Published in the Project Post-Gazette, January 2014
by Cheryl A. Wilson, PMP, PMI-RMP, CCEP
The implementation of Enterprise Risk Management (ERM) within organizations today is being driven by a very powerful motivation. This driving force, the Dodd-Frank Act (the Wall Street Reform and Consumer Protection Act, Public Law 111-203), adds newly imposed compliance regulations to an organization’s compliance programs, which must be extended to ensure conformity to these governmental requirements.
Organizations need to ensure they comply with Dodd-Frank by adopting a systematic approach for addressing the increased accountability imposed by the Act.
Compliance and risk professionals need to work together to ensure all additional conditions of Dodd-Frank are met within their organization. No two companies are alike; no two organizations are alike; what is common are the new regulations. Communicating early and often with all those affected will keep them aware of the upcoming changes demanded by this far-reaching and significant piece of legislation. On the positive side, these new compliance regulations should force organizations to revisit their business objectives, compliance programs and risk environments with a more deliberate approach toward risk reduction and regulatory compliance. The outcome of this proactive approach should be more robust compliance and risk programs.
This leads compliance and risk professionals to the question, “where do we start to ensure we are compliant?” Answering this question can be a major challenge for organizations when the perceived complexity of ERM, or a lack of understanding of its strategic benefits, creates barriers to moving forward. Another element facing organizations today is the pressure to reduce costs, and the mindset that any increase in risk management is a monetary hardship. Many organizations see risk management as a lower priority and may put off the essential steps needed to bring their current environment up to the standards imposed by Dodd-Frank.
This Risk Line will walk compliance and risk professionals through the steps of moving their organizations’ risk program from an informal risk management environment to a proactive and focused ERM environment that is more conducive to meeting the requirements of Dodd-Frank.
However, we need to make the normal legal disclaimer that we at the PPG are not offering nor making an offer of legal or financial advice in light of, or in compliance with, Dodd-Frank. Every reader is strongly advised to seek competent legal and/or financial advice that will place their organization in compliance with Dodd-Frank. OK, end of legal mumbo jumbo.
The approach below describes specific, tangible actions in an incremental, step-by-step methodology for starting an ERM environment that is designed to be very adaptable and flexible to your organization’s specific needs.
- Ensure the “Tone at the Top.”
For an organization to implement change enterprise-wide, the adjustment needs to be viewed as a significant and strategic effort that is endorsed by senior leadership and the board of directors. Communications and support from the senior leadership team (SLT) strengthen the message being delivered. Without this advocacy, the compliance and risk manager will find it hard to obtain needed resources and to advance new compliance requirements.
- Establish the correct roles for the compliance and risk professionals
In addition to having senior management set the tone of leadership for the Compliance and Ethics Program (C&E), the position of the C&E manager(s) needs to be high enough in the organizational chart to implement the vast changes required by Dodd-Frank. If the C&E manager is to be viewed with respect by other members of the organization, senior management needs to put the C&E position at a strategic level. Implementing the additional requirements into the business environment of the organization is critical to continued success.
- Conduct an initial enterprise-wide risk assessment of the organization and develop a management plan of action.
All functions and/or departments of the organization should be a part of the risk assessment: legal, HR, C&E, Audit, and IT. Organizations should consider setting up a senior executive steering committee responsible for overseeing the tracking, analysis, and implementation of the new regulations required under Dodd-Frank. Also, develop a matrix of the Dodd-Frank requirements that will directly and indirectly affect current organizational operations, based on the following proposed timeline:
  - short-term requirements (one or two years)
  - medium-term requirements (two to four years)
  - long-term requirements (five years and beyond)
- Complete a gap analysis of the existing risk management framework
Such an analysis enables the organization to identify gaps and significant shortfalls in its current risk management processes. Risk management activities are often focused on existing operational and compliance risks, as opposed to significant external, emerging or strategic risks such as the new requirements of Dodd-Frank. As new risks are identified in the risk assessment process, the knowledge gained will help the organization assess the connections between existing risk management processes and the most critical enterprise-level risks, so that management can determine whether there are gaps in how the most important risks are being managed. Further, it assists the organization in mapping risks to underlying objectives. This analysis becomes the baseline against which the organization will benchmark its performance and progress.
- Create a roadmap with milestones and action owners
Impact analysis should help your organization determine:
  - Current high risks
  - Resource requirements
  - Budget requirements
  - Compliance requirements
  - Regulatory reporting requirements
  - Possible new compliance automation
  - IT requirements for enterprise-wide reporting
  - Upgrades to proprietary applications needed to meet new regulatory standards
  - New rules on data retention
  - New data storage requirements
  - New data retrieval requirements
- Develop the new required reporting structure
The organization next needs to develop its initial approach to any required reporting including its communication processes, target audiences, and reporting formats.
- Develop the next phase of action, including audits and any necessary corrective action plans
The implementation of ERM is an evolutionary process that takes time to develop. The compliance and risk manager should also decide what types of ongoing training and communications should be deployed across the organization to continue to strengthen the organization’s risk culture and its compliance with Dodd-Frank requirements.
While most of the above steps are also conducive to building your organization’s ERM, if your organization does not have any processes in place, now is the time to implement your program. Senior management needs to oversee these critically important ERM practices and take this opportunity to enhance its processes and improve its ability to meet all required Dodd-Frank mandates.