7-year evolution of enterprise risk management

Nonprofit leaders are only human, and preventing risk can often be overlooked.

During the recent Nonprofit Executive Summit in Santa Fe, N.M., Diana Del Bel Belluz of Risk Wise Inc. emphasized the importance not just of risk management but of enterprise risk management (ERM), that is, of using foresight to manage risks to the achievement of strategic objectives and the long-term survival of the enterprise.

She said the two themes of effective ERM are operational effectiveness and strategic positioning.

As essential as ERM is, however, Del Bel Belluz emphasized that it involves a change in thinking and cannot be achieved overnight. It means acknowledging that a new approach is coming and taking time to observe. In fact, she said, it could take as much as seven years to put an ERM approach fully into place.

The seven-year plan will look like this (understanding that the motto at the end of each year is “learn and adapt”):

  • Year 1. Design and introduce the ERM framework. Qualitative assessment of “strategic” risks. State risk appetite.
  • Year 2. Identify key enterprise risks. Name “risk owners.” Assess adequacy of risk controls/plans/treatments.
  • Years 3-5. Integrate ERM with business processes (e.g., planning, performance management, reporting).
  • Year 6. Extend scope to include “operational” risks.
  • Year 7. Introduce quantitative assessment of enterprise risks.