Bonnie Hancock

Effective Enterprise Risk Management ≠ Bureaucracy

How to implement a simple, effective ERM process.

March 3, 2011
by Bonnie Hancock

Now that we have completed a U.S. Securities and Exchange Commission (SEC) filing season with the new proxy rules requiring disclosure of the board's role in the organization's risk management process, many management teams are facing increasing demands from board members for more robust reporting and discussion of the risks the organization faces and the steps management is taking to respond to those risks. Even in organizations not subject to SEC reporting requirements, board members are showing an increased interest in risk-related issues. While some are wondering whether cumbersome, non-value-adding new processes will need to be adopted in order to satisfy demands from board members and other stakeholders, many companies have found that they can put in place effective processes for managing risks on an enterprise-wide basis that will improve strategic decision-making and support the achievement of organizational objectives. In order for enterprise risk management (ERM) to be seen as value-adding, however, the board and senior executives of an organization must set the appropriate tone for an open dialogue about the risks an organization faces, its appetite for those risks and its plans for managing them.

Having an effective ERM process does not mean you must produce myriad checklists, models and dashboards. The misperception that ERM is a very complex process that involves a tremendous amount of resources and can be a potential source of bureaucracy has been an impediment to ERM implementation in many organizations. In fact, an over-reliance on models and quantitative risk measures and reports has been cited as a contributing factor to the failure of risk management processes in some organizations. And when the credit rating agency Standard & Poor's (S&P) began assessing ERM practices within the companies it rates, its initial focus was on the rated company's risk management culture and strategic risk management, good places for an organization to begin implementation of an ERM process. As ERM assessments have become a part of the credit rating process, S&P has explicitly recognized that ERM will not look the same at all organizations and has been open-minded about the form of the risk-management structure.

ERM should be implemented in the way that works best for your organization to provide the information needed for management and the board to make better, more risk-informed, strategic decisions. Proponents of ERM stress that the goal of effective ERM is not to lower risk. Rather, ERM is designed to manage risks more effectively on an enterprise-wide, holistic basis so that stakeholder value is preserved and grows over time. In other words, ERM allows management and the board to appropriately weigh risks against potential rewards.

Implementing Effective ERM Processes

Many organizations are starting to consider implementing ERM or are in the beginning stages of implementation of an ERM process. The following are some keys to implementing an effective ERM process based upon "lessons learned" at organizations that have successfully implemented ERM:

  • Strong senior management support for enterprise risk management
    • Candid conversations about risk among senior managers and board members.
  • Simplicity at the outset — initially use qualitative measures, not complex quantitative measures
    • Start by creating risk awareness and probing for emerging risks. Don't try to capture all risks facing the organization; start with the top risks and those risks that are just beginning to emerge.
  • Build on tools that are already in place
    • Value can be created and cost minimized when you connect existing silos of risk management (for example, health and safety, insurance and compliance functions) to leverage current efforts and build an enterprise-wide view of risks and approach to risk management.
  • Plan for your ERM process to evolve over time
    • ERM is not a project or a fad, but will evolve over time as your organization buys into the process and becomes more sophisticated in its approach to managing risks.


Increasingly, organizations are realizing that their current processes are inadequate to manage the complexities of the global business environment. Managing risks informally or on an ad hoc basis may no longer be acceptable given the increased expectations for effective risk management processes being placed on senior managers and their boards. Adoption of ERM can address emerging expectations for improved risk management in a way that can also add value by improving risk awareness within the organization and focusing attention on the risk/reward relationship. Effective ERM implementation can start very simply, with a candid conversation about the risks the organization faces in pursuit of value.

Bonnie Hancock is the executive director of the Enterprise Risk Management (ERM) Initiative and is also a lecturer in accounting at NC State's College of Management. She has served as president of Exploris and at Progress Energy, as well as being a president of Progress Fuels (a Progress Energy subsidiary with over $1 billion in assets), senior vice president of finance and information technology, vice president of strategy and vice president of accounting and controller. Hancock brings unique insights on boards and executive management as well as practical perspectives on managing risk across increasingly complex global enterprises. Her teaching focuses on financial management and business valuation.