IN THIS ISSUE
Q&A With Dave Harmon
"We have a variety of narrowly focused enterprisewide control monitoring activities that need to be addressed. My initial suggestions of implementing ERM are viewed as just extra work, and I'm getting a lot of resistance from management. What suggestions do you have to help me achieve buy-in for implementing ERM in my organization?"
DAVE HARMON, CIA, CCSA, CPA, CISA
DIRECTOR OF FINANCIAL MANAGEMENT PROGRAMS
UNIVERSITY OF CALIFORNIA
I will begin by saying that you're not alone. Your comments are more than likely echoed by many of your colleagues. It seems to me that the issue with enterprise risk management (ERM) is not so much how to do it. Generally, the ERM implementation process is pretty well understood. It's determining how to adapt ERM to the existing organizational culture that poses the biggest problem.
If you already have a variety of enterprisewide control monitoring activities in place that are effective in terms of their narrow scope, look at that as leverage rather than an obstacle. Integrating good processes and activities already in place may enable you to build momentum for ERM implementation.
A first step is to take an inventory of what types of ERM monitoring or control activities are in place. Also determine how well they are sponsored and who owns them. Qualitatively, how well are these activities working? You may find several significant and worthwhile activities that are well-sponsored with the backing of one or more functional areas: the controller, human resources, internal auditing, product development, research, or risk management. While you take inventory of what you have and which activities are in place, you may be able to identify some areas or existing activities that are lacking or duplicated.
Once you've taken inventory, use the results as the basis for developing a manageable list of risks and risk owners. Validate the list by comparing it with similar organizations and select members of management. Then, ask yourself what is realistic to accomplish within a reasonable period of time regarding ERM. Consider your level of sponsorship — or lack thereof. Is it realistic to consider a stand-alone new ERM initiative? Organizationally, how will management be engaged in the process?
In other words, create a realistic vision for ERM in your mind. Then develop a project plan to sell this vision. Rather than a seamless process, you may find that you envision a jigsaw puzzle that cobbles together disparate pieces from different parts of your organization. Then incorporate the existing enterprisewide control activities where they fit.
Next, circulate the plan for validation and obtain buy-in on the major risks, stressing the benefits and efficiency of leveraging existing efforts. Sell your ERM plan as a way of integrating the existing efforts — overlap can be eliminated and existing gaps can be filled. Understand that your plan will need to change to accommodate stakeholders' additions and modifications. This circulation process can be effective in building credibility and support for ERM.
At this point, you may be asking, "Aren't you going about this backwards? This should be a collaborative process driven by top management. You can't unilaterally do this by yourself." I admit that this is a short-cut approach to ERM that is not without drawbacks. But once in place, the process can be refined. If you are able to pull it off by getting ERM off the ground, you may find yourself ahead of many other organizations that are still just talking about the potential of ERM.
David Harmon, CIA, CCSA, CPA, CISA, is director of financial management programs at the University of California, Los Angeles and instructs several IIA courses on CSA. Harmon helped to develop a CSA program in his former position at Fannie Mae and contributed to the questions in The IIA's CCSA exam.