Seven Key Steps to Successful ERM Implementation

Step 1: Decide:

Decide that you want an organization that minimizes uncertainty and all that comes from it. If this decision is not supported at the highest level of the organization, do not proceed.

Step 2: Manage the Culture:

Culture exists whether we manage it or not. A culture that is focused on minimizing uncertainty and maximizing execution can be created. In a financial institution cultural change can begin to take place with the establishment of a risk management policy that cuts across the organization. Create a risk policy that clearly but broadly defines five key requirements of your risk management culture:

  • (a) Define the vision and mission of the organization. Why do we do what we do? All future decisions (i.e. the management of risk) must support the mission and vision of the organization.
  • (b) Define the core values of the organization. Future decisions that do not support the values of the financial institution should get stopped early on.
  • (c) Define risk tolerances for every key area of the bank. For treasury, operational, lending, retail, trust, etc. divisions identify generally the returns required and the risks that can be taken at both the management level and the board of director level. These policies don’t replace existing risk management policies, but rather pull them together in one place ensuring consistency in application and approach for managing risk across the organization.
  • (d) Define the decision-making process. In one place, identify how decisions that put the company at risk will be made. Identify who can approve these decisions and at what level decisions may be approved.
  • (e) Establish responsibility for implementing this policy. Risk management policies can be implemented in a multitude of ways. Probably the most effective is to bring the senior leaders of the organization together in what we call an ERM Committee. Bringing these key leaders together to make decisions about risk management across the enterprise generally brings immediate value through improved perspective, communication and project prioritization.

Step 3: Prioritize strategic action steps:

There is no reason to create an enterprise risk management process without first establishing a strategic plan, identifying key prioritized strategic action steps and allocating responsibility for these action steps.

Step 4: Perform an initial risk assessment:

This should consist of an interview of senior management for the purpose of identifying key and immediate business risks or threats to the organization. Summarize, risk-rank and prioritize your findings.

Step 5: Prioritize and allocate resources:

You should now have two fundamental data elements to begin the ERM process. First, you should have a summary of key strategic action items. Second, you should have a list of prioritized risks, taken from the initial risk assessment, that could materially alter or slow the execution of strategy. Bring these two lists together to the individual and/or entity you created to manage ERM in your risk management policy. Ask this group to prioritize and allocate resources to (a) ensure strategies are executed and (b) ensure business risks are reduced to an acceptable level and in priority order to ensure strategy is executed.

Step 6: Measure and re-adjust priorities:

The organization should provide the individual or body responsible for managing enterprise risks with a status update on strategic implementation and risk reduction strategies on an ongoing basis. This body should also receive ongoing reporting of objective measurements of “key risk indicators” (KRIs) from throughout the organization. These KRIs should be delivered to this managing body routinely. The ERM governing body should use these key risk indicators and status updates to determine resource allocations and management priorities on a routine basis.

Step 7: Document and communicate:

The ERM governing body should document the strategies, risks and priorities established across the enterprise and present them to the board of directors for review and approval on an ongoing basis.