Implementing ERM in any organisation depends on both the model to be applied, and the mindsets of those who will be doing the implementation.
ERM will challenge the organisation, but will ultimately improve its competitiveness, sustainability and growth over the long term. Organisations which intend to implement it should be prepared for more stringent governance, closer monitoring and evaluation of corporate performance. Staff who will have to deal with the nuts and bolts of ERM will need training to develop mindsets that will be attuned to the more structured and efficient processes and procedures of ERM.
From the outset, organisations should aim to develop an in-depth understanding of ERM. This can be done through training sessions for all levels. The sessions should raise awareness of the need for the framework and concentrate on objectives. If the model to be used seems unwieldy, awkward, vague or unfocused, treat it as an opportunity to re-engineer and apply customisation, i.e. adapt it to the respective environments in which it is to be adopted. But more often than not, firms have neither the time nor the appropriate resources to allocate to ERM. Thus, they tend to follow the model to the letter to avoid getting it wrong which may lead to a problem of “form over substance” instead of ensuring “substance over form”.
With ERM, there is no one-size-fits-all solution. It works best when interpreted according to the individual realities of the respective organisations. However, firms can be forgiven if they follow the rules to the letter without allowing themselves any leeway for customisation. They have, after all, “invested” in ERM to make it work. These costs need to be justified; so optimum use of them has to be made. Sometimes the Board and management may find it difficult to ascertain if the firm is doing things right if it doesn’t religiously follow the model’s systems, processes and procedures. It is difficult to advocate mindset over model or vice versa, when it comes to ERM. There are times when applying one is more suitable than the other.
Correct or appropriate application may also depend on factors like individual incidents, situations, business departments, units or varying environments. For instance, the Board may decide to apply ERM as the result of a risk incident, but at that point, no one in the organisation may be familiar enough with the model to customise it. Bearing in mind the fact that ERM should be done in-house, the model should be depended upon to establish the necessary systems, processes and procedures. But these will need to be aligned and refined as the organisation’s members become accustomed to dealing with them.
It does take time for people in any organisation to realise the implications of ERM. It is a system which has an effect on every other system in the business. The full extent of this does not sink in until you are fully immersed in it. This is why ERM advocates structured documentation, assessment, measurement and evaluation. These components, together with data/information collection can be time-consuming for the uninitiated but absolutely necessary. Trying to contextualise all this may add to the difficulty of implementing ERM that has been customised to the organisation’s requirements; Board and management may therefore decide that tried-and-tested methods are safest.
Overdependence on a model has its issues; it can sometimes encourage complacency. The idea that all the rules have been followed and the organisation’s risks have thus been managed, will take hold. The ability to rise to different challenges and mitigate different risks may not sufficiently develop, and the organisation may find itself unable to deal with a real-life risk incident that wasn’t a model scenario. But waiting for the right mindset to develop to effectively deploy ERM may not be a viable option. The most pragmatic approach may well be to use the model with the aim of developing a mindset that will sustain the practice of ERM regardless of which model is applied.
