Enterprise risk management
Risk can be created by any event or outcome that has the potential to interfere with an agency’s ability to achieve its mission on time.
Enterprise Risk Management (ERM) is the discipline and its associated processes of applying a risk evaluation to each agency goal, identifying root causes of these risks, determining—as an enterprise—what changes (i.e. risk treatments) are best to address the root causes, and then monitoring the success of the risk treatments. Treatments can include:
- Transferring the risk
- Minimizing the negative outcome
- Preventing the outcome
- Eliminating the activity associated with the risk
For example, insurance transfers the possible cost of risk to the insurance company. An early resolution program minimizes the cost of negligence by resolving claims before they become lawsuits. Changing a policy and procedure so that employees know what to do in certain situations can prevent negative outcomes. Abandoning an activity that had resulted in injury eliminates the risk posed by the activity.
How do you get there?
- Gather a focus group consisting of a risk savvy person from each area (division, department or function) of your agency.
- Brainstorm and list any event (risk) that could interfere with the ability to carry out your agency's mission.
- Prioritize the risks from high to low.
- Identify and develop responses for the high risks first.
- Establish an aggressive time line and designate accountable personnel to help ensure the risk responses are carried out.
- Identify and develop responses for the moderate and low risks and carry out step 5 above for them.
When you have completed steps 1 through 6 you have started the ERM process
What else can be done to move closer to ERM?
- Successful ERM must have the support of top management. Before starting the process above seek the absolute commitment from your agency director and assistant directors.
- Establish an ongoing ERM steering committee. Have the committee meet on a regular basis to discuss losses and identify new risks.
- Develop an annual risk assessment questionnaire process to be completed by all employees.
- If possible create a full-time position for the agency risk manager. ERM requires attention.
- Have a process in place to ensure accountability for losses. Require the accountable people to respond to losses with a report on "why did this happen?" and "how can it be prevented from happening again?"
- Concentrate on helping the entire organization shift its focus away from crisis response and toward preventative action.
Useful resources
- Pitfalls and Pratfalls of Implementing ERM - Public Risk Magazine
- Risk and Insurance Management Society, Inc. (RIMS)
- ERM in the Trenches - August 2008, Risk Management Article by Mark Bigelow
- Implementing ERM in Washington State Government - Oct. 2008 ERM Presentation to the North Carolina State ERM Initiative by Drew Zavatsky
- ERM Best Practice Highlights – A compiled list of agency best practices provided to OFM. This list highlights some agencies’ ERM program efforts and is provided in an effort to share news about these best practices with all agencies.
