Risk management is not a separate module or product. Instead, it is an approach that adds value to both top-down and bottom-up activities within the organization.
Risk management is in everyone's job description, and ERM is about identifying the risk management aspect of every role and connecting the dots automatically, using the "Six Degrees of Separation" theory that I discussed in my last blog post, to get straight to the people who know the risk and are responsible for it.
Business areas have a large number of interdependencies, and therefore overlapping activities, that cannot be identified today because of the heavily siloed nature of most organizations. ERM is about achieving cross-functional transparency across the organization so that it can make more strategic risk/reward decisions by seeing the complete picture, enabling better business performance and more efficient corporate governance. A structured ERM framework, or risk taxonomy, identifies the valuable information that is reusable across business areas and eliminates unnecessary redundancies.
Many governance activities, like insurance and compliance management, are things that we have to do, but few enjoy doing them. Such activities tend to be tedious and repetitive and, due to the pressures of business, are often done in form without substance. In the best case, they are a never-ending chase-and-remind exercise to match operational activities to requirements; in the worst case, they are a checkbox activity with no way of determining whether operations is actually doing what it is supposed to be doing. This is somewhat like having two separate processes: those who run the business, and those who answer requirement or compliance questions as best they can without any assurance that operations actually runs that way. What if there was another way? What if you could focus on generating business value and helping operations achieve its goals while automating compliance with no additional effort? That is where ERM software tools become a game changer.
ERM can be applied anywhere (to any business area, project, division, and so on; you just have to start somewhere), so let's explore an example of how ERM software using the Six Degrees of Separation theory works in a real-world solution.
Many risk managers are also responsible for managing insurance at their organizations, so let's use an insurance example to illustrate the solution. In E&O insurance, for example, insurance companies require seemingly innocuous assertions about how your organization's operations and governance are managed, covering operational controls, management of content and privacy exposures, computer system controls, computer system access protection, data backup procedures, and data encryption procedures, among others. Although it is very easy to check the box on the application stating that procedures exist at your organization and are followed, the risk is that, should the insurer determine that those representations about procedures were not correct, or that changes in those procedures were not reported to the insurer, it has no obligation to pay any claims on the policy. Of course, the insurer has no motivation to verify this information at the time of application or renewal; the time it will check this information is when your organization makes a claim.
ERM software, unlike Risk Management Insurance Systems (RMIS), uses the six degrees of separation theory and already knows all the material relationships between business processes, activities, and the resources they rely upon to get the job done. This is called a "risk taxonomy". Managing all these dimensions and connections manually is a near-impossible task. However, an ERM software system lets you quickly and easily start connecting the dots and automating all types of compliance. Since all the work needed for compliance is already being done by someone in your organization (remember, you checked the box on the insurance application stating that the policy exists and the procedures are being followed), your ERM software will now automatically determine the responsible person in the organization and prompt them to confirm their responsibility. Next, your ERM software will automatically reconfirm with each risk owner every year and notify you the moment something changes. Currently, all this work is done locked away in spreadsheets where nobody knows about it or can "see" it. An ERM software system simply makes this work easier for everyone involved by connecting the dots for you.
The risk owner of the control gets an automated, structured way to handle tasks they hate doing, and you no longer need to spend your time chasing and reminding them to hand over their work or evidence that the work was done. Since the ERM system is helping them get the work done, you both get compliance with no additional effort and a quality of performance superior to anything that can be achieved manually.
Although this example applied ERM to a traditional risk management, insurance and safety role, risk is in every job description. A key to success is to gain some experience applying ERM to your current job description, where you spend the majority of your time, and then spread that success story to other areas less familiar to you.
Check out this ERM/GRC success story to see how it works.