Recently I wrote a column on enterprise risk management (ERM), which is an integrated approach to risk management increasingly popular in the
Fuller worked in multinational conglomerates and spent time in professional services with PricewaterhouseCoopers completing compliance audits and offering technical expertise. He recently presented in
1. Management must accept and choose a risk management framework like The Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO helped to build a risk management framework for organizations after high- profile business failures like Enron drove calls for increased risk management governance. Using a framework like COSO’s ERM framework is, “The start of a communication tool using common language throughout the organization,” Fuller said and important to ERM success in any organization.
2. Lack of senior management commitment. “Any initiative will fail if senior management is not committed,” Fuller said. Personally, I don’t know any risk management professionals who would disagree with this statement.
3. No designated risk management and change-process owners at the senior level or in each business unit. According to Fuller, “There needs to be ownership within the organization at senior- level management with clearly defined roles and responsibilities.”
4. Organizations must have a plan to move from the current state to the desired state. “With that plan, there must be tasks, roles, resources and time lines. It’s not just a plan that says, ‘Yes, we’re going to do this,’ but steps must be clearly outlined with a way to monitor progress,” according to Fuller.
5. Fuller believes that measurement tools will facilitate the alignment of activities to the overall business objectives. Then, match resource allocations (capital, operating expenses, people) to those objectives. “Put your dollars where they should be placed based on the risks,” Fuller said.
6. An organization should formally roll out a communication plan and training curriculum to develop risk management awareness and core competencies in the company. Training to those core competencies is needed, as well.
7. When a risk management program is in place, reinforce its use by aligning human resource mechanisms to that program. Fuller recommends incentivizing employee participation. Begin the process with qualitative measurements like meeting attendance, Fuller recommends, then add quantitative measures later.
8. Organizations must develop an ongoing monitoring mechanism to ensure the risk management mandate is implemented. “Every time you identify risks, the organization must develop a strategy to mitigate those risks. These are nothing more than action plans. Someone has to monitor the action plans and report to management and company governance. This is typically internal audit teams.”
Fuller helps clients identify and assess their risk and develop risk management strategies. He can be reached at Hudson or at firstname.lastname@example.org