Business growth. How bad do you want it?

For most business, the holy grail of business is one where the company never stops growing. Money is flowing in all directions, and salaries rise faster and higher than Old Faithful. But, what are the critical elements for such growth?

One is ERM or “Enterprise Risk Management”. While you might have heard of it before, here’s what you missed in business school.

What Is Enterprise Risk Management

ERM refers to risks that a corporation takes on which aren’t always obvious.

The Casualty Actuarial Society originally defined it as “the process by which organizations in all industries assess, control, exploit, finance, and monitor risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”

The Association for Federal Enterprise Risk Management (AFERM) has defined it as “a discipline that addresses the full spectrum of an organization’s risks, including challenges and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view. ERM contributes to improved decision-making and supports the achievement of an organization’s mission, goals and objectives.”

One defining characteristic is the fact that the risk isn’t necessarily known, and that the company must plan for it.

That they aren’t expected is what is so risky. Often, the risk that hits an organization isn’t one the company was expecting to have to deal with. This is why business often take measures to mitigate unforeseeable risks.

But, more traditional approaches to managing risks aren’t working like they used to. This has led to an ongoing progress in developing new principles for ERM.

What Are Common Characteristics Of ERM?

The Risk and Insurance Management Society defines seven characteristics that are common in ERM:

● A strategy that deals with all areas of organizational exposure to risk, including operational reporting, financial, governance, strategic, reputational, and compliance.

● A strategy that prioritizes and then manages these exposures holistically, rather than as individual risks.

● A system that evaluates the risk of everything in the full context of all significant internal and external environments.

● A system that integrates risks and manages them appropriately.

● A system that looks at the effect of management risk as a competitive advantage.

● A system that integrates risk management into the company’s culture.

Does that sound comprehensive? It is.

However, a system like that can’t be built from a “bottom-up” approach. It needs to incorporate risk management into the planning process and make it part of the company’s culture.

Another aspect of ERM is that it’s not an end in itself but rather a means to an end.

ERM In The Government

One institution that many companies model when it comes to risk management is government. Although the concepts of ERM have been built in the private sector, the public sector has done a lot to refine them. In 2004, FSA (Office of Federal Student Aid ) hired a chief risk officer who was the first person in the federal government to have such a position. Stan Dore, the individual tasked with ERM implementation for FSA has helped define and implement ERM solutions at the federal level and continues to be a driving force to reduce risk for the FSA.

How To Get Started In Your Own Organization

And, while it’s easy to talk about implementing an ERM solution, at the end of the day you need concrete steps for implementation. The first step is to create a working group. Next, you need to brainstorm events and scenarios. Next, you must rank the risks your corporation may face. Then, you must implement controls and solutions. You also need to appoint a point person who will be responsible for implementation and establish metrics for the ERM system you put into place.

So, starting with the workshop. This is where you form a group that includes a representative from every department. Each person plays a pivotal role in internal investigations. This might include, for example, an HR person, head of corporate security, IT administrators, your CFO, and head of legal department.

The purpose of the group is to brainstorm and come up with a set of challenges or risks that the company faces. For example, a brainstorming session might reveal information leaks in a department, or security risks in IT or HR personnel.

Next, rank those risks and the likelihood of them occurring. You don’t need to be very precise, but you do need relative risk and an understanding of how each might impact your operations. Once that’s done, think of controls and solutions to those problems so that the risks don’t undermine your company.

The last steps involve appointing a person who can oversee and manage this strategy and then establish a way to measure and monitor it.