Jonathan Blackhurst discusses the cultural change that may be necessary to embed ERM

A company's culture, particularly its management style and level of buy-in to enterprise risk management (ERM), continues to create the most significant challenges in promoting and embedding risk management within an organisation. As reported in the Protiviti Enterprise Risk Management survey, conducted by StrategicRISK, three-quarters of firms surveyed identified culture and buy-in as the main obstacles to achieving ERM.

As outlined in the COSO ERM framework, one of the components that drives ERM in an organisation is internal environment and company culture. It is the company culture (management philosophy, appetite for risk, board oversight, business integrity and values, management style, competence and values, and authorities and responsibilities) that provides the foundation on which an ERM programme is to be built. Culture shapes how strategy and objectives are determined, how business activities are structured and how risks are identified, assessed and acted upon. It influences the design and implementation of control activities, information and communication systems and monitoring activities.

Therefore, failure to ingrain ERM into a company's culture can mean that the culture becomes a major obstacle rather than a benefit. So how does an organisation go about getting buy-in to ERM in order to begin the cultural change that embeds risk management into the behaviour and activity of all staff? We suggest you concentrate on the following key areas.

Top level commitment

The risk management process starts at the top of any organisation, with a committed executive management who need to demonstrate their support for ERM. Without the sponsorship and influence of the board and senior management, the work of embedding risk management into a company culture and getting buy-in further down the management chain will not get anywhere. The senior management team needs to lead by example through consistent actions towards risk management, and model the risk culture that the organisation will then work to embed.

A committed board of directors must be prepared to question and scrutinise activities relating to strategy, business planning and performance, present alternative views and act against any areas that do not support ERM-focused cultural change.

The board must also do more than just pay lip-service to the need for good risk management and must take firm actions on the matter. Its comprehensive commitment to installing and maintaining ERM must be reflected in the time and resource it makes available to the initiative.

In order to achieve the best results, the ERM initiative must be integrated into existing management processes and linked to the significant issues that are on the senior management agenda. If risk management is seen as an appendage rather than an integrated element of the business it will not receive sustained commitment from the executive management of any organisation.

Shared vision

It is important that, once the underlying need for ERM is understood and is being led by the senior management, the organisation provides a compelling, shared vision for the future business environment. Focus should be placed on the big picture, in order that the confidence and attention span of senior and operating management is retained. If this focus is lost, the initiative may deteriorate to the point where risk assessments get over-involved in the process level of an organisation, rather than being implemented across the enterprise. There is nothing like wading through lengthy lists of risk factors to sap management commitment.

Clear, realistic goals

When setting the objectives for risk management, firms must ensure they do not exceed their capacity to actually execute the risk management activities. In short, goals should be understandable, measurable and actionable.

A well-defined plan for ERM provides an organisation with a roadmap with clear milestones to monitor progress. Within the plan, management checkpoints can be put in place to serve many purposes. Most importantly, they keep the programme on-plan and on-strategy, serving as both a reality check and a reaffirmation of management support. They can also provide needed motivation to move the activities along the route to meeting the outlined goals.

ERM should not be about sophisticated risk modelling capabilities if the organisation is not ready for or able to understand them. Implementing complex frameworks without establishing a solid foundation is a recipe for failure. A key challenge to organisations with embedded frameworks is to determine whether the current risk management capabilities are set at the right level.

Stakeholder involvement

Identifying key personnel across an organisation and gaining their support for ERM implementation is an important early step in affecting the organisation's culture. If inadequate attention is given to risk management and to keeping people engaged, the initiative will falter. Working with these stakeholders and providing them with the route from awareness to buy-in and ultimately to ownership will mean a successful transition to an ERM approach to risk management.

An understanding of the organisation's accountability issues is one of the most vital steps in the ERM buy-in process. One goal of ERM is to incorporate risk management into the daily agenda and decision-making processes of the organisation. This means that ultimately, every manager is responsible for risk management. This can only happen if goals are clearly articulated, and the appropriate individuals are held accountable for results.

Operational management

One specific group of stakeholders is operational management. Operational managers have many roles and responsibilities. They manage inventories, plants, equipment and other physical assets, products and processes, brands, external relationships with customers and suppliers and staffing resources. These sources of value are affected by many uncertainties. It is clear therefore, that operational management can benefit from thinking about the risks they face in the future and the alternatives available to managing those risks.

Buy-in of operational management is vitally important for any ERM initiative. This buy-in is obtained from operating managers through focused senior management support and by making sure that operational management are convinced that ERM will assist them in managing their business units and divisions more effectively.

Focus on the human side

All too often, businesses engaged in implementing ERM limit their efforts to technical matters such as policies, processes, measures, reports, systems and data, all of which define the infrastructure for a risk response. While important, these are not the only objects of cultural change. A common language, effective communications, risk awareness and effective knowledge-sharing also require attention.

Strong implementation

The ERM implementation process must be supported with dedicated resources, appropriate standards, best practices, measures and feedback mechanisms. The use of piloting, as well as clear communications regarding the purpose of ERM, are vital in empowering key personnel to do what they need in order to be successful.

Senior and operational management can buy in to the ERM initiative. But there will not be change in the company if it cannot change how people think, how they work and how they use the resources around them. It is therefore important for firms to focus on creating awareness among all employees and on communicating the need for change, the possible outcomes and the plan being used to reach the end solution. Critically, all staff must understand their own roles in the process.

Extensive training and awareness-raising on risk management need to be carried out. Employees need to understand that the changes being made will make the company more resilient against failure, but they must also be assured that risk management is not an add-on burden. If employees are not fully aware of the need for change and do not understand the extent to which ERM embeds risk management into a business, they are more likely to resist the change or, worse still, only offer half-hearted acceptance.

Integrate carefully

ERM cannot be seen as an independent initiative but must become an integral part of existing business processes. Management must build on current practices that support the risk management vision and develop new or improved procedures, tools and techniques that will be accepted within the organisation. By integrating these procedures, tools and techniques into already established processes, management achieves true embedding of ERM rather than implementing just another programme of work and expectation on business management.

Identify pay-off

Behaviour is strongly influenced when accountability for results is linked to a reward system. Accordingly, in risk management, it is important that performance expectations create incentives for balanced results, in other words, that management have strong incentives to set realistic business targets, understand the risks to those targets and adopt the most appropriate mitigation or control measures.

Making the effort to develop tangible outputs from the evaluation and reporting mechanisms rewards management and other interested parties with informative and relevant feedback, the result of which is to ensure that ERM is effective beyond its initial impetus. If well managed, reporting back and appropriately rewarding those who have put in the effort reinforces commitment, facilitates learning and improves decision-making. For ERM to be effective, expectations, performance and reward systems must be aligned. Therefore organisations must constantly strive to sustain a high quality of feedback in order for ERM to be a pivotal 'selling-point' to those made accountable for risk management.

Support and foster the new culture

Understandably, once the new culture is established, businesses might believe they have arrived at their intended goal, but the internal environment needs continuous management.

Management of risks must continue to be an integral aspect of strategic reviews, budget reviews, project planning and business performance evaluation. Business reports to the board need to include analysis of any identified risk.

Any hint that risks are insufficiently under control needs senior management attention, must be discussed in a positive environment and outcomes shared across the business. If it is clear there is any weakness in the control environment, this should be addressed without delay.

The board must continue to lead the culture of risk management and ensure they actively assess the risks when taking decisions.

Conclusion

Even with the right policies, the best processes, and with the most robust risk management systems in place, if an organisation's people are not actively in tune and supporting the risk culture, then any framework will be built on shaky ground. We therefore believe that the process of implementing ERM must combine education, building awareness, developing buy-in and ultimately assigning accountability and accepting ownership. Taking this approach will certainly help any organisation overcome the main challenges it faces in the implementation of ERM.

With this guidance in mind, however, it is important to understand that ERM cannot be seen as a one-size-fits-all solution. Management must decide upon its approach to achieving ERM and the nature of the end state, based on the organisation's size, objectives, structure and management style; and, perhaps most importantly, it must be aligned to the organisation's culture.

The main challenge for business then will be to develop a dynamic ERM framework that clearly articulates its purpose, continuously anticipates and meets the needs of all its stakeholders and achieves buy-in across the entire management spectrum while achieving the strategic goals of the organisation.

- Jonathan Blackhurst is a senior consultant with Protiviti. E-mail: jonathan.blackhurst@protiviti.com