5 Tips for Developing a Successful Enterprise Risk Management Program
Imagine being able to use real time data and analytical tools to help identify and track potential risks that could impact your organization. At IBM, analytics is the next big frontier of risk management, as technology sophistication, coupled with an abundance of data, continues to provide insight into actions.
Effective enterprise risk management programs continually capture, evaluate, analyze and respond to risks arising from changing internal operations such as systems failure or turnover; shifting external markets resulting from political turmoil, a recession or natural disasters; or changing regulations. Risk management requires an organization to align its assets, people, activities and goals, thereby leading to good organizational governance.
IBM has been weaving solid risk management practices into the fabric of our business for nearly a decade. Our program focuses on creating business value and competitive advantage through enhanced risk identification. We embed risk management into the day-to-day operations of our business units and instill a culture that promotes accountability and provides processes and mechanisms for reporting risks.
Is your organization looking to enhance its enterprise risk management program? Following is some advice to help you get started.
- Gain buy-in from upper management and ensure that the board backs the initiative. When it comes to risk management, the tone from the top is very important, especially at the onset. When IBM started its program back in 2006, our CEO, Sam Palmisano, was fully supportive and we met regularly with the appropriate Committee of the Board and periodically with the full Board of Directors.
- Identify risk owners. Each of our enterprise risks is owned by a senior executive who is responsible for managing the risk across the company. This helps prevent “silo” mentalities from getting in the way.
- Build a risk-aware culture across the organization. At IBM, we offer education, forums and tools to build risk awareness and cultivate a risk-savvy culture. This is in addition to the annual business conduct guideline training and affirmation process that are mandatory for all employees and sub-contractors.
- Prepare teams across the organization, not just the core team. Successful enterprise risk management programs require the participation of all staff. It is not possible to detect and evaluate risks if all teams are operating in silos. For this reason, our ERM program closely collaborates with corporate internal audit, business controls, compliance and others operating within and across our global business units. Instituting a governance forum is an additional way of ensuring a cross-enterprise perspective.
- Understand that enterprise risk management is an ongoing process. It is not enough to jot down your organization’s risks once and say you’re finished until the next time. An effective enterprise risk management program utilizes continuous data collection and monitoring to illustrate the big picture. Because a successful program is not “one and done,” it is important to allocate resources appropriately.
The future of enterprise risk management remains bright. At IBM, our program’s journey began with enhancements to our governance and practices and has since evolved to focus on leveraging risk analytics, which will improve decision making going forward. The best analytics are simple and fully integrated as part of the management system. Analytics have the potential to describe what happened, what might happen, the best action to take based on that knowledge and lastly what the best course of action is. Analytics will allow us to make data-driven business decisions that will lead to improved outcomes. While the evolution of cognitive computing, big data applications and related tools continues to drive value to IBM and the customers we serve, we recognize that information has become the world’s most precious technical resource and, therefore, we are making strides to exploit technical innovations for our own use and that of our customers.
For more information on risk management tools and technologies, read The Use of Information Technology in Risk Management white paper. When it comes to enterprise risk management, CPAs can also play an important role in providing independent evaluations of the effectiveness of an entity’s enterprise risk management program. Enterprise Risk Management: Guidance for Practical Implementation and Assessment offers additional information on implementing or evaluation existing ERM programs.
Tom Patterson, CPA, Associate Partner, IBM Global Business Services.
ERM image courtesy of Shutterstock