Kezia Farnham

Senior Manager

ERM strategy: 7 best practices for better performance

According to the American Institute of CPAs, 65% of senior leaders agree that the volume and complexity of corporate risk have greatly changed over recent years. Yet, that same report found that only 33% of organizations had complete enterprise risk management (ERM) processes.

Bridging that gap depends on strategy: understanding what enterprise risk management is and adopting a strategy to put that understanding into practice. To help, we’ll explain:

• The role of strategy in ERM (with an example)
• The two strategic approaches to start with
• Seven key best practices
• Features to look for in ERM software

What is strategy in ERM?

Strategy is the first component of ERM. It sets the stage for all other aspects of ERM because the strategy defines how the company will approach risk. When a company sets a strategy to assess risk based on the opportunity it presents, they’re setting an ERM strategy. Every other component that follows is the tactics that see the strategy through.

ERM strategy example

An ERM strategy statement might read something like: “To enhance firm performance by optimizing operations based on potential future risks.”

How the organization goes on to identify and respond to risk are actions that put that strategy in motion. In this example, the organization would identify risks that may threaten firm performance and then strategically adapt operations to avoid or even capitalize on them.

2 common approaches to ERM strategy

There are many different ways to structure an ERM strategy and just as many components that strategy can include. Building an ERM framework can come down to how mature the ERM program is, whether or not the organization uses ERM software or simply the size of the organization and the resources it can reasonably dedicate to risk.

Two of the most common approaches are:

1. Three lines of defense: This model splits responsibility for ERM into three functions: those that own and manage risk, those that oversee it and those that offer independent assurance. A divide-and-conquer approach like this one can help even smaller organizations implement a more comprehensive program.
2. Action-oriented: This model helps organizations use resources more effectively. It categorizes risks into tolerate, operate, improve and monitor, so risk teams can quickly identify which risks warrant more attention than others.

7 ERM strategy best practices

We walk you through how to develop an ERM framework in another article. Those steps are essential, but they’re also only the beginning. Sustainable ERM performance starts with commitment at all levels and requires different people and practices to work together.

To do that, organizations should:

1. Develop a single vision of risk: The board may see risk one way, the CEO may see it another way, and the CFO may have yet another perspective. This can create competing priorities, which is the enemy of effective ERM. Engage in strategic collaboration between the board, executives and management and recruit plenty of risk data to form a unified approach.
2. Think outside the box: Traditional risk management thinks more linearly about risk, e.g., digital properties are at risk of hackers. But modern risk is ever-evolving, so organizations need to think as creatively as bad actors do. Brainstorm as many risks as possible so you can form a response plan for any threat imaginable.
3. Design a communication plan: Good ERM isn’t privileged information. The more employees know about and understand the organization’s approach to risk, the better. Develop a plan to communicate the initial ERM strategy, then have a second plan to quickly give notice in the event of a crisis so everyone knows how to proceed.
4. Have clear roles and responsibilities: In addition to your communication plan, take the time to clearly define who is responsible for what. This ensures that no mission-critical tasks fall through the cracks, and everyone knows what they’re responsible for should a potential risk evolve into a tangible event.
5. Be nimble: ERM is supposed to be flexible. Yet, many organizations struggle to adapt to risk. Don’t be afraid to recategorize a risk or develop a new protocol; as with anything, change is the only constant in ERM.
6. Be always on: Risks exist both during and outside of business hours. Organizations should get in the habit of continual monitoring so no critical events go undetected or unmitigated. Always-on also means tracking the progress of the program so risk teams can tighten practices that work and improve those that don’t.
7. Use real-time data: There is no ERM without data. Some data helps detect risk (e.g., auditing financial statements), while others track how effective the ERM strategy is (e.g. the number of risks detected). Keep these metrics close to create reports that verify the program is on the right track.

Using ERM software to strengthen your strategy

As corporations look to adopt an ERM strategy, integrating software is a natural next step. Today’s ERM software can do everything from centralizing ERM metrics to managing internal controls. While not every solution can do it all, it’s also important to consider that more isn’t always better.

“According to Forrester, on average, Fortune 500 companies have six risk management platforms. And that’s after the last few years, where we’ve all been consolidating solutions and vendors. The biggest issue here is that with six solutions, you don’t communicate properly, and when you don’t communicate properly, it’s impossible to see the bigger picture,” says Renee Murphy, distinguished evangelist at Diligent.

Companies looking to sidestep the pitfalls of juggling different solutions should look for a single ERM software that:

1. Offers strategic risk insights: Getting insight into each area of the organization is a common pain point for risk officers implementing an ERM strategy. Software solutions can centralized insights, offering customizable insights and one-click reports that make it easier to take action on the most pressing issues.
2. Detects, evaluates and monitors risk: Software can use real-time analytics to not only monitor and detect risk but also predict future threats. You can also automate monitoring to implement an always-on strategy more quickly.
3. Facilitates collaboration: ERM isn’t a one-team effort. It requires cross-functional collaboration that’s much easier with the right software solution. Quickly get a view of risk across the enterprise.
4. Is customizable: Every organization is different, both in how they’re structured and how they’ll approach ERM. Look for software with workflows you can configure to meet your specific needs without departing from best practices.

Enhance your performance through ERM

The risk landscape is evolving by the day, which is why there’s no time like the present for jumpstarting your ERM strategy. Whether you’re just starting or ready to mature your approach, there are steps you can take to turn risk management into your competitive advantage.

In this guide, we’ll walk you through the seven steps businesses can take to get a more comprehensive view of risk and use that view to make better decisions. Download it here.