Michael D. Moberly February 8, 2010
As with other enterprise-wide business initiatives, advocates of an enterprise risk management (ERM) program, and those charged with implementing it, will likely encounter internal obstacles and resistance.
Initially, ERM advocates should strive to achieve acceptance of, and consensus on, two points: (1) business risks are real, pervasive, and asymmetric, and (2) business risks today extend well beyond financial risks to include risks to intangible assets.
It is also essential for ERM advocates to recognize the importance of bringing a wide range of business and operational units to the ERM table, all the while recognizing that each unit will be inclined to conceive and portray enterprise risks narrowly, to fit its own interests, perspectives, and operating 'turf', which it will present as the linchpin of the company's sustainability. Entering initial ERM planning discussions without a clear, respectful, and well-articulated repertoire of dialogue geared toward elevating awareness and achieving consensus will likely exacerbate, not mitigate, those obstacles, that resistance, and the turf-protection inclinations behind them.
The initial ERM planning discussions should especially focus on getting team members to recognize that today's business risks are seldom subject to compartmentalization, or to containment within a single (targeted) business unit. Instead, business risks today are internally interconnected and will likely produce cascading effects that ripple throughout a company, with particularly adverse effects on a company's intangible assets, i.e., brand, reputation, image, goodwill, internal and external relationships, know-how, etc.
An especially prudent ERM strategy is to avoid the common risk management pitfall of being drawn into subjective, and often argumentative, 'dark hole' questions, i.e., being asked to prove a negative. This is best avoided by preparing business-focused responses in advance to the proverbial challenges: (a) if this risk hasn't materialized yet and adversely affected the company, why do you think it will now?; (b) why should the company assign resources (beyond the very minimum) to mitigating risks that have not, and may never, materialize?; and (c) if a risk does materialize, demonstrate how it will have the dramatic, adverse, enterprise-wide effects you suggest.
An equally important preparatory responsibility for the ERM team is to integrate respectful and well-articulated business plans into the initial ERM planning. The importance of this cannot be overstated. These plans should clearly (a) demonstrate how ERM will favorably affect each business unit, (b) objectively and dispassionately describe the company's operating options should ERM be rejected, and (c) provide plausible return-on-investment metrics for decision makers should they elect to undertake an ERM program.
A key to successfully integrating an ERM program is getting the ERM team, business unit management, and company leadership to reflect on and recognize the universality of business risks, and their rapidly cascading (ripple) effects, as the primary business rationale for ERM. That is, the rationale is to address business risks enterprise-wide in order to achieve collaborative, coordinated, and timely responses: preventing some risks from materializing at all, and effectively and rapidly mitigating those that do.
(This post was adapted by Michael D. Moberly from a document produced by ASIS International's CSO Roundtable titled 'Enterprise Security Risk Management: How Great Risks Lead To Great Deeds'.)