The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).

What matters more when implementing ERM – model or mindset?

Following an ERM model or framework has to be supported by the right attitude or mindset. When following an ERM model, users need to go beyond mere box-ticking. They have to understand what they’re doing, and why they’re doing it. ERM is not a one-off training session; it’s an ongoing exercise that evolves with the organisation. Ideally, it should involve everyone from the front desk to the Board Room, and everyone, from the Janitor to the Executive Director, has to be on the same page. They need to understand that the risks faced by their firm are everyone’s responsibility.

ERM is a system which has an effect on every other system in a business; it works based on this interconnectedness. Its success hinges on how information is channelled throughout an organisation so that it reaches its intended target in the intended manner. This is critical because today’s business landscape is dynamic and in a state of flux which requires the ability and agility to change at short notice. Traditional business practices are changing. Those who prefer to “do business as it has always been done” may find it difficult to cope, and their decision-making may suffer.

Detractors of ERM often claim that it is vague. But this is intentional as it leaves room for the organisation to customise its ERM approach. In seeking clarity, the organisation is forced to look deeper into its own systems and internal controls. This also pushes it to make honest self-assessments and acknowledge shortfalls which may be hampering its progress. The organisation’s culture is a major factor. Customising ERM involves persuading the people in the organisation to change their mindsets in order to develop a viable risk culture.

When people are given enough time to cultivate a risk-aware mindset, they will be more accepting of it. But this needs to be developed in tandem with training and consciousness-raising. Time may be a critical factor, particularly in an environment which is dynamic and requires rapid decision-making. The organisation may not have the luxury of time to allow the organic development of suitable mindsets and an appropriate risk culture. It may then have to rely on models to support its implementation of ERM, while continuing to encourage the development of the right mindset in parallel.

The danger here is that while the Board has laid the strategy for management to operationalise, the staff may be working without a complete understanding of what they are doing. If there is not enough clarity from the outset, it will only get harder for them to “join the dots” and make sense of ERM’s long-term objectives. The implementation of ERM may be retarded or fail to progress beyond a tick-the-box exercise. Staff will follow the model but be disengaged from it because they don’t understand its underpinning principles. They won’t understand why they’re doing what they’re doing.

Frameworks work when the right mindset builds upon them; the best frameworks are open-ended and allow for customisation. They are inclusive of many perspectives and take into account varying cultures and even sub-cultures that may occur in the organisation’s subsidiary companies, which could be operating in different regions. These are built-in, concrete attempts at accommodating the various mindsets that exist within an organisation so that staff at different levels can be comfortable with ERM. The frameworks of ERM are progressive in that they recognise the need for a risk-attuned mindset.

Some companies may find themselves preoccupied with following an ERM model to the letter, concerned that deviating from it in any way will result in failure. As a result, the Board and management may impose practices which feel alien to staff, who may retaliate by being resistant to the process, rather than cooperating to make it work. Companies which are considering implementing ERM should therefore think the process through thoroughly, and not prioritise achieving results over everything else. Their due diligence should include doing what is right for stakeholders, not just shareholders. Employees are one stakeholder group which will inevitably be affected by the changes brought about by ERM.

At the root of the matter is change, and the organisation’s ability to effect this for its own improvement. ERM challenges firms to change the way they think about doing business. It prods them into considering how far they can go with what they have, and how to make the best of always-limited resources. It guides them when assessing the impact of the business on the greater environment, community and society, and how these in turn can influence the business. ERM models provide the tools with which to create sustainable growth, but like all tools, they need to be understood and properly applied to obtain optimum results. The models are only as effective as the minds that use them.
