Even with limited resources, ERM and BCM programs can still succeed.
“Boards are quickly creating risk committees focused on crisis planning and remote work data privacy—and they want a chief risk officer on speed dial,” writes Arianne Cohen in Risk Manager is Suddenly a Hot Job, a Bloomberg Businessweek article published in April that examines how the COVID-19 pandemic has brought the role (and responsibilities) of risk manager front and center. Interviewed by Cohen for the article, crisis management specialist Jonathan Bernstein sums the role up this way: “The job is about managing ‘wars you didn’t start, which will require immense resources to win, with domino-like consequences that contain a whole list of potential subcrises.’”
Over the coming weeks and months, as states relax stay-at-home orders and businesses work to resume full operations, the spotlight will only increase in intensity. Given the unfortunate reality of the furloughing of employees or the elimination of jobs altogether, it is not a given that the resources of which Bernstein speaks will be available to those responsible for getting Enterprise Risk Management (ERM) and Business Continuity Management (BCM) programs up and running.
Whether by choice or not, many will be working as solopreneurs—essentially setting up and running businesses on their own. Yet even without extensive support, ERM and/or BCM efforts can be made to succeed. Doing so will require an approach in which the initial focus is on clearly defined components, the delivery of quick “wins” (without losing sight of larger, more long-term goals), and leveraging the power of technology to help to lessen the load.
1. Eliminate ambiguity and focus on strategic objectives
The language employed around ERM programs can cause issues right out of the gate. “ERM is all too often shrouded in ambiguous, confusing terminology that provides little clarity as to what, exactly, ERM programs do,” states Demystifying ERM. “It is no wonder then, that many stakeholders remain confused or highly skeptical about the effectiveness of ERM programs, even as they recognize the pressing need to do something about emerging risks.”
Rather than focusing on ERM as a concept—one that mitigates risk as if by magic—ERM can be broken down into three points that apply to all types of risks:
- A process where data tells a story leading to action
- The action is one the organization would not otherwise take
- The action is related to the business’s strategic objectives
The initial point, which is all-too-often the sole focus of many programs, focuses on gathering data for the specific purposes of informing and taking action.
With the second point, collected data is used to determine what specific actions are needed. Risk is mitigated because these actions would not have otherwise been taken without the review of that data.
The final element ensures program relevance. If the actions driven by data aren’t tied to strategic objectives, the program will, ultimately, not benefit the organization.
2. Gather momentum with quick wins
In Risk Manager is Suddenly a Hot Job, Arianne Cohen outlines the complexity of the chief risk officer role and the skills it demands.
Chief risk officers need the analytical might to evaluate everything from supply chains to staffing; the ability to maintain many relationships (to law firms, insurance brokers, industry peers); the power of persuasion to sway fellow executives; the communication savvy to handle employees and media in a crisis; and financial literacy to understand not only a company’s balance sheet but also how much money would be lost if, say, the parts factory in Turkey closed for a week. All this while answering to the government regulators and investors who risk managers say are inquiring about preparations for global catastrophes.
It’s easy to see how one might be overwhelmed by all that needs to be accomplished. To take steps toward the overall goal, Looking to launch an ERM program? Borrow ideas from startups suggests pursuing an approach that aims at starting with a minimum viable product (MVP), in other words, the most scaled-down version of a product that is still usable.
Citing Technopedia, the article lays out three central components of the MVP approach:
- It has enough value that people are willing to use it or buy it initially
- It demonstrates enough future benefit to retain early adopters
- It provides a feedback loop to guide future development
As an example, instead of mapping out a program across an entire organization, an initial rollout may involve a single department. In doing so, the development of effective controls can wait until after the language and procedures for communicating risk status and severity have been somewhat established, reducing the likelihood of wasted effort. As the article puts it, “By focusing on just the R portion of ERM initially, you’ll be able to ensure the MVP remains at a manageable size, while gaining insight that informs the E and M components later on.”
3. Deliver on the initial promise before pivoting to longer-term efforts
The earliest stages of launching a business are what many entrepreneurs (and solopreneurs) live for: putting together business plans, raising initial capital, developing prototypes. Eventually, however, one must land the first client and successfully deliver the product or service, as promised.
For the ERM (or BCM) solopreneur, success means delivering on the initial promise made to the board. By starting with a strategic directive in mind and focusing initially on quick wins that allow for refining elements of a program without having to do so for users across the enterprise, the foundation is laid for giving stakeholders the ability to see real-world results—and clearly envision how that could apply to the larger enterprise as the program is expanded.
4. Make technology your ally
From the early stages to the delivery of the initial product (and beyond), technology can benefit significantly those tasked with planning for the risks that will inevitably come. However, it needs to be focused in the right areas.
The right technology solution can help the solopreneur or small team get a running start by providing access to frameworks and risk assessment tools. It can also help to reduce the administrative burden of the solopreneur (or a small team) by simplifying the data collection processes. Automation functionality can be used to drive real-time communication and reduce administrative overload. And data analytics functionality can provide actionable insight.
Download An Integrated Software Solution for more information about ERM functionality available in Origami Risk’s GRC solution.
How the ERM/BCM Solopreneur Can Get the Credit They Deserve
As Arianne Cohen points out in Risk Manager is Suddenly a Hot Job, along with the newfound prominence of the risk manager brought about by the COVID-19 pandemic comes the opportunity for those who fill this role to finally get the credit they deserve. For now, at least, those accolades reside somewhere in the future. Over the coming weeks, we will follow with additional articles on ERM and BCM that provide best practices and tips for defining processes and getting them up and running, even for those operating as solopreneurs.
In the meantime, view the webinar ERM in a Hurry to learn more about how with the right planning and tools, even the efforts of a single person can deliver much-needed insight at a time when it is needed the most.