Leverage ERM to ensure everyone at your firm owns and manages risk
By Louise Fleming, Partner, Aretai Consulting
There is a lot of talk in the market about enterprise risk management (ERM). You may think ERM is only for big corporates, but it is very well suited to the culture, ethos and structure of most law firms. It delivers a structured and consistent approach to understanding and managing risks across the organisation, where everyone is a risk owner and manager. In short, ERM:
- is the responsibility of the board and management;
- supports delivery of the organisation's strategic objectives;
- addresses all types of risk;
- focuses on managing risk within risk appetite; and
- provides an integrated framework for monitoring and reporting risk.
It is helpful to think of ERM as comprising five pillars. If you focus on the substance of ERM in each of these pillars and adjust the form to the scale of your organisation, you will be well positioned to achieve your goals.
1. Governance
Governance should be the starting point for any risk management framework. The following questions should be addressed:
- Does the board provide independent oversight of the firm's management of risk?
- Do the structure and reporting lines of the business enable the flow of information to manage the firm's activities?
- Does the firm have a healthy risk culture where senior management 'walk the talk' and set the tone from the top?
- Is the firm's strategy set out in clear business objectives that go hand-in-hand with a statement of the firm's risk appetite?
2. Risk
The best way to go about assessing risk is to follow four steps:
- risk identification: agree a risk index that categorises and defines risk so that everyone is speaking the same risk language;
- risk prioritisation: adopt a common approach to prioritising risks to ensure the appropriate level of management engagement;
- risk evaluation: evaluate whether the risks identified are within risk tolerance, taking care to manage the gap between inherent risk (before controls) and residual risk; and
- risk response: agree what you are going to do as a result of this assessment (i.e. accept, avoid, reduce or share the risk).
I am a big fan of the top-ten risks map. If you can map the impact and likelihood of your most significant risks and keep them on the management agenda, you are less likely to disappear in a mass of spreadsheets and models, losing perspective on the issue at hand.
3. Control
Risk controls should be proportionate to the risk being managed and, where possible, should start with the principle of trust. If we can empower fee earners to manage risk effectively, controls will serve to protect them. For example, an independent reviewer would provide a second pair of eyes or a policy would inform fee earners of regulatory obligations.
Controls should be business enablers, not business preventers. However, the principle of trust only works if key controls are followed.
4. Monitoring
Monitoring is a matter of capturing and analysing data to inform our understanding of risk. One form of monitoring is the process of recording risk events and near misses. Another example is internal audit. Monitoring should be used to evaluate whether controls are designed and operating effectively to mitigate risks and, where necessary, control issues should be addressed.
One thing we need to be very clear on here is that the ERM framework is completely undermined where firms invest in understanding risk and identifying the controls to mitigate those risks, but then fail to check those controls are actually being adhered to.
5. Reporting
The term 'reporting' is a catch-all for four risk management fundamentals.
- Information for decision making. This whole process is about making better strategic and operational decisions.
- Internal communication. This ranges from informal communication channels to formal reporting and independent whistleblower lines.
- External communication. This involves taking account of all stakeholder needs, from business owners to regulators, auditors, clients and prospective employees.
- Continuous improvement. An effective framework relies on a continuous learning process. However big the gap between the substance of ERM and current practice in your firm, now is the time to start to improve it.
Louise Fleming has 20 years' experience working with professional and financial services firms in business and risk management (www.aretai.net)