The development process for a new Enterprise Risk Management (ERM) system is often disconcerting to experienced business managers. With most new projects the standard approach is to completely define a project in advance and them implement the plan. When that approach is used for installing an ERM system, the result is often an awkward and soon discarded failure.
Continuous Improvement of Risk Management
For a new ERM system to be successful, it needs to be developed by a step-by-step trial and error process. Largely, that is because most companies already have several good risk management processes in place and the ERM program must be carefully tailored to fit around those processes – adding to the organization’s risk management effectiveness without disturbing what is already working right.
In addition, ERM also involves the first time look at a comprehensive risk profile. In many organizations, their first look at their risk profile produces some change in direction for the ERM program development.
But even after the initial development project ends ERM needs to be on a course of continuous improvement. The risks to an organization are constantly changing and the effectiveness of prior approaches to risk management is also changing all of the time.
Risk Learning Process
Many organizations include a risk learning process as a part of their ERM program. One firm made risk learning a regular part of their risk committee meetings. The first 15 minutes of each meeting is taken up by a risk management lesson brought to the group by a member on a rotating basis. We suggested that they look in four directions for the stories to turn into lessons.
- Inward – one of the most important attitudes that develops with an ERM program is that an organization must learn from its experiences, especially from those times when things go wrong. This will be a drastic shift from some firms where they like to dwell on the positive and put bad experiences behind them quickly.
- Outward – while learning from you own experience is important, it is very expensive. It is much less expensive to learn from others’ mistakes. But it takes a disciplined approach to find the things that your organization can learn, instead of celebrating the superiority of your approach.
- Backwards – when looking for lessons, we of course look to the past. When looking backwards, we need to make sure that we are clear on which things are repeatable and which are particular to the past situation.
- Forwards – sometimes, it seems that we are spending all of our risk management time preparing for the last big problem. When looking for things to learn, one place that we need to concentrate is on the future. We need to look at new situations that might arise in the future and the ways that we might prepare for them.
ERM will never be successful as a fixed, unchanging system because risk in the world will constantly be changing, and usually changing in ways that will gradually render old ERM processes ineffective. That is not a failure of those who build ERM systems, it is part of the nature of risk.