It's time for ERM.

• Author: Mehta, Sanjay
• Position: ENTERPRISE RISK MANAGEMENT

There's been an upsurge in enterprise risk management during the past few-years, driven by an increased focus on risk among governments and regulators and crises affecting some of the world's most successful companies. Despite that, many corporations have yet to embark upon an ERM program

It's arguable that the roots of enterprise risk management can be traced to the global economic transformation of the mid-1990s. At that time, companies began recognizing the rising importance of intangible assets such as brand, customer relationships and knowledge as sources of value and growth.

Unlike physical and financial assets, intangibles didn't lend themselves to protection through traditional risk management methodologies. A new, more holistic approach was required. The concept of ERM evolved to meet this need and by the turn of the century, seemed to have become well established among large corporations.

For example, a 2000 study by consultants Towers Perrin found that some 91 percent of companies were at least investigating ERM, and nearly half of respondents claimed that they had either completely or partially implemented the approach.

[ILLUSTRATION OMITTED]

Given such optimistic findings a decade ago, it would be reasonable to expect that by 2010 the vast majority of companies around the world would have deeply embedded ERM programs. Yet a report by Financial Executives Research Foundation (FERF) and BMR Advisors suggests that is not the case, since of some 40 ERM programs reviewed for the study, the majority had been in place for less than five years. What's more, a significant number of very large organizations seem to have no ERM program at all.

Companies taking the first steps along the ERM road can often find the prospect rather daunting--considering where they should start and what objectives should they set for the initial phase of implementation, for example, the first 100 days.

According to Phil Maxwell, director of Enterprise Risk at Coca-Cola Enterprises Inc., it's critical not to underestimate the importance of defining the goal of the program.

"The very first thing when designing an ERM program is to figure out what you're trying to get out of it," says Maxwell. "This dictates not just what you're going to do for the first 100 days, but sets the whole tone of the program."

For example, he says, "if your objective is simply compliance then you'll need a very different type of program than if you are trying to institute a decision-making discipline. It's crucial that everyone is on the same page. Defining the goal very clearly at the outset gives you a lens through which your ERM efforts can be focused, so that they concentrate on what really matters most."

It can be tempting to approach ERM with a compliance mindset--and particularly so if the program is created as an extension of an existing compliance-related function. However, David Fox, director of Risk...