How to Build a Successful Enterprise Risk Management Program

Presented by SAS Institute 60 Minutes

An enterprise risk management (ERM) program is more than a collection of organizational functions. ERM integrates all risk efforts under one set of common definitions, process framework, and system solutions. Join a banking/security leader to hear how she developed and grew her institution's ERM program, including how to:

Determine your organization's risk appetite;
Initiate an ERM program;
Monitor on an ongoing basis your alignment of strategy, risks, controls, compliance, incentives and people

Background

Enterprise risk management is not just a function of an organization. It's a culture that can be developed and enhanced. Each leader already plays a risk management role for its organization. ERM is the organization's umbrella effort of risk management, and it is three dimensional because it:

Integrates all risk efforts under one set of common definitions, process framework, and system solutions;
Brings together the different types of risks, the time spectrum and the organization's decision frame;
Is a continuous process and evolves and matures with the organization.

A common set of definitions, process framework and system solutions allows the ERM team to bring all risk management efforts together to: (1) set the appropriate risk tolerance levels for the organization and each functions (2) bring transparency on risk management efforts and resource allocations (3) create synergy in risk management efforts and renders more effectiveness.

Each function will identify and treat risks associated with its functional orientation. There is a benefit in synchronizing the risk types, with its time character and the organization's decision frame to provide a more holistic and integrated coverage.

And finally, risk management is a process, not a project. Thus, should be customized to your organization's culture and risk appetite. Just like any process, it needs to continuously refine and revaluate its approaches, seek feedback, be supported by a common system solution, and celebrate successes along its journey.

A GRC program is designed to support a holistic view of governance, risk, compliance and business strategy execution to minimize redundancy while anticipating future circumstances and heading off any conflicts to meeting goals. GRC programs promote the timely, consistent and accurate capture and maintenance of all material issues, arising during the course of business, in an auditable system of record. GRC, like ERM, is three dimensional, and is comprised of:

Performance management, which addresses reliable achievement of objectives through effective management of business processes that are visibly and objectively measured
Risk management, which addresses managing the uncertainty associated with the pursuit of objectives
Compliance, which addresses voluntary promises that must be kept and laws and regulations that must be obeyed as objective are pursued

Together, ERM and GRC promote transparency, contingency, and risk appetite aspects of the corporate planning and strategy process by:

Addressing considerations that fall beyond the boundaries of business/economic scenarios;
Substantiating, or eliminating, any contingencies;
Helping to accurately shape objectives to ensure the Board-directed risk return trade-offs are reflected.