The Language of Risk

Tiah recalls, for example, that the language that the project management group used to identify and manage risk in its work differed, for example, from the language and approach that other operational areas used to identify and manage risk.

The risk register the company developed in 2004 began to bridge this gap. "But we did not quite succeed in getting the consistent methodology that we were seeking," Tiah acknowledges.

Outside Help

So, Phoenix Park sought external help. Dominic Rampersad, Phoenix Park vice president of finance and information technology (IT), played an active role in the selection of a consulting firm. The selection process adhered to the company's existing services procurement methodology, which sounds rigorous based on Rampersad's detailed evaluations of numerous potential consulting partners.

"Many of the consultants to whom we spoke had their own tools and techniques," he recalls. "Those firms wanted to come here and strap these systems onto the organization and then teach the organization how to use them. We already had a fair amount of tools that we had invested in. We wanted to select a consulting firm that was willing to look at what the organization already had in place and then integrate that with the ERM tools and processes that they brought with them."

Tiah agrees. "We worked with Aon to design an approach that utilized all of the beneficial aspects of existing ERM standards as well Aon's own methodology and insights," he explains. "This approach was tailored it to suit our specific needs while aligning with our processes and our culture."

Aon fit the bill, PPGPL's selection team decided. Taylor emphasizes the importance of tailoring her firm's ERM methodology to the client's culture, processes, and information systems. Although nearly every outside vendor will (and should) note the importance of respecting a client company's culture, Taylor asserts that the respect begins with an understanding of the culture.

"This means finding out what's in place, what's been done to date, who the players are, what will be effective, and what will not be," she notes. "An approach that works well in one company may fall flat in another company. What you don't want to do as an organization is to say to your people, 'OK, here's ERM, and it is something completely different than what we've been doing.' This not what it is. ERM is about enhancing existing processes and practices."

Rampersad agrees, and he characterizes the ensuing work, which took place over the course of roughly 12 to 14 months beginning in October 2008, as "partnering."

Assembling an All-Star Team

Tiah identifies three objectives that guided the 2008 initiative (and still guide the ongoing effort today):

1. Make ERM a sustainable effort that permeates the entire organizational culture.

2.Integrate risk thinking (i.e., risk identification, risk assessment, and risk information) into every decision-making process at every level of the organization.

3. Leverage identified risks as opportunities to add value to the organization through innovation and continuous improvement.

The sustainability that PPGPL sought required the common risk language that Tiah describes.

"Every decision we make," he explains, "from the lowest level in the organization right up to the highest level of governance at the board level, is steeped in risk: What are the risks? What are acceptable levels of risks? How do we manage these risks within a desired level? How do we transfer other risks? What are suitable mitigations? This approach to risk will help us to make better decisions ... and ultimately to add value to the organization. If we are excellent with ERM, it positions our business for excellence."