
Risk-Aware Decision-Making: Introduction to Enterprise Risk Management (ERM)

“Everyone thinks of changing the world, but no one thinks of changing himself.” ― Leo Tolstoy

Undoubtedly, many team members within your organization joined your cause with a dream of making your community a better place. Changing the world is a noble dream, but perhaps impossible without first changing ourselves.

The discipline of Enterprise Risk Management (ERM) asks organizational leaders to change themselves—by evolving the way they conceptualize risk and the future. Risk management asks us to anticipate the future and prepare for the potential negative events that our organizations will face, but smart practitioners of risk management recognize that the future is impossible to predict. Uncertainty is a fact of life. Preparing to survive uncertainty is vastly different from preparing to survive a list of specific, individual risk events that might or might not occur. Fostering an ERM culture means considering uncertainty whenever your team makes decisions about your organization’s future. Reflecting on the uncertainties of life allows teams to better prepare for the many possible outcomes they might face, making their organizations more resilient and adaptable—making them better able to change the world while surviving in a world that constantly changes itself.

Risk managers and risk management thought leaders around the world continue to question and challenge the industry definitions of risk and ERM, while the discipline continues to morph and evolve. One thing many critics agree upon is that ERM encompasses both operational risk management and strategic risk management, focusing heavily on enhancing governance capabilities and improving management decisions.

Risk management thought leader Norman Marks, co-author of World-Class Risk Management for Nonprofits (published by Nonprofit Risk Management Center, 2017), explains that, “enterprise-wide risk management should be about helping people make intelligent and informed decisions. ERM should not be the end itself.” Marks also points out that risk management is too limiting when it focuses on the management of specific risks. Instead, Marks calls upon leaders to focus on managing their businesses as well as possible, doing so by thinking about risk and uncertainty when decisions are being made. Marks illustrates his points in his May 12, 2018 blog post, in which he challenges a cyber risk oversight process recommended for governing boards by the National Association of Corporate Directors (NACD). Marks also references fellow risk management thought leader Grant Purdy, who explains in an interview with RISK-ACADEMY’s Alex Sidorenko that, “…the game we should be involved in is helping people gain sufficient certainty about when they make a decision, that it will contribute to the organization’s purpose.” Purdy and Sidorenko go on to discuss how all decision-makers within an organization must take risks in order to achieve their goals, and that “informed risk-taking” occurs when leaders are capable of challenging the assumptions that influence their decisions. This idea connects back to Norman Marks’s blog post, which explained that “The executive team should make sure they understand those assumptions, challenge them as needed, and then adapt as conditions change.” That adaptability is what enables organizations to thrive in an uncertain, mercurial world.

If your team is considering risk and uncertainty when you make decisions—and questioning your own decisions in order to improve them—then you are already on the path towards ERM. Improved decision-making capabilities will make you better stewards of your organization’s mission and assets.

How can a team begin to cultivate an ERM culture? Perhaps by recognizing the limitations of traditional risk management, which focuses on protecting assets and plans by preventing—or reducing the frequency and severity of—events that affect an organization negatively. Diana Del Bel Belluz, an experienced ERM consultant based in Toronto, Ontario, explains that ERM has great potential to deliver higher value to an organization: “For me, ERM is focused on the strategic objectives of the organization and therefore more closely linked to the value-creation chain. Traditional risk management tends to focus on value protection, usually in operational or functional silos.” This sentiment suggests another key to the ERM puzzle: an inclusive effort that relies on the collaboration of teams across an organization. Inviting diverse and even conflicting perspectives into your decision-making forums will offer a richer understanding of your organization’s context, the assumptions your team holds, and the many ways the future might unfold before you.

The following questions might help your team further distinguish conventional risk management from ERM, and move the needle towards ERM if you aspire to enhance your capabilities as mission stewards. Notice how the ERM questions focus on decision-making, challenging assumptions, and creating value for the organization through informed risk-taking.

Traditional risk management asks:

  • What could go wrong? What is the worst-case scenario and how can we prevent it?
  • How can we prepare to survive a crisis or emergency?
  • Are individual risks being managed appropriately?
  • Is each department or team within our organization effectively managing its own risks?
  • What are our compliance obligations?
  • Do we have adequate insurance?

Enterprise Risk Management (ERM) asks:

  • As a team and as individual contributors, are we effectively considering risk and uncertainty whenever we make decisions?
  • How can we make better choices today knowing that our decisions are based on limited information, and we can’t fully predict what will happen tomorrow?
  • What are the assumptions we are relying on to make this decision? How can we challenge these assumptions to validate our decision or make a better decision?
  • What risks do we need to take in order to achieve our strategic goals?
  • Are we taking the right risks or enough risk to deliver our mission?
  • Is risk-taking across the organization at an acceptable or appropriate level in order to achieve our objectives?

Today, more and more ERM frameworks exist and depict what ERM should supposedly look like in an organization: changing structures, reporting loops, risk assessment, and risk management processes, and ensuring the holistic integration of these processes across all departments or functions. Too much of the ERM literature focuses on changing and implementing risk management processes and tools, rather than on measuring the outcome we should expect if ERM is actually taking place: the best possible decisions made with limited information about an unclear future. Rather than burdening your team with over-engineered risk management processes and dated tools that offer few actionable insights, focus on cultivating deeper change by becoming better stewards, better decision-makers, and better managers of your mission. This is the essence of ERM.

Explore additional resources from the Nonprofit Risk Management Center to begin fostering a culture of ERM in your organization: