What is ERM?
The abbreviation “ERM”, for Enterprise Risk Management, has a firm place in the management practices of larger business organizations. There may be some variation in specific objectives across ERM programs, or in the key process steps of the program, but all ERM frameworks involve identifying and naming the risks impacting a business, understanding those risks, and deciding what (if any) action to take to mitigate them. With elements of financial, operational, strategic, and legal/compliance risk, the ERM process in a larger company involves a multi-disciplinary team and a significant allocation of resources. In most cases, a small or medium-sized business (SMB) cannot afford that kind of dedicated ERM effort. But SMBs should apply the same methodology in a scaled-down way.
All SMB owners probably have the most critical business risks on their radar. But they may have overlooked or not fully understood some of the important risks. Or they may not have rigorously assessed the magnitude of the risks or identified, developed, implemented or monitored the risk mitigation steps. A robust ERM review almost always identifies some important risks in need of better recognition, assessment and mitigation.
ERM is more than a conversation with your insurance agents (although they are important members of the team). It is worth a two-hour exercise with your legal, insurance, and accounting advisors, along with your business team, to identify and name the key risks, assess their likelihood and consequence, and follow a written plan to mitigate them. The more business team leaders you include, the more likely you are to get a full picture of the business risk environment and to establish a common vision and objectives for the ERM process.
The ERM Program
A senior manager should “own” the ERM process and start by creating a written framework that provides structure for categorizing risks and quantifying their likelihood and consequences. For many SMBs, this should be the CEO. In other cases, especially where attorney-client privilege might be important for robust discussion of sensitive risks, legal counsel should manage the ERM process. All of the team members should collect their thoughts within this framework and be ready for a thorough and efficient discussion. The “owner”, in consultation with legal counsel when involved, should document the meeting results and revisit the analysis at a suitable interval. Depending on the risks the team identified and the gaps in understanding, assessing or mitigating those risks, regular quarterly reviews might be appropriate initially. Once the analysis is documented, an annual or semiannual review routine might be sufficient.
When the process is sufficiently underway, you should report to your company’s board of directors on ERM efforts and results, and ideally incorporate annual ERM reports in the board calendar.
As you start the ERM process, consider some of these risk categories:
- environmental and regulatory
- raw material, utility and infrastructure
- business and competition
- intellectual property
- legal liability
- technology change
- information technology
Assign a specific team member to identify and lead a discussion of the risks in each particular category.
It is often useful to construct a risk matrix, with the likelihood of the risk occurring on one axis and the consequence of the risk (on cash flow, business value, etc.) on the other axis. The team can focus its attention on the risks having a higher likelihood of occurrence and a more significant consequence. Then the team can consider the other important risks in detail later in the process.
Finally, establish a sequence of regular meetings to periodically discuss and update the risk management analysis.