ERM Fundamentals

You have to start somewhere.

My suggestion it that rather than starting with someone else’s idea of ERM, you start with what YOUR COMPANY is already doing.

In that spirit, I offer up these eight Fundamental ERM Practices.  So to follow my suggestion, you would start in each of these eight areas with a self assessment.  Identify what you already have in these eight areas.  THEN start to think about what to build.  If there are gaping holes, plan to fill those in with new practices.  If there are areas where your company already has a rich vein of existing practice build gently on that foundation.  Much better to use ERM to enhance existing good practice than to tear down existing systems that are already working.  Making significant improvement to existing good practices should be one of your lowest priorities.

  1. Risk Identification: Systematic identification of principal risks – Identify and classify risks to which the firm is exposed and understand the important characteristics of the key risks

  2. Risk Language: Explicit firm-wide words for risk – A risk definition that can be applied to all exposures, that helps to clarify the range of size of potential loss that is of concern to management and that identifies the likelihood range of potential losses that is of concern. Common definitions of the usual terms used to describe risk management roles and activities.

  3. Risk Measurement: What gets measured gets managed – Includes: Gathering data, risk models, multiple views of risk and standards for data and models.

  4. Policies and Standards: Clear and comprehensive documentation – Clearly documented the firm’s policies and standards regarding how the firm will take risks and how and when the firm will look to offset, transfer or retain risks. Definitions of risk-taking authorities; definitions of risks to be always avoided; underlying approach to risk management; measurement of risk; validation of risk models; approach to best practice standards.

  5. Risk Organization: Roles & responsibilities – Coordination of ERM through: High-level risk committees; risk owners; Chief Risk Officer; corporate risk department; business unit management; business unit staff; internal audit. Assignment of responsibility, authority and expectations.

  6. Risk Limits and Controlling: Set, track, enforce – Comprehensively clarifying expectations and limits regarding authority, concentration, size, quality; a distribution of risk targets

    and limits, as well as plans for resolution of limit breaches and consequences of those breaches.

  7. Risk Management Culture: ERM & the staff – ERM can be much more effective if there is risk awareness throughout the firm. This is accomplished via a multi-stage training program, targeting universal understanding of how the firm is addressing risk management best practices.

  8. Risk Learning: Commitment to constant improvement – A learning and improvement environment that encourages staff to make improvements to company practices based on unfavorable and favorable experiences with risk management and losses, both within the firm and from outside the firm.

Explore posts in the same categories: risk assessment, Risk Culture, Risk Identification, Risk Learning, Risk Limits, Risk Management System, Risk Treatment


You can comment below, or link to this permanent URL from your own site.

2 Comments on “ERM Fundamentals”

  1. Andrew Howe Says:

    As usual, a very strong article: short and to the point. Given this, it’s easy to focus without losing the thread. Several things occur to me.

    First, the items might be usefully re-ordered, both to group the most related items and – at least by putting the culture at the top – to suggest some prioritisation. My order would be:

    1. Risk Management Culture
    2. Risk Learning
    3. Risk Organization
    4. Risk Language
    5. Policies and Standards

    6. Risk Identification
    7. Risk Limits and Controlling
    8. Risk Measurement

    The break between 1-5 and 6-8 is intentional and hopefully comes through. Partly the distinction (in my mind at least) is that 6-8 are the more technical aspects.

    Second an important aspect is the (typical!) level of difficulty of 1-8 (I’m looking forward to re-reading the 8 links to find out more). In my experience 3-5 can be relatively straightforward given a cooperative organisation – or even a couple of individuals with sufficient interest. What’s more, most of the effort is up front. IMHO 3-5 typically get too much attention in books, conferences etc.

    1-2 are linked and, given the right behavioural aspects – including sufficient humility – shouldn’t be overly hard. They are not technically difficult. But (as you’ve said) “culture is the most fundamental fundamental”. See and for some horrible things that happen when culture is weak.

    Risk identification tends to get quite a lot of coverage in the literature without actually saying very much! The link to the core business is often very weak, with too much emphasis on a brainstorming approach, backed up by risk registers.

    I wasn’t sure of the order in which to put 7 and 8. Certainly the idea of limits and control still has substantial value, even without a deep development of risk measurement. Having said that, bad measurement can badly mislead, giving false assurance and leading to poor resource allocation. Again the naive “probability * impact” beloved of risk registers is partly to blame.

    Thirdly / lastly, what doesn’t really come through is what an organisation wants to achieve through its risk management. In principle this could be included in the “policies and standards”, though an explicit statement regarding what RM is intended to achieve is often absent.

    The aim could be just a traditional focus on the downside or a more enlightened approach to uncertainty management, extending to strategic aspects. In any case, setting this out clearly has to be a prerequisite for any attempt to measure how much value risk management has yielded – and how much it could potentially yield if implemented more broadly.

    • riskviews Says:

      Usually, when I work with a company, they choose from a longer list that I have. Recently, a company choose to start with five of these:

      Risk Identification
      Risk Measurement
      Risk Limits and Controlling
      Risk Organization
      Risk Policies and Standards

      Their primary goal was to build an ERM program that would satisfy regulators and rating agencies and they felt that these were more tangible.

      Interestingly, Risk Language does not turn up on anyone’s list of things that are needed for ERM. But in my experiences, everyone struggles over it. Better to acknowledge that it is a real and important task.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: