Practical Applications for ERM

ERM (Enterprise Risk Management) is a holistic way of looking at the risks an enterprise must manage. For project managers who aren't managing projects in an environment that enjoys this approach to risk management, ERM may not seem relevant to their project but many of the features that make ERM attractive to enterprises that have adopted them can help your project. Organizations are adopting some of the precepts of ERM without realizing it, usually as a response to a stakeholder demand to improve on their risk management.

Let me illustrate this with an example I recently reported on in our web site's News & Events section (Steelmaker Fined). Essar is a large multi-national steel making enterprise. They were recently fined a large amount and further chastised with a surcharge as the result of a tragic accident at their facilities in Sault Ste. Marie, Ontario, Canada. The accident cost a worker his life and the Ontario authorities determined the accident was due to a violation of the Ontario Health and Safety Act. The fine levied was $300K with a $75K surcharge. While this may seem rather large, the company took in over $450Bn (CAD) in gross revenue for Q1 2010. The damage done to Essar's reputation by the negative press coverage the company received and the responsibility for an employee's death were far more consequential.

Essar responded to the accident and subsequent investigation by drafting and implementing a policy statement setting forth the company's approach to managing risks in their health, safety, and environment areas. The policy statement came from the company's CEO. Not only did it come from the CEO, it was signed by him. This satisfies one of the first criteria for an ERM program. Well it doesn't satisfy it 100% but it is close enough. According to COSO (Committee of Sponsoring Organizations), the Board of Directors should be setting policy. I would argue that the CEO is close enough to the board to lend authority to the policy statement. The other key to an ERM program is the definition of the organization's risk appetite. Essar's CEO has done this with his policy statement; the policy states that the company's goal is an injury free environment. This is just about as specific as you are going to get with a risk appetite statement. The policy goes on to state that management will ensure that this goal does not get compromised by any other business objectives. The policy applies enterprise wide, to both operational activities and projects.

Project managers who toil in areas without the benefit of an ERM program can still take advantage of the key elements, mainly support at the executive level and direction on the organization's risk appetite as it applies to your project. For executive read executive sponsor. For your purposes theexecutive sponsor can represent the organization. Your Risk Management planshould state the approach you intend to use for your project and your executive sponsor should indicate approval by signing off on that plan, along with the rest of your plans for the project. Formal acceptance can come at a Gate Meeting just make sure you review your plan with the sponsor in advance to ensure they are comfortable with it.

Project Managers who work in industries where injury and death are a real risk can expect to receive direction and support in the form of a risk appetite statement for safety issues. Your sponsor's appetite for other risks will be determined when your budget for management is negotiated. When discussing mitigation strategies for a specific risk try and analyze the risk quantitatively. You may not be able to determine a dollar amount for the risk event but you should be able to describe the impact in terms of schedule slippage, quality degradation, or some measurement of impact to a project goal. Ask the question "Would you be prepared to accept a slippage of 1 week if this risk event happened?" If the answer to that is no, then your sponsor should approve the budget for your risk mitigation strategy. If they are not prepared to approve the strategy, the alternative is to accept the risk.

Your insistence on a statement of risk appetite should not be used as a weapon with which to extort additional budget, or be perceived by your sponsor as such. Avoid the appearance that you are using threats to increase your budget by choosing the most cost effective mitigation strategies. Don't sacrifice effectiveness to reduce costs but seek out strategies that will be effective without a large money outlay. I don't offer this advice in the area of health and safety because I have very little experience in this area, but where threats are to goals such as schedule, budget, quality or feature set are concerned seek out cheaper alternatives.

The ERM policy statement comes from the Board of Directors. Essar's statement came from the CEO. Your project can benefit from a policy statement even if you have to articulate the policy. Your risk management plan should contain a description of the approach you plan to use for managing project risk and that is where the policy is described. Senior management endorsement should be formally obtained when your plans are approved at a Gate Meeting. You can obtain your risk appetite statement piecemeal by ascertaining your sponsor's willingness to accept or mitigate the key risks to your project. You may not work in an organization that has adopted ERM but that doesn't mean you can't take advantage of the best features of the methodology.