Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
The National Institute of Standards and Technology (NIST) just issued the 2017-2018 Baldrige Excellence Frame Work. There were modifications to a number of categories such as Category 1 Leadership, Category 2, Strategy and Category 6 Operations. Included in the modifications were substantive additions for Cyber Attacks and Enterprise Risk Management (ERM).
In the discussion of the changes from the 2015- 2016 framework it is noted: “The future competitive advantage that will flow from good ERM is based on the holistic addressing of risk and the actions taken – including the pursuit of intelligent risks – as part of an overall strategic approach to managing organization performance.” (Baldrige.2017.45)
This statement makes two things clear. First, ERM is seen as contributing to the competitive advantage for any organization. Second, ERM is a holistic approach. The inclusion of ERM in the Baldrige Excellence Frame Work does two other things. It reinforces the momentum created by the inclusion of Risk Based Thinking in ISO 9001:2015 and the issuance by OMB of Circular A-123. Both actions expanded the reach and ultimately the interest in ERM. In addition, it signals that ERM is considered part of best practice. This means its use increasingly will become a standard by which all organizations can be evaluated by regulators and stakeholders.
To understand this process it is worth examining how the framework creates a holistic approach to ERM. Under the Strategic Development criteria 2.1, it is noted that management has a responsibility for assessing the “level of acceptable enterprise risk.” In the Work Processes foot note 6.1a (3) it is indicated that supply chain process need to be examined to avoid disruptions “trigged by climate change and other unpredictable factors.” Note 6.2c (2) under Operation Effectiveness stresses the extent to which the organization is prepared for disasters and emergencies. “Acceptable levels of risk will vary depending on the nature of your products, services, supply chain, and stakeholder needs and expectations.”
By including risk consideration in major elements of the operation; strategic, work processes and operational effectiveness, risk considerations are made holistic – enterprise encompassing.
While the Frame Work does not explicitly specify an ERM methodology, it stays close to its quality roots by emphasizing ISO 31000 and Plan Do Act Check (PDAC).
Is Baldrige An ERM?
Hertz (2016) in a discussion of the inclusion of ERM in the Baldrige Criteria, it is noted that ERM encompasses the following:
- Aligning risk appetite and strategy to evaluate strategic alternatives
- Making key decisions on risk avoidance, risk reduction and risk acceptance.
- Enhancing the organization’s capabilities to identify potential events and establish responses.
- Identifying and managing cross-enterprise inter-related risks and impacts.
- Seizing opportunities in a proactive manner.
- Improving the deployment of people and capital resources.
Assessing the Baldrige Criteria
Hertz believes that Baldrige Framework is ERM. (Hertz.2016)
I would respectively disagree. While the 2017-2018 framework does now include risk based criteria and is holistic, it is not an ERM system. It is an enterprise wide management framework, which incorporates ERM, just as it incorporates quality. These are subsets. Moreover, ERM has a specific set of methodologies which are increasingly being standardized. The standardization can be seen in the similarities between ISO 31000, which is referenced in Baldrige, OMB Circular A-125, COSO (Treadway Commission), and the GAO Green Book, to name but a few of the comprehensive standards.
With the addition of ERM to the Baldrige Excellence Framework, the momentum of risk and ERM is increased. It also signals that ERM is considered part of Best Practice. As such, it becomes another vehicle by which regulators and stakeholders can evaluate the performance of an organization. Accordingly, organizations which do not have ERM, might not be viewed as competitive and this could damage the organization’s reputation.
James Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten year’s supervisory and managerial experience. He has consulted on economic, quality and workforce development issues. He has also published numerous articles related to quality in government and risk analysis.
Baldrige, 2017, Baldrige Excellence Frame Work, 2017-2018, www.nist.gov/baldrige
Hertz, Harry, 2016 “Enterprise Risk Management Requires A Systems Perspective”, Insights, www.nist.gov/baldrige