I wonder if anyone realises that implementing ERM is actually bad risk management

According to COSO ERM, “enterprise risk management” refers to the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.

Doesn't sound too bad.

In this article I will argue that doing this, or rather doing what COSO, most consultants and most "best practice" guides suggest, is actually bad risk management.

For the sake of this article I will not argue that ERM is actually an empty concept with no foundation in science, promoted primarily by the Big 4, the IIA, software providers and some academics. That alone is enough to avoid the concept like the plague, but let's pretend we genuinely wanted to implement ERM. I will attempt to explain why it's a bad idea and bad risk management.

Getting buy-in for ERM

ERM offers us a holistic, transparent view of the risks affecting the strategic goals, etc, etc. Sounds noble. Here is the catch. On one side we need all managers, board members and staff to buy in. On the other side we have this message of a greater good.

Now ask yourself who will buy into the message that ERM offers?

Audit committee – absolutely!

Board members – most definitely!

CEO – most probably…

The rest of the management and staff – don’t give a sh@t… they couldn’t care less, all they think about is what’s in it for me and where is the money. Rightly so, let me add. Good luck selling the ERM message to them.

When I recently returned to a role as a CRO, I went with something much simpler and more appealing – probabilistic decision making. Without ever mentioning ERM I was selling different messages to different stakeholders: I talked about adding stochastic analysis to the budget with the CFO, with the head of strategy we talked about upgrading scenario analysis to Monte Carlo simulations, with the head of investments we talked about running simulations instead of traditional sensitivity analysis, with the head of the PMO we talked about schedule and cost risk analysis (SRA and CRA), and with the head of the commercial department we talked about his decisions and how we could make them probabilistic. Make no mistake, management may still ignore the results of the risk analysis, but at least there is no longer any debate about the need to carry out risk analysis for important decisions.

The most common barrier to implementing ERM is apparently getting management buy-in. Well, hopefully now you know why. It's a totally made-up problem. There is no issue selling probabilistic decision making.

Implementing ERM

This is basic project management. Which project is less risky: one where you try to implement an organisation-wide holistic initiative, or one where you run multiple pilots, making small changes one decision at a time? I feel weird even writing about it. It's risk management 101. Start small, pilot test, get quick wins, scale up.

When risk managers start an ERM implementation they are literally shooting themselves in the foot. Even with the best intentions, the organisation is just too complex and too volatile to implement an enterprise-wide project. Any enterprise-wide project. Don't ERP systems take ages and cost millions? Now imagine doing a project of similar scale without the budget. Insane.

As a returning CRO, I went the other way. I picked 5 decisions that would allow me to either save on insurance or reduce the cost of external financing through better probabilistic decision making and started implementing:

  • Stress test the company cash flow model:
    • The probability of positive cash flow / cash deficit
    • Probability of meeting / breaking covenants
    • Quantitative assessment of most strategic risks
    • Stress testing changes in demand or supply
  • Build a quantitative model for one of the insurance policies:
    • Fair deductible
    • Risk-adjusted limit
    • Renegotiated premium
  • Implement schedule and cost risk analysis into project management:
    • Risk-adjusted project budget
    • Risk-adjusted project schedule
    • Risk management plan for a pilot project
  • Integrate risk analysis into market forecasting:
    • Probability of positive / negative price movements
    • Forecasted changes in demand and supply
  • Integrate risk analysis into performance management and KPI:
    • Risk-based KPIs
    • Probability of achieving KPIs
    • Key risks associated with KPIs

A separate stream of work is culture and risk awareness. Humans are not inherently built for risk-based decision making, so it will take a lot of work to change attitudes and perceptions and to help management learn that openly discussing the effect uncertainty has on a decision pays off.

Anyway, whichever way you look at it, implementing ERM makes no sense. Prove me wrong in the comments below.

 

Comments

  1. Hans Læssøe

    I do not agree … entirely. For me an ERM program is valuable as a tool for the CFO/CRO (and not many others). The purpose and value comes from the overview it provides, especially on externally driven risks and opportunities.

    When focusing so very hard on linking risk management to explicit decisions, you risk (pun intended) employing horizontal (decision focused) silos rather than vertical (risk focused) – which to me is not an improvement, except for the fact that far too many decisions are taken without risk consideration at all, which is bad.

    To me, an ERM program should be efficient as it is background only, and be based on maybe one week of effort annually – at most. Standard reporting should be auto-generated (any Monte Carlo tool enables this) – and focus drawn upon, what has changed … and how we leverage that. As such, I see ERM data as the DRIVER of decisions, which would not otherwise have been timely considered. That’s the value.

    This is not proof, nor scientific … I still believe in it.

    1. Alex Sidorenko Post author

      You seem to have a very narrow view of ERM. What you describe is done anyway when risk analysis is integrated into corporate strategy or the cash flow model or the annual budget (all 3 are examples of decisions in my mind). So basically I do what you describe anyway but never call it ERM, because I don't need a new name for it, nor is it what is considered ERM by consultants and auditors.
