Practical Applications for ERM
ERM (Enterprise Risk Management) is a holistic way of
looking at the risks an enterprise must manage. For project managers who aren't
managing projects in an environment that enjoys this approach to risk
management, ERM may not seem relevant to their project but many of the features
that make ERM attractive to enterprises that have adopted them can help your project. Organizations are adopting some
of the precepts of ERM without realizing it, usually as a response to a
stakeholder demand to improve on their risk management.
Let me illustrate this with an example I recently reported
on in our web site's News & Events section (Steelmaker Fined). Essar is a large multi-national steel making
enterprise. They were recently fined a large amount and further chastised with
a surcharge as the result of a tragic accident at their facilities in Sault
Ste. Marie, Ontario, Canada. The accident cost a worker his life and the
Ontario authorities determined the accident was due to a violation of the
Ontario Health and Safety Act. The fine levied was $300K with a $75K
surcharge. While this may seem rather
large, the company took in over $450Bn (CAD) in gross revenue for Q1 2010. The
damage done to Essar's reputation by the negative press coverage the company
received and the responsibility for an employee's death were far more
Essar responded to the accident and subsequent investigation
by drafting and implementing a policy statement setting forth the company's
approach to managing risks in their health, safety, and environment areas. The
policy statement came from the company's CEO. Not only did it come from the
CEO, it was signed by him. This satisfies one of the first criteria for an ERM
program. Well it doesn't satisfy it 100% but it is close enough. According to
COSO (Committee of Sponsoring Organizations), the Board of Directors should be
setting policy. I would argue that the CEO is close enough to the board to lend
authority to the policy statement. The other key to an ERM program is the
definition of the organization's risk appetite. Essar's CEO has done this with
his policy statement; the policy states that the company's goal is an injury
free environment. This is just about as specific as you are going to get with a
risk appetite statement. The policy goes on to state that management will
ensure that this goal does not get compromised by any other business
objectives. The policy applies enterprise wide, to both operational activities
Project managers who toil in areas without the benefit of an
ERM program can still take advantage of the key elements, mainly support at the
executive level and direction on the organization's risk appetite as it applies
to your project. For executive read executive sponsor. For your purposes theexecutive sponsor can represent the organization. Your Risk Management planshould state the approach you intend to use for your project and your executive
sponsor should indicate approval by signing off on that plan, along with the
rest of your plans for the project. Formal acceptance can come at a Gate
Meeting just make sure you review your plan with the sponsor in advance to
ensure they are comfortable with it.
Project Managers who work in industries where injury and
death are a real risk can expect to receive direction and support in the form
of a risk appetite statement for safety issues. Your sponsor's appetite for
other risks will be determined when your budget for management is negotiated.
When discussing mitigation strategies for a specific risk try and analyze the
risk quantitatively. You may not be able to determine a dollar amount for the
risk event but you should be able to describe the impact in terms of schedule
slippage, quality degradation, or some measurement of impact to a project goal.
Ask the question "Would you be prepared to accept a slippage of 1 week if
this risk event happened?" If the answer to that is no, then your sponsor
should approve the budget for your risk mitigation strategy. If they are not
prepared to approve the strategy, the alternative is to accept the risk.
Your insistence on a statement of risk appetite should not be
used as a weapon with which to extort additional budget, or be perceived by
your sponsor as such. Avoid the appearance that you are using threats to
increase your budget by choosing the most cost effective mitigation strategies.
Don't sacrifice effectiveness to reduce costs but seek out strategies that will
be effective without a large money outlay. I don't offer this advice in the
area of health and safety because I have very little experience in this area,
but where threats are to goals such as schedule, budget, quality or feature set
are concerned seek out cheaper alternatives.
The ERM policy statement comes from the Board of Directors.
Essar's statement came from the CEO. Your project can benefit from a policy
statement even if you have to articulate the policy. Your risk management plan
should contain a description of the approach you plan to use for managing
project risk and that is where the policy is described. Senior management
endorsement should be formally obtained when your plans are approved at a Gate
Meeting. You can obtain your risk appetite statement piecemeal by ascertaining your sponsor's
willingness to accept or mitigate the key risks to your project. You may not
work in an organization that has adopted ERM but that doesn't mean you can't
take advantage of the best features of the methodology.