Informal Versus Formal Enterprise Risk Management
The concept of enterprise risk management – in layman’s terms, thinking about challenges and opportunities as they impact your organization as a whole – may seem to be more suited to large businesses than the typical small to medium-sized enterprise. While it’s true that large organizations are in a better position to set up a formal enterprise risk management program with a risk assessment process, committees and a “chief risk officer”, consultant Carol Williams says there is no “one size fits all” approach, and some organizations do better by managing their risks informally.
In a recent article (https://www.erminsightsbycarol.com/practicing-erm-no-formal-program/), Williams states that two things are necessary to practice effective enterprise risk management, or ERM for short. First, executives must think about and discuss how risks – positive and negative – influence their decisions and planning. Second, there must be a culture of open communication.
Questions for officers and directors to consider in establishing a risk management process:
- Does the board support management in achieving its strategic and business objectives?
- What is the organization’s mindset related to risk?
- How does the organization formulate business objectives? Does it consider risk in establishing these objectives?
- Does the organization identify risks that can impact performance of its objectives?
- How does the organization prioritize risk, identify risks, and select responses?
If your organization’s culture, actions and oversight are naturally conducive to informal ERM, developing a formal framework is not necessary and can actually be counter-productive.