Sorry to be heavy on acronyms, but the “ERM” abbreviation for Enterprise Risk Management has a firm place in the management practices of larger business organizations. Specific objectives and process steps vary from one ERM program to another, but every ERM framework involves identifying and naming the risks affecting a business, understanding those risks, and deciding what action (if any) to take to mitigate them. Because the risks span financial, operational, strategic, and legal/compliance categories, the ERM process in a larger company involves a multi-disciplinary team and a significant allocation of resources. In most cases, however, a small or medium-sized business (the SMB acronym is now commonplace) cannot afford that kind of dedicated ERM effort. But the same methodology should be applied, in a scaled-down way, to every business.
Every SMB owner probably has the most critical business risks on his or her radar. But some important risks may have been overlooked or not fully understood. Risk magnitude may not have been rigorously assessed. And mitigation steps may not have been identified, developed, implemented or monitored. A robust ERM review will almost always turn up some important risks that need better recognition, assessment and mitigation.
ERM is more than a conversation with your insurance agent (although he or she is an important member of the team). It is worth a two-hour exercise with your legal, insurance, and accounting advisors, along with your business team, to identify and name the key risks, assess their likelihood and consequence, and then start following a written plan to mitigate them. And the more business team leaders you include, the more likely you are to get a full picture of the business risk environment and establish common vision and objectives for the ERM process.
A senior manager should “own” the ERM process and start by creating a written framework that provides structure for categorizing risks and quantifying their likelihood and consequences. In many SMBs, this should be the CEO. In other cases, especially where attorney-client privilege might be important for a candid discussion of sensitive risks, it may be appropriate for legal counsel to manage the ERM process. All of the team members should collect their thoughts within this framework and come ready for a thorough but efficient discussion. The meeting results should be documented and then revisited at a suitable interval. Depending on the risks identified and the gaps in understanding, assessing or mitigating them, quarterly reviews might be appropriate initially. Once a good understanding has been documented, an annual or semiannual review routine might be sufficient. Once the process is well underway, you should report to your company’s board of directors on ERM efforts and results, and ideally make an annual ERM report a standing item on the board calendar.
Or, if this sounds like too much big company bureaucracy, just bring the team together to talk about risks. If there are no surprises or questions, maybe your informal ERM process is sufficient. But if there are, you may conclude that more ERM effort is a worthwhile investment for your SMB.