The short answer to this question is yes. ERM requires proper care and feeding, otherwise the time and energy expended to enter into a new risk-aware environment are for naught.
ERM requires thorough documentation. And no matter the form it takes (Word, Excel, PowerPoint, etc.), if the printed documentation is stored in a file, or under stacks of folders on a credenza in someone’s office, it will be of no use to anyone. If an electronic version is stored in a folder only to the see the light of day during an annual review, ERM is rarely a benefit. A purely electronic ERM process faces a similar fate; if the process is documented in ERM software, the icon can just as easily be lost among dozens of other icons on a desktop.
It matters little what the final form the ERM takes – the key is how the concept of risk awareness and risk management is integrated into your environment. A culture change in an institution isn’t necessary to incorporate ERM into professional lives. Culture changes can take many years to achieve. Rather, an infusion of risk awareness into the current culture is the goal, to raise the institution’s risk intelligence quotient, to introduce a new vocabulary and a new philosophy to work with your current strategic planning and daily operations.
An ERM can do far more than simply identify risk and controls in place to mitigate risk. A successful ERM should take an holistic approach, define the institution’s risk appetite. ERM is an invaluable methodology when infused into the day-to-day operation of the institution, during project planning and developing strategic plans.