
The ERM tipping point: ERM has reached critical mass--time to get on board.

In 1962, Everett Rogers, a 30-year-old sociology professor, published a theory that would make him world renowned. Since then, best-selling author Malcolm Gladwell has made the term "the tipping point" a household phrase, but it was Rogers who coined it.

His theory proposed that every successful new innovation includes a distinct time line of acceptance. In the beginning, only true, forward-thinking innovators jump on board. Then come the pioneers, a group Rogers called "early adopters." Soon after, if an innovation is to become widespread, it catches on among the majority. Finally, even the laggards fall in line, leaving just a tiny percentage of people who may never adopt the change.

The genius of his "diffusion of innovations" theory was not simply a breakdown of who embraced the innovation. The brilliance was the precision with which Rogers was able to quantify when an innovation reached a tipping point. When was a budding innovation nearly certain to reach critical mass?

As it turns out, once the idea reaches a 15% to 18% adoption rate, it becomes very likely to begin increasing rapidly and eventually reach a saturation level of acceptance. After about one in six (the innovators and early adopters) accept something, the successive groups adopt the new idea in a typical bell curve progression and its market share (or diffusion level) takes off. (See Figure 1.)

As it turns out, Rogers' near-50-year-old theory may apply to enterprise risk management (ERM). According to the 2011 RIMS Benchmark Survey of risk managers (which was conducted by this magazine's publisher), 80% of organizations either have or are in the process of developing an ERM program. Perhaps more importantly, 17% of the respondents stated that their programs are fully integrated and address risk across the organization. This is a full 5% increase from the 12% who reported so in 2009.

These ERM uptake numbers were virtually identical to a recent study by APQC, a benchmarking nonprofit. Those surveyed reported that more than 90% of their organizations have or are building an ERM program, and 17% have "greatly integrated" programs.

Based on the results of these two reports, it would seem that ERM has finally reached a tipping point. The innovators and early adopters have now accepted it as a core business practice. And if Rogers' theory can be any guide, the majority will jump on board soon, leaving only the laggards still wondering what all the fuss is about.

What has been the driving force behind this critical increase in ERM adoption? Certainly, shareholder, regulatory and credit agency pressures have highlighted the need for improved risk management. But more than that, organizations are increasingly seeing the value of ERM as a way to improve their odds of success. They have come to recognize that ERM is much more than a simple list of steps to follow or boxes to check off. Instead, it is now being recognized as what it is: a process that leverages the mastery of risk management competencies along a maturity continuum to improve strategy. ERM is now being viewed as integral to the achievement of an organization's strategic objectives rather than just being an end in itself.



By viewing ERM as more than merely an identification, risk-sharing or even management-control exercise, organizations gain a deeper understanding of the strategic risks that can mean the difference between survival and extinction. They are able to see that strategy depends on operational risks, financial/legal implications and insurable hazards--all of which may transform how the organization chooses to deal with risk. (See Figure 2.) In full maturity, ERM handles the interrelated threats to an organization's entire risk portfolio.

If we use the RIMS definition of risk as "an uncertain future outcome that can either improve or worsen your position," the world has never been riskier. Given the complexity and speed of change in the world today, there is much more uncertainty than there was 50--or even 20--years ago. The key is to understand that risk is not only to be avoided or mitigated. Risks should be understood in light of an organization's strategic objectives and assessed for their relevance, importance and likelihood so that the known risks that could "improve our position" can be exploited, and those that could "worsen our position" can be managed.

Unfortunately, while incorporating ERM into strategy is how it creates true value, not every organization has come to this realization. In the 2011 RIMS Benchmark Survey, only one quarter of respondents found the primary value of ERM to be increased certainty for achieving the organization's strategic and operational objectives. Other respondents cited value protection and silo elimination as the primary benefits. Such returns are certainly helpful, but they hold relatively limited value when viewed in the context of the organization's overall objectives.

Moreover, by not exploring strategic goals, a company jeopardizes the utility of its entire ERM program. In his work at DePaul University's Strategic Risk Management Lab, Dr. Mark Frigo identified five reasons why ERM programs fail:

1. Risk management is not connected or integrated with strategy and strategy execution.

2. Risk assessments are focused on the "wrong" risks (i.e., not focused on strategic risks).

3. Risk management is not executed as a continual, repeatable process.

4. Risk management "silos" create barriers.

5. Risk management is not viewed as valuable and is under-resourced and under-networked.

ERM efforts generally fail when they are neither successfully linked to the organization's strategy development nor viewed as a core organizational competency. The bottom line is that if ERM is not put in the proper context, it will not be considered a priority within the organization.

So how do organizations achieve ERM success? There are five important steps to consider: organizational commitment, design, activation, monitoring/review and improvement. (See "The ERM Trajectory of Success.")

Throughout the process, the risk practitioner should be able to convey positive responses to the following key success questions: Did we achieve our stated ERM objectives? Did we help the organization create and capture the value intended in planning its strategy and operational objectives? Did we do it better than our competitors?

Enterprise risk management, as a business discipline, has been practiced by pioneering organizations for more than a decade. Its acceptance is now reaching critical mass. It is quickly becoming an indispensable tool for achieving business success. Those who lag behind will soon find themselves at a disadvantage. Start now and it might not be too late to stay ahead of the curve.

The ERM Trajectory of Success

At many organizations, risk managers have trouble convincing their bosses that enterprise risk management will bring value. With such a hurdle, it is no surprise that some programs have trouble getting off the ground--let alone helping the company improve its long-term strategy. But once a company does implement ERM, there is a way to help track its progress. The five stages of RIMS' "ERM Trajectory of Success" are designed to take an organization from its initial commitment through design, activation, monitoring and improving its ERM discipline. The goal is to answer the ultimate value questions. Did we achieve our stated ERM objectives? Did we help the organization create and capture the value intended in its strategic and operational objectives? Did we do it better than our competitors? How will we know? Even with these guidelines, not all ERM programs will succeed. But with a road map to follow and a way to chart its progress, every program will have a better chance.



Organizational commitment:

Align risk management objectives and performance indicators with organizational strategies, objectives and performance indicators

Establish purpose, principles, governance and risk strategy

Obtain approval of ERM principles, standards and practices

Design:

Consider external and internal scope and context

Collaborate on methodologies for shared understanding of critical risk

Align accountability with organizational objectives

Develop training materials

Activation:

Align ERM outcomes with organizational objectives

Detail measures for risk management performance vs. expected outcomes

Apply the approved ERM standards and process within the intended scope

Hold information and training sessions

Monitoring/review:

Monitor risks against established thresholds

Measure and report variations from expected outcomes

Report progress

Reassess priority risks

Assess organizational risk awareness

Improvement:

Based on monitoring and review results, improve risk management standards, practices and utilization

Reassess the risk framework and the effectiveness of its application

Reconfirm organizational commitment to the ERM program

Carol A. Fox, ARM, is the director of RIMS' strategic and enterprise risk practice.
COPYRIGHT 2011 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2011 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation: ERM IN ACTION
Author: Fox, Carol A.
Publication: Risk Management
Article Type: Survey
Geographic Code: 1USA
Date: Nov 1, 2011
