Findings on the Process of Selecting and Implementing a Framework
Implementing an ERM framework typically takes longer than expected. More time seems to be spent getting buy-in for the concept from the C-suite and devising an appropriate model than one could ever predict. Rarely do off-the-shelf frameworks exist that can be employed in short order; plans usually have to be tailored to fit the organization's unique circumstances. Some of Edmonton's learnings from this ERM implementation include the following.
There is no perfect system. What works for one organization may not work for another. What is necessary is flexibility. Any system must be simple enough to understand, robust enough to be usable in any area of the organization, and powerful enough to add value in decision making. In addition, it may be preferable to create a hybrid approach, taking the best parts of two or more competing systems to create one that best meets the organization's needs.
No matter how good an ERM framework is, if senior leadership does not buy in to the framework, it cannot succeed, as management will need to see the usefulness and cost justification. Three frameworks were presented to senior leadership between 2005 and 2013; all were sound and based on extensive research and knowledge of risk management principles. All were found by senior leadership to be either too complex or not a fit to Edmonton's needs.
It may be problematic to try to roll out an entire system at once. In the initial ERM planning phases there seems to be a tendency to try to hit a home run; that is, to roll out a perfect ERM system at strategic, project, and operating levels all at once. It may be the most efficient in theory, but in practice it requires a prohibitive amount of up-front resources. It ignores the learning curve managers have in learning about ERM, how it applies to them, and how to do it. This leads to the next point.
It may be preferable to introduce one phase of ERM at a time. In Edmonton's case, previous attempts at an ERM framework were unsuccessful because they went against the stated wishes of the Corporate Leadership Team (CLT). One of the CLT's main drivers for action on ERM was the 2005 city auditor's report, which identified issues mainly with strategic risk. With this in mind, the CLT wanted primarily to focus just on strategic risk, not on an overall framework. In terms of a corporate rollout, then, phase 1 was to be strategic risk; project risk and operational risk could be dealt with later, as these were lower priorities for the CLT and the city auditor.
When working with operating departments on a framework (even a pilot), it is important to define clearly what you want to accomplish with the operating departments in question. In this case, it was clearly defined that the department owned the risk register and was responsible for its content; the ERM team's role was to maintain it. Going forward, the ERM team's role was also that of facilitator, coach, and mentor to the department staff.