problem.
– You don't have to eat the whole elephant all at once. Instead, you should look to take small bites. If there is an area which is critical to your organization's success, say capital projects, then start there. Get some wins, show some success, and before you know it, the elephant is eaten.
2. Show how ERM is beneficial to the group you are working with.
– No one likes to be forced into something. An initiative from “corporate” is usually something people want to get away from, not support. If you are going to be successful, you will need to translate ERM into a benefit for the individuals involved. Is what you are implementing going to result in less work, easier work, better results, positive attention, a safer workplace, etc.? If yes, then describe it like this. People want to do things which make THEIR lives easier. Helping the company do better is not by itself enough to get most people excited.
3. Reward and Show Success
– Implementing ERM in a business is critical, but not easy. If you want everyone to embrace it, you need to show success, reward the behavior you want, and reinforce the good points. If you complete a risk assessment, and find something good, communicate the finding. Shower the people with praise. They are doing what you want, so you should tell them.
4. Communicate, Communicate, Communicate
– Do you like it when you don't know what is going on? Neither does anyone else. You can't just show up out of nowhere and say “ok guys, today we are going to start implementing ERM, and here is what I need you to start doing”. That simply will not work. ERM is a process, and so is the implementation of it. You should look to communicate the Why, What, When, Where, How and Why again, on a regular basis. See point number 2 on keys to get across when communicating. Also, ensure the communication comes from all levels, not just the top. It's important to know that your executives support it, but it's also important to know the people you see every day do too.
Finally, just get to it. There is no time like now to start. The world is changing. The demands on risk managers and organizations are greater now than at any other point in history. We must do a better job, and start using ERM to its full potential. If you don't know how, start with the ERM Readiness Guide, which can be found on our website. This has great information in it, which any company, government, or group can use.
ERM can make a huge, positive impact on your organization, but only if you start doing it.