When we are new to something, our natural tendency is to seek out well-established, reputable sources for guidance.
As a yummy example, once upon a time, I decided I wanted to make my own homemade chocolate chip cookies. My first step was to refer to the recipe on the back of the bag of Nestle-brand chocolate chips. While this recipe was helpful in making delicious cookies, it was just a start.
When I began my ERM journey, my first step was to check out established standards like ISO 31000, COSO, and others. After much deliberation, we ended up settling on the AS/NZS 4360 ERM Standard because it seemed like a good fit for the quasi-governmental, nonprofit organization I was working for at the time.
But like so many others…
We soon learned that ERM standards, especially at the time, did not help us identify and assess enterprise risks to better inform OUR ORGANIZATION’s decisions.
Like my chocolate chip cookie recipe, I soon learned that ERM standards were just a start. When it comes to my cookies, the recipe as written was sufficient, but I felt the cookies could be better. In order to make them even more ooey, gooey, I would add mini-chocolate chips, melt the butter in the microwave, and use premium ingredients like organically grown sugar and flour.
This story shares a few similarities to my experience as a budding ERM practitioner at Florida’s property insurance carrier of last resort.
Now I want to make clear that we were using older ERM standards that have since been revised. As explained in this previous article on ISO 31000, the original standards were very process-oriented and not focused so much on decision-making. They were, and many would argue still are, too cumbersome, labor-intensive and documentation heavy to be incorporated into decision-making.
The standards provide very explicit instructions as to what you should do but would not provide guidance on any adjustments to make based on your company or situation…ERM standards (…even the latest versions) attempt to make a one-size-fits-all approach work for everyone.
As Alexei Sidorenko explains in this webinar comparing the latest versions of ISO 31000 vs COSO, ERM standards outline a very traditional risk process, when in reality, there is a “different sequence of events” when making decisions.
As I eventually learned at my former employer and have carried forward with me into my ERM consulting career, developing a company’s risk process takes experimentation, much like manufacturing a new product.
Also, simply copying and pasting the terminology these standards use would lead to a lot of confusion.
In order to use ERM standards effectively, you have to begin with the end in mind.
It’s a natural impulse to go in guns blazing; believe me, I know. You’re excited about the possibilities of ERM that you simply pull a standard off the shelf and get to building a framework and process for your organization.
However, if you do not take the time to consider the end-game, your efforts will likely go down in flames, which is why it’s so important that you and your company’s leaders should be crystal clear on the outcomes you are hoping to achieve.
And this is not just outcomes for the company’s goals and objectives, but for the ERM process itself.
Once you are clear on this, you can then examine different ERM standards. There are elements within each ERM standard that may be helpful in understanding specific areas you should be looking at. As Julian Talbot explains:
Having a consistent (and internationally recognized) framework means that when it comes to prioritizing resources, the executive team should be able to compare any two or more risks to see where the resources are best applied.
To add to Julian’s remarks, ERM standards can provide insight into which topics to cover, but these may occur in a different order than it does in the standard.
Unlike other consultants, I don’t choose a standard and make my client fit the standard. In many cases, when we need a standard, we use elements from each if it makes sense for the organization I’m working with. The lesson here – don’t assume you can’t mix and match. If it makes sense and works for your organization, then go for it!
Also, ERM standards can help you sketch out a rough framework for your organization, similar to an architect sketching out a rough draft for a project. Nothing is permanent or set in stone, it’s just a start. It helps to at least get something down on paper and then go from there.
Contrary to what many will say, ERM standards are not the end all be all of understanding threats and opportunities to achieving strategic objectives. However, they can be useful if they are approached with caution and with the understanding that not all elements of a particular standard will apply to your specific situation.
Has your organization experienced roadblocks when using ERM standards? Did you have to re-start from scratch?
Many practitioners I speak with or read about struggle with how to make ERM standards work for their organization’s needs. To share your thoughts, please feel free to leave a comment below or join the conversation on LinkedIn.
And if your organization is struggling to better understand risks and their impact on goals and objectives, please don’t hesitate to reach out to me to discuss your specific situation today!
Featured image courtesy of Oscar Chevillard via Unsplash.com
