Bonnie Hancock
Effective Enterprise Risk Management Starts With a Conversation

How to implement an effective ERM process.

September 3, 2009
by Bonnie Hancock

As policymakers assess the causes of the recent financial crisis, it is becoming clearer that improvements will need to be made both in the way that senior executives approach risk management activities within their organization and the role of their boards of directors in risk oversight. In July, the U.S. Securities and Exchange Commission (SEC) issued a proposed rule that would require public companies to disclose more information in their proxies about their board's risk management role and how compensation practices affect the company's overall risk profile. The SEC also indicated that additional proposed rules would be forthcoming with respect to a company’s disclosures in its Form 10-K about its risks and risk management practices. And last spring, Senator Charles Schumer, D-N.Y., introduced the Shareholder Bill of Rights Act of 2009 (now in a Senate Committee) that would require establishing a risk management committee comprised of independent directors.

While some may fear that the increasing calls for better risk management may result in additional compliance burdens with little value added, many companies have found that they can put in place effective processes for managing risks on an enterprise-wide basis that will improve strategic decision-making and support the achievement of organizational objectives. In order for enterprise risk management (ERM) to be seen as value-adding however, the board and senior executives of an organization must set the appropriate tone for an open dialogue about the risks an organization faces, its appetite for those risks and its plans for managing those risks.

Having an effective ERM process does not mean you must produce myriad checklists, models and dashboards. The misperception that ERM is a very complex process that consumes a tremendous amount of resources and can become a source of bureaucracy has been an impediment to ERM implementation in many organizations. In fact, an over-reliance on models and quantitative risk measures and reports has been cited as a contributing factor to the failure of risk management processes in some organizations. And when the credit rating agency Standard & Poor's (S&P) began assessing ERM practices within the companies it rates, its initial focus was on the rated company's risk management culture and strategic risk management. S&P explicitly recognized that ERM would not look the same at all organizations and that it would be open-minded about the form of the risk management structure.

ERM should be implemented in the way that works best for your organization to provide the information needed for management and the board to make better, more risk-informed, strategic decisions. Proponents of ERM stress that the goal of effective ERM is not to lower risk. Rather, ERM is designed to manage risks more effectively on an enterprise-wide, holistic basis so that stakeholder value is preserved and grows over time. In other words, ERM allows management and the board to appropriately weigh risks against potential rewards.

Implementing Effective ERM Processes

Many organizations are starting to consider implementing ERM or are in the beginning stages of implementing an ERM process. The following are some keys to implementing an effective ERM process, based upon "lessons learned" at organizations that have successfully implemented ERM:

  • Strong senior management support for enterprise risk management
    • Candid conversations about risk among senior managers and board members.
  • Simplicity at the outset — initially use qualitative measures, not complex quantitative measures
    • Start by creating risk awareness and probing for emerging risks.
  • Build on tools that are already in place
    • Value can be created and cost minimized when you connect existing "silos" of risk management (for example, health and safety, insurance and compliance functions) to leverage current efforts and build an enterprise-wide view of risks and approach to risk management.
  • Plan for your ERM process to evolve over time
    • ERM is not a project or a fad; it will evolve over time as your organization buys into the process and becomes more sophisticated in its approach to managing risks.

Increasingly, organizations are realizing that their current processes are inadequate to manage the complexities of the global business environment. Managing risks informally or on an ad hoc basis may no longer be acceptable given the increased expectations for effective risk management processes being placed on senior managers and their boards. Adoption of ERM can address emerging expectations for improved risk management in a way that also adds value by improving risk awareness within the organization and focusing attention on the risk/reward relationship. Effective ERM implementation can start very simply, with a candid conversation about the risks the organization faces in pursuit of value.

Bonnie Hancock is the executive director of the Enterprise Risk Management (ERM) Initiative and is also a lecturer in accounting at NC State’s College of Management. She has served as president of Exploris and at Progress Energy, as well as being a president of Progress Fuels (a Progress Energy subsidiary with over $1 billion in assets), senior vice president of finance and information technology, vice president of strategy and vice president of accounting and controller. Hancock brings unique insights on boards and executive management as well as practical perspectives on managing risk across increasingly complex global enterprises. Her teaching focuses on financial management and business valuation.