Is There a Doctor in the House? Your Annual ERM Checkup

I’ve been working these last few weeks helping a consulting client review this year’s performance of its Enterprise Risk Management System (ERM); the system was extended a few years ago beyond the company’s financial business processes to all 150 of the remaining business processes of the enterprise. This “annual physical” is as important for maintaining the health of a risk management system as it is for the physical health of your doctor’s patients, since both represent ongoing, process-dependent projects. There are many well-documented benefits of performing such an annual project review across all your client’s ERM component business processes, including enterprise-wide integration of updated risk evaluation, review standardization, enhanced fraud prevention, and the streamlined reporting of review results to upper management.

The annual ERM health check typically features interviews with key business process owners and a review of ERM documentation to determine if key related controls are functioning as intended, whether project related tasks are being completed on time and within budget, if ERM objectives are being achieved and if the risks related to those business processes critical to the ongoing success of the business are being managed effectively.

Your review should also determine if key annual prerequisites have been defined for the ERM project (e.g., business ownership, governance, and project definition). Has the organization identified a single point of accountability for its ERM project? The answer to this question often isn’t obvious; I’ve found that precise, overall responsibility for the ERM project is often fragmented, which constitutes a significant control weakness for the organization.

You should also look for a quality assurance process for the ERM project: what mechanisms are in place to ensure that ongoing risk updates and related items of critical documentation are of consistent quality? This can only be determined by some kind of consistently occurring, concurrent quality assurance process.

Are the right people devoting the right amount of time to work involving the ERM project? Often, by necessity, the ongoing completion of ERM-related tasks is assigned as one or more collateral projects to business process owners whose primary jobs are something else; that’s fine if the product is ultimately reviewed by some higher level of management. I look for some kind of competency framework to assure that those working on ERM-related assignments represent the best human capital the company can muster, given the risk expertise required by the assignments.

Is there evidence that the enterprise even manages change well enough generally to be able to identify changing risks to its business processes? Change management is a professional discipline, and risk assessment is a major component of that discipline. The discipline of change management is now well established and must be integrated into your client’s ERM project by someone having authority with both the ERM project team and with senior levels of client management; this is critical for the success of the project.

With the foregoing as general background, your annual check-up of the health of your client’s (or employer’s) ERM project might include getting answers to the following (or similar) general questions:

–Is the ERM project properly sponsored by the highest levels of management?
–Is there a business case and defined budget for ERM?
–Is there a documented, formal approach to managing the risks, risk scenarios, fraud scenarios and related issues and communications that fall within the scope of ERM?
–Is there a detailed ERM annual work plan that is actively monitored by business process owners and by compliance professionals like internal auditors, fraud examiners and fiscal controllers?
–Are ERM human resource-related roles and responsibilities defined clearly?
–Is the ERM project delivering what was requested of it by management at its inception?
–Is infrastructure in place to support daily project operation?
–Have all ERM project milestones been achieved to date?

When the check-up is complete, be sure to evaluate the performance of the check-up itself by performing and documenting a short check-up critique. This step is important since, hopefully, you’ll be doing another check-up next year. What went well with the check-up and thus could be leveraged to improve the process in the future? What process-related issues were encountered, and how were they resolved?

Your annual ERM check-up will provide independent corporate governance oversight to help keep the ERM project on track and, ultimately, could make the difference between long-term ERM project success or failure.
