Enterprise Risk Management

Enterprise Risk Management (ERM) is a rigorous approach to assessing and addressing risks from all sources that threaten the achievement of an organization’s strategic objectives. ERM treats risk management holistically and strategically.

Incorporating ERM at state agencies

In 2006, Washington state joined other private and public sector entities striving to implement ERM as a corporate or statewide practice. Initial efforts involved a maturity model assessment tool, which the Office of Risk Management (ORM) risk specialists used to help state agencies assess their risk management commitment and activities.

ORM helps agencies using ERM

ORM is committed to helping agencies understand and apply ERM through ongoing training, information and resources. Part of this educational process is available through the Risk Management Basics manual, an ORM manual that defines ERM in detail. For more information call Leslie Atkinson at 360-480-9065.

Risk can be created by any event or outcome that has the potential to interfere with an agency’s ability to achieve its mission on time.

Enterprise Risk Management (ERM) is the discipline and its associated processes of applying a risk evaluation to each agency goal, identifying root causes of these risks, determining—as an enterprise—what changes (i.e., risk treatments) are best to address the root causes, and then monitoring the success of the risk treatments. Treatments can include:

  • Transferring the risk
  • Minimizing the negative outcome
  • Preventing the outcome
  • Eliminating the activity associated with the risk

For example, insurance transfers the possible cost of risk to the insurance company. An early resolution program minimizes the cost of negligence by resolving claims before they become lawsuits. Changing a policy and procedure so that employees know what to do in certain situations can prevent negative outcomes. Abandoning an activity that had resulted in injury eliminates the risk posed by the activity.

How do you get there?

  1. Gather a focus group consisting of a risk-savvy person from each area (division, department or function) of your agency.
  2. Brainstorm and list any event (risk) that could interfere with the ability to carry out your agency’s mission.
  3. Prioritize the risks from high to low.
  4. Identify and develop responses for the high risks first.
  5. Establish an aggressive timeline and designate accountable personnel to help ensure the risk responses are carried out.
  6. Identify and develop responses for the moderate and low risks and carry out step 5 above for them.

When you have completed steps 1 through 6 you have started the ERM process.

What else can be done to move closer to ERM?

  • Successful ERM must have the support of top management. Before starting the process above, seek the absolute commitment of your agency director and assistant directors.
  • Establish an ongoing ERM steering committee. Have the committee meet on a regular basis to discuss losses and identify new risks.
  • Develop an annual risk assessment questionnaire process to be completed by all employees.
  • If possible, create a full-time position for the agency risk manager. ERM requires attention.
  • Have a process in place to ensure accountability for losses. Require the accountable people to respond to losses with a report on 'why did this happen?' and 'how can it be prevented from happening again?'
  • Concentrate on helping the entire organization shift its focus away from crisis response and toward preventative action.
