Enterprise Risk Management

Operational effectiveness

New report focuses on key ERM issues

By Michael J. Moody, MBA, ARM


Rarely does a week pass without some new white paper or study about enterprise risk management (ERM) hitting risk managers’ inboxes. This is not surprising, since the failures of risk management have been blamed as a major contributor to the country’s recent financial problems. Initially, there was a mad scramble to develop new and improved risk management standards to prevent a similar situation.

At that point, it appeared that many risk management experts had “found” the secret to successful risk management programs. The secret was called enterprise risk management. As a result, the several years since have seen a plethora of additional frameworks and other thought papers. However, it would appear that many of these were written just to promote a specific approach.

There are really only a few seminal papers that have provided valid information about how ERM programs should be designed and implemented. Among the more important works are the initial 2004 COSO framework, along with its 2009 update. The Risk and Insurance Management Society’s 2009 framework and, more recently, the ISO 31000 requirements are also considered to be landmark documents.

Next steps in ERM evolution

However, another document has been getting quite a lot of attention. It is a white paper titled “Enterprise Risk Management: Insights & Operationalization,” published by the Financial Executives Research Foundation (FERF), an affiliate of Financial Executives International (www.financialexecutives.org). In the introduction to the study, the author points out that the November 2009 COSO-sponsored paper, “Effective Enterprise Risk Oversight: the Role of the Board of Directors,” poses an interesting question. It states: “…the challenge facing Boards is how to effectively oversee the organization’s enterprise-wide risk management in a way that balances managing risks while adding value to the organization.” It is this effective “operationalization” of ERM that FERF addresses in its paper.

The study addresses several important issues. First and foremost, the author emphasizes that the study “does not present an analysis of any particular framework.” Nor, as the paper states, does it try to put forth an alternative framework. Obviously, FERF believes that there has been sufficient information provided on this subject matter already. Rather, the study’s goal is to “provide insight into the current state of ERM operationalization.” Further, the paper tries to draw some conclusions regarding the likely direction of ERM in the future.

Results of the study are derived from a review of the ERM programs at 40 large, Fortune 500-type organizations, and they include detailed interviews with 25 of these companies. Despite the fact that ERM has been around in one form or another for more than a dozen years, most of the participants indicated that their programs were in a “comparatively early stage of development.”

The study confirms that there were three key drivers behind today’s decisions to establish ERM programs. One of the most important drivers of the current interest in ERM was that top management wished to improve their organization’s risk management efforts.

Frequently, the increase in this interest has grown out of a change in leadership, such as a new CEO or board member. Additionally, these types of changes could come from activities of a “risk champion” from within the corporation. Another frequently noted ERM driver was a reaction to some “internal or external event that acts as a catalyst for change.”

Finally, new legal or regulatory requirements were cited as the third major class of change agents. A frequently reported requirement was the Sarbanes-Oxley Act of 2002, since many ERM programs were extensions of corporations’ SOX efforts. Many survey participants indicated that the changes that have been occurring within the rating agencies are a key driver. However, most participants indicated that the new SEC Proxy Disclosure Enhancement Rule (Rule 33-9089) has had the most impact on the survey group.

Operationalization of ERM

The report highlights the five broad classes of ERM activities on which most corporations focus. Among these activities are:

• The gathering and organizing of “risk intelligence”

• Cross-functional risk discussions

• Risk scoring and prioritization

• Risk response plans

• Reporting

Interviews with the participants pointed out that there is no specific sequence in which these activities occur. In fact, for the most part, these activities can take place simultaneously and may well overlap each other. The only exception to this is when organizations are just beginning to implement an ERM program and intelligence gathering is a natural first step. Additionally, these activities are not considered one-time activities, but rather are considered to be ongoing.

Most participants agreed that their ERM programs began with senior management highlighting the major risk categories faced by the corporation. This list is then fine-tuned with input from leaders of the business units and corporate functions. Long lists are typically trimmed down to a “top 10” list during these cross-functional discussions. These types of discussions are considered very important by many participants “because they bring together insights and inputs from across the business and therefore play a critical role in ensuring truly enterprise-wide engagement.”

Risk scoring, according to the study, is typically prepared by using “heat maps” that measure both the likelihood and the severity of risks. While some participants voiced concern that heat mapping is insufficiently robust, it remains the dominant approach to risk scoring. Once measured, decisions are then required regarding risk responses.

In essence, the responses boil down to four choices that have long been the standard options in risk management: accept the risk, share the risk, mitigate or reduce the risk, or avoid the risk. Reporting is the final critical activity. Here the participants pointed out the fine line that needs to be maintained to keep senior management and the board fully informed without “getting bogged down in details.”

Miscellaneous observations

The FERF report provides an excellent background piece for any organization that is considering advancing the state of its ERM programs. In addition to the operationalization issues noted above, the report also addresses several other areas of interest. Insights provided by the participants can lead to a much better understanding of the entire ERM process.

Risk culture has been and continues to be one of the hottest topics, according to the survey. Most believed that “development of a risk culture has become an often-stated goal of ERM,” but it has proven to be more difficult to achieve. This is primarily because the relationship with the various players within the corporation is one of the keys to determining the success of the program.

Survey participants indicated that it was impossible to impose a risk culture; rather, they stated that a risk culture must “develop naturally, one encounter at a time.” They also pointed out that “one size fits all” simply does not apply to risk culture, or to the ERM process, for that matter. Based on the study, “securing engagement from the business is perceived to be among the top priorities for a successful ERM program,” which is what makes the establishment of a positive risk culture so important.

Another observation of interest is the staffing size of the ERM team, given the size of Fortune 500 organizations. Study participants confirmed that overwhelmingly, the “ERM team” was staffed by a very small group. Many indicated that the function was staffed in their company by “an army of one.” Most also agreed that the function “does not actually require large teams.” Some participants did note that ERM programs should not rely too heavily “on the personal ‘equity’ of any one person.” This could become an issue if that person is no longer involved with the organization.

Conclusion

ERM studies abound, and while some of them are of questionable value, the recent study from FERF contains many good points. Most of the information is provided by risk management professionals who are implementing ERM programs for their corporations. The insights that are shared are equally applicable regardless of which framework an organization may choose or even the size of the organizations. While some of the information is common sense, much of it is easily forgotten when trying to tackle a broad topic like ERM. Risk management professionals who are in the process of updating their current ERM programs would benefit from most of the data that is supplied in this study.
