Enterprise Risk Management - ERM - sounds great in theory, but what does it really mean in practice?
As organizations embark on this process, consider these questions:
1. What do we mean by Enterprise Risk Management?
To some, Enterprise Risk Management means protection against a computer crash or terrorist attack. To others, it may mean addressing reputational issues or fallout from losing key product lines to a competitor. Executives' perspectives may vary from what an IT specialist observes.
An overseas subsidiary may perceive risk much differently than domestic-based headquarters.
Note that the term is risk "management," meaning that some risk is inevitable and the key is to manage it. But, what may have seemed like a risk at the time - remember Y2K? - may not be a risk today. And our children no doubt have a much better handle on the risks of the future than we do!
2. How do we figure out what the risks are?
Organizations have implemented various approaches; there is no one answer. An ERM program may be part of an internal risk management group or under the auspices of the legal department, or be the purview of an audit committee or a special committee of the board.
What is helpful is to have an interdisciplinary team identify or vet potential risks - and an appropriate program to combat them. For example, representatives from IT, internal audit, risk and compliance, insurance, operations, and legal, potentially aided by outside consultants or advisors, may be best able to initially identify risks. A process may be as simple as brainstorming and listing them on an easel in a small group meeting. What emerges as a risk may surprise the organization. For example, the risk to an organization of key producers leaving, or of lacking a solid integration plan upon a merger, may be just as large as an inadvertent disclosure of customer data. Thinking broadly and deeply about what truly are risks can be eye-opening.
Balancing risks is also difficult. Should the organization focus on risks likely to occur but that may have a modest impact, or laser in on the event that, although unlikely, would be devastating if it occurs?
Healthy debate typically leads to prioritizing risks. Perhaps focus on the top 10 or 15 risks rather than a laundry list of issues that, although worth noting, are not likely to impact the organization in a material way.
Once the smaller group or committee has identified the risks, it's important to verify whether others in the organization agree - or not. Getting input from select or representative constituencies can be helpful when later seeking a "buy in" to the plan to mitigate risks.
3. What do we do once we identify the risks?
Once the top risks are identified, they should be written down in ways everyone can understand. The goal is then to do something about them. This involves looking at each risk and realistically assessing steps that may reduce risk, and noting who will be responsible for monitoring and implementing these measures. That may involve a group of people in the company or in partnership with legal or other outside advisors. The plan itself should identify the basic steps, even if they involve exploring more about the issue or watching the risk over time.
As an example, one virtually universal concern is the safeguarding of confidential or private information, whether generated internally or brought into the company's possession. The steps taken to mitigate that risk might involve 1) identifying the categories and sources of the information; 2) identifying the legal requirements for protecting the information; 3) identifying client or customer requirements for protecting information; 4) reviewing the practices of those in similar industries or positions; 5) developing an information management policy; 6) determining any indemnification or insurance issues or protection that may be available; and 7) implementing a pre-set game plan on how to react if a loss of information actually occurs. Each of those steps may be on a different timeline and may involve tapping a variety of resources. Someone needs to supervise and make sure the pieces are put in play in a manageable timeframe.
Some risks may be more urgent than others. Some may have more gradual solutions. For example, if large-scale mergers of foreign operations may create risk, and cultural integration is key, then one response may be to identify integration teams or mentors or secondments to assist on the ground in the epicenters of those transactions.
Companies can also routinely take some measures to potentially mitigate risk. Review of vendor agreements as a whole to minimize inconsistencies or include additional protections (as well as save costs) may be of value. An annual "audit" or review of insurance programs, from directors' and officers' liability to commercial general liability insurance to newer data privacy and cyber liability policies, and negotiation of coverage enhancements, may cushion exposure.
Analysis of indemnity agreements may provide a better handle on obligations and exposure, as well as reveal gaps between what is indemnifiable and what is insurable.
4. Now can we rest?
No! Two additional items are essential: first, the plan needs to be communicated in an appropriate way to those within the organization. The goal is not to use scare tactics. Rather, if done well, the discussion of risk and the steps to implement a plan should instill confidence, not fear, and empower people in the organization to do more. The messaging can be communicated by top management with the help of key leaders in all aspects of the company. Familiarity with and approval of the plan by the board or audit or other committees is extremely useful.
Second, the plan can't sit on the shelf. Re-assessment of risks should be done on a regular basis, perhaps every six months. Moreover, changes in risks and progress in implementing risk management need to be reported back to the committee and kept on the front burner of the organization.
Thus, while many in the marketplace may be talking about ERM, organizations that confront the challenges will have a good story to tell, both internally and externally.
Carolyn Rosenberg is a senior partner in the Insurance Recovery Group of Reed Smith and a member of the firm's Executive Committee and Chair of its Audit Committee. She counsels clients on insurance, indemnification and risk management issues. Carl Krasik is the Chief Legal Officer of Reed Smith and former General Counsel of BNY Mellon.
This article is presented for informational purposes only and is not intended to constitute legal advice.