Integrating a Risk Management System into Your Organization

Integrating a risk management system into your department or organization will be a major endeavor and, while there are significant benefits to making this change, the degree of effort required should not be underestimated. Moreover, the overall workload of the organization and other major initiatives that might also be underway are major considerations when planning the implementation of enterprise risk management (ERM). This article will refer to ERM systems, but the same principles will apply if the implementation is for a less expansive risk management system. Importantly, as a supporting function and not an operational activity, risk management must be shaped to fit the organization. It should not try to shape the organization to fit it. Implementing a risk management system requires thorough planning, a careful combination of change and project management and a high degree of cultural sensitivity.

A suggested approach for planning ERM implementation is laid out below.  It outlines the main considerations and key elements that should appear in the eventual project plan.

Note: this is not meant to be a primer on change management or project management, although generally-accepted principles from each of these disciplines are reflected in this article. Where possible, users should seek guidance from experts within their organization to ensure that any project and change of this scale adheres to the organization’s applicable processes.

A Structure for Change

A well-established model for change management is Dr John Kotter’s eight-step model for change. This article uses it as a loose framework to address the challenges and considerations surrounding ERM implementation. Some adaptations have been made to the eight-step model in order to make it more applicable to ERM. The practical project management elements required for success have also been added to assist with planning.

Eight Steps for Change Management (Adapted from Kotter)

1 – Establish the need and develop urgency

2 – Identify the champion and risk experts

3 – Develop a vision and strategy

4 – Communicate the vision, purpose, and value to generate organizational buy-in

5 – Incentivize and empower action

6 – Generate short-term wins

7 – Build and maintain momentum

8 – Embed the system in the organization’s culture

This eight-step framework should allow the risk management champion to design a robust plan for implementing the system, one that will align with more formal change and project management processes. Again, where the organization has recognized processes for change and project management, these should be used instead, but some of the key considerations will remain the same.

Implementing the ERM System

1 – Establish the need and develop urgency

To a risk aficionado such as the risk manager, the benefits of a comprehensive risk management system will be obvious, but they will not be as clear to the rest of the organization. The term ‘risk manager’ is used throughout this article to identify the person driving the risk initiative in the organization. Moreover, implementing any new system costs time and money and robs the organization of a great deal of management focus. Therefore, a clear need for adopting or changing the risk management system is required, because the desire of the risk manager alone will not be enough.

To drive this change effectively, a combination of a need and urgency is required.  To identify the need, begin with an assessment or gap analysis of the current risk management arrangements in the organization. This will determine what is already in place, if there is a regulatory or legal requirement for a system and will identify any metrics that will support the case for implementing a formal risk management system.

The gap analysis and the associated metrics will help establish the need for a risk management system but there also needs to be a sense of urgency. A legal or regulatory gap presents a real urgency as the consequences of non-compliance could be severe. However, the benefits of improved processes, increased efficiency and reduced losses should also make compelling arguments for implementing the risk management system as soon as possible.

Even with a degree of urgency, it is worth noting that it might not always be the right time for an organization to take on this size of project. A very small business may not have the resources. A larger organization, that is already mid-way through a major project, might not have the capacity to tackle another big initiative. Remember, a bungled attempt to launch an ERM system will deter people from any future risk management activities.  Ensure that the timing and conditions are right to give yourself the greatest chance of success.

Although the organization-wide announcement of the plan takes place later in the process (see step 4), buy-in from senior management and key influencers will be required at this stage. These key decision-makers and influencers need to be presented with a strong argument for this project (highlighting the need and urgency), so ensure that time is spent developing the business case for the implementation.

From a project perspective, the gap analysis and needs assessment will help identify the major tasks and rough timelines associated with the project.  This will form the basis of a bare-bones project plan that can help show senior managers what the project timeline and workload might look like. This top-level project plan should also show how the ERM implementation project is scheduled around other major organizational activities to avoid conflict and scheduling overload.

2 – Identify the champion and risk experts

Again, an enthusiastic risk manager alone is not enough to make this kind of change.  A support network is required. Ideally, a senior executive or Board member will be the ‘risk champion’ leading this initiative. They can lend the necessary heft to the project and help hold the organization accountable once the project is underway.

Additionally, a network of ‘risk enthusiasts’ is required in each region, division or function to act as the local champions and risk subject matter experts (SMEs). In addition to selecting SMEs for their knowledge and abilities, it is also important to ensure that they have enough influence to be able to drive the project forward within their own area of responsibility.

In addition to championing the initiative, these individuals will form the core of the risk management project team. The risk management champion will be the project sponsor at the organizational level and the risk manager will become the project manager, responsible for the delivery of the risk management project.

3 – Develop a vision and strategy

A vision has to be something more inspirational than ‘implementing an effective and robust risk management system at all levels of XYZ Co’. This is an acceptable ‘what’ statement but people also need to understand why something is being done before an idea can be truly effective. The vision should explain why the risk management system is important, stressing the benefits, savings or values that are being supported by the system. A clearly-stated and well-understood vision will be beneficial when it comes to implementation, similar to being objectives-led in an operational sense.

A vision statement that explains the overall intent or objective, why it is necessary and the primary deliverable (returning to the what) is required. For example, the following statement ties the risk management system into operational improvement, which in turn supports the organization’s strategic goal:

‘XYZ Co strives to be the leading widget manufacturer for all deep-sea oil and gas operations worldwide (the supported objective). In order to do this, we require the highest standards of operational efficiency and safety (why the change is necessary), which we will support through the implementation of a robust risk management system by the end of FY 2018 (the primary deliverable).’

This vision statement should be converted into a strategy (the ‘how’) outlining the broad strokes of how this will be achieved. This strategy can then be coupled with the details that were captured in stages one and two to produce a more detailed project plan.

A high degree of cultural sensitivity is key to success and the culture of the organization should be kept in mind during every stage of the process.

During strategy development, the organization’s structure and culture will shape the approach to implementation. For example, does the organization respond better to top-down or bottom-up initiatives? Which department’s or manager’s buy-in will make or break an idea? Is the organization small and nimble or large and resistant to change? These are all key considerations when developing the implementation strategy and will help the risk management champion and manager determine how best to communicate the vision.

4 – Communicate the vision to generate organizational buy-in

Culture is very important when the vision is being communicated to the wider organization. ‘Change is hard’ is something we often hear and in most cases, it’s also true. Enthusiasm or buy-in will have to be generated in the face of organizational resistance, pressing timelines, competing priorities and often a reluctance to make any change at all.  All of this resistance is before any actual change is being made.

Understanding the organization’s culture is key to ‘selling’ the vision to the organization.  The risk champion and the other team members should have collaborated and received feedback throughout steps one to three.  Therefore, the vision and strategy being proposed should be largely welcomed throughout the organization.  However, communicating the vision at this stage is not simply a one-way conversation.  It is a two-way consultation.

During the communication activity, in addition to ‘selling’ the change, the project team should also be taking note of feedback and identifying areas where the proposed system and plan for implementation receive push-back. Although not all criticisms require changes to the strategy or plan, valid feedback will help the project team refine the implementation plan and the risk management system itself. Any time invested in improving the implementation plan at this stage will pay dividends later on and will increase the chance of overall success.

Exactly how buy-in can be achieved will be specific to the organization but some considerations are:

  • Identify the influencers and approach them first. Remember, an influencer might not always be a senior manager but could be an experienced worker, someone of standing in the community outside work or just a charismatic employee. Ideally, you would also want some of these influencers to be risk champions, but they have to be bought into the idea of a risk management system in the first place.
  • Use a mix of top-down and bottom-up initiatives, adjusting the balance and sequencing the announcements to suit your organization.
  • Acknowledge the pain involved in making significant changes but stress that this is temporary. Emphasize that a faster implementation is preferable, and stress the long-term benefits of making the change to justify the short-term disruption.
  • Make compelling arguments. The needs and gap analysis will have identified the organizational pain points that are going to be addressed by the risk management system. Show how the proposed system addresses these with a series of empirical (‘we can save x hundred man-hours in reporting’) and emotional (‘you no longer have to allocate all of February to the risk assessment’) arguments that can be used in different circumstances.
  • Be honest. Don’t paint an overly rosy picture of the implementation and don’t oversell what the risk management system will do.

This is a critical stage in the success of the risk management system: without this buy-in, you can still implement a risk management system, but it will have been forced on the organization. This creates a superficial system that isn’t embedded in the organization’s culture and one that will have limited benefit.

5 – Incentivize and empower action

Any kind of major change requires a cross-organizational effort. Embedding an ERM system is no different. A central team of SMEs – the risk management champions – is necessary to oversee and guide the process and to ensure that the system is being implemented properly. However, this team cannot and should not be expected to do all the work themselves. Beyond the capacity issues, that approach does not encourage wider ownership of the processes throughout the organization.

While the risk management champions guide the process, managers at all levels should be tasked with implementation and feel empowered to make these changes. Moreover, these changes should be seen as part and parcel of the manager’s roles, not an additional ‘nice to have’ activity, relegated to last place in their list of priorities. This incentivizes managers to action, as progress on the risk management implementation is a measurable activity against which their progress will be judged.

Involving managers at all levels means ensuring that tasks and deliverables are clear but also that the resources are available to make these changes. This includes additional staffing (either from in-house resources or contractors), an allocated budget and, most importantly, allocated time to complete project tasks. Without allocated time, even the most committed manager will struggle to implement something as complex as an ERM system. To be most effective, this resource allocation should be driven by the risk management champion from the very top and built into the organization’s resource planning.

6 – Generate short-term wins

Short-term wins help build momentum early on and show that the change is manageable and beneficial. However, rather than planning achievements that amount to little more than window-dressing (e.g. making some terminology changes or issuing general policy documents), short-term wins should drive tangible benefits. This could be as simple as improving or eliminating a process, which saves users time. Short-term wins should also reflect the vision of the project so the organization can see why the change is being made.

These short-term wins also help incentivize managers as they are able to tackle some easier tasks up front. In turn, this helps them make progress and develop momentum with their own department or team.

It is important to not be too cynical when identifying quick wins as the organization will quickly see through any measure that isn’t a demonstrable improvement. Ensure that quick wins create real value and benefit the organization.  Be sure to publicize this progress so everyone can see the changes that are underway and the improvements that are being created.  From a project management perspective, the project plan should schedule some easy wins up front.

7 – Build and maintain momentum

Momentum will begin with the quick wins noted in step 6 but it is important to maintain this progress. A project that has a burst of activity at the beginning and then stalls will struggle to get started again. To help maintain this momentum, the project plan should be ambitious but realistic.  It must push the organization to implement the system in a meaningful time frame while also taking account of other activities.

Regular deadlines and milestones that are enforced will help maintain progress and keep the project on track. However, even though hitting milestones early on is a great achievement, care should be taken to avoid a stop-start approach to the project which can also cause it to stall.

Two things can assist with developing and maintaining momentum: firstly, taking a ‘little and often’ approach and, secondly, becoming selectively lazy.

  • The little and often approach. In the same way that only going to the gym for the first two weeks of January doesn’t help your long-term fitness, short surges of project activity or overly short time frames are unlikely to work. Regular activities at a measured pace help develop the organizational habits and ‘muscle memory’ that are necessary to embed a system thoroughly. The project plan should include weekly and monthly activities to implement and embed the change across the organization. The project team will remain busy throughout the entire project period and there will be a great deal of behind-the-scenes activity.  The wider organization is much more likely to adopt the new system if it is introduced at a measured pace.
  • Secondly, be selectively lazy. This is a great way to develop efficiency, but it does not suggest that risk managers should sit back and let everyone else do the work. It means that you should look for easy routes for implementation, including overlaps with other activities and processes that can be adapted for the risk management system. For example, if you need to establish an organization-wide series of risk forums, look for other groups that already meet regularly. You are more likely to get a team to add 20 minutes each week to their regular meeting for a risk review than you are to get them to add an extra, hour-long, risk-specific meeting to their schedule. This still achieves the aim of organization-wide risk forums but without the demands of a completely new structure and meeting schedule. Look for other initiatives where there are shared requirements, even if the objectives might differ. This could be something like using an existing reporting application for risk reporting. This would cut back on the procurement and maintenance costs needed for a separate risk management platform and reduce the time required to train employees in how to use the system. The owners of the original system might also be incentivized to share the system, as their costs are then shared. Using systems and processes that are already in place has the added advantage of quickly building momentum, as the risk management system will be pulled along by the organization’s natural rhythm.

8 – Embed the system in the organization’s culture

Embedding a system is not the same as imposing a system.  An imposed system is something that can be jettisoned quickly and replaced, meaning that all the risk manager’s effort will have been for nothing. Embedding requires everything outlined above: a need and urgency, a clear vision, senior support, champions at all levels, top-down and bottom-up pressure, cultural alignment and a clear, sustained period of implementation.

If the risk management system is embedded successfully, a risk-led mindset will become ingrained in the organization and reflected in everything it does. An easy way to tell if a system is embedded or not is whether it still needs a group of champions to make it work.  If the risk management champions simply act as SMEs and aren’t needed to push things along on a day-to-day basis, then you can say that the system is embedded in your organization.

However, things do change and some maintenance is necessary to ensure that the organization doesn’t outgrow or deviate from the risk management system. The risk manager should conduct routine reviews of the system and any necessary maintenance to ensure that it continues to be fit for purpose.

It would be horrible to maintain an out-of-date, deeply embedded mindset that was no longer appropriate. In that situation, a new gap analysis and a series of system adjustments would be necessary, but this is less likely if the risk manager remains objective and responsive to change. When a system is no longer fit for purpose, it must be adapted and changed as soon as possible to avoid exposing the organization to unnecessary risk.


Risk management is a strategic, decision-making tool, fed by input from all levels of the organization.  If conducted correctly, it will significantly enhance the organization’s operations and build resilience. However, most organizations are already lean and workers at all levels will have fully-stocked schedules just to manage their existing responsibilities. Adding extra processes in these circumstances will result in groans from across the workforce.  Integrating a risk management system must be done with care in order to be effective.

A carefully planned, staged approach following the eight steps above can be used to implement an ERM system in most organizations. This will allow the organization to adapt to the new activities at a manageable pace while also ensuring that the risk management system is appropriate and fit for purpose. This will result in a fully-embedded risk management system that has been tailored to meet the organization’s specific needs allowing it to be truly risk-led.
