According to COSO ERM, “enterprise risk management” refers to the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Doesn't sound too bad.
In this article I will argue that doing this, or rather doing it the way COSO, most consultants and most "best practices" suggest, is actually bad risk management.
For the sake of this article I will not argue that ERM is an empty concept with no foundation in science, promoted primarily by the Big 4, the IIA, software providers and some academics. That alone is enough to avoid the concept like the plague, but let's pretend we genuinely wanted to implement ERM. I will attempt to explain why it's a bad idea and bad risk management.
Getting buy-in for ERM
ERM offers us a holistic, transparent view of the risks affecting the strategic goals, etc, etc. Sounds noble. Here is the catch. On one side we need all managers, board members and staff to buy in. On the other side we have this message of a greater good.
Now ask yourself who will buy into the message that ERM offers?
Audit committee – absolutely!
Board members – most definitely!
CEO – most probably…
The rest of the management and staff – don’t give a sh@t… they couldn’t care less, all they think about is what’s in it for me and where is the money. Rightly so, let me add. Good luck selling the ERM message to them.
When I recently returned to a role as a CRO, I went with something much simpler and more appealing: probabilistic decision making. Without ever mentioning ERM, I was selling different messages to different stakeholders: with the CFO I talked about adding stochastic analysis to the budget, with the head of strategy about upgrading scenario analysis to Monte Carlo simulations, with the head of investments about running simulations instead of traditional sensitivity analysis, with the head of PMO about SRA and CRA (schedule and cost risk analysis), and with the head of the commercial department about his decisions and how we can make them probabilistic. Make no mistake, the management may still ignore the results of the risk analysis, but at least there is no longer any debate about the need to carry out risk analysis for important decisions.
The most common barrier to implementing ERM is apparently getting management buy-in. Well, hopefully now you know why. It's a totally made-up problem. There is no issue selling probabilistic decision making.
Implementing ERM
This is basic project management. Which project is less risky? One where you try to implement an organisation-wide holistic initiative, or one where you run multiple pilots making small changes one decision at a time? I feel weird even writing about it. It's risk management 101. Start small, pilot test, get quick wins, scale up.
When risk managers start an ERM implementation they are literally shooting themselves in the foot. Even with the best intentions, the organisation is just too complex and too volatile to implement an enterprise-wide project. Any enterprise-wide project. Don't ERP systems take ages and cost millions? Now imagine doing a project of similar scale without the budget. Insane.
As a returning CRO, I went the other way. I picked 5 decisions that would allow me to either save on insurance or reduce the cost of external financing through better probabilistic decision making and started implementing:
- Stress test the company cash flow model:
  - The probability of positive cash flow / cash deficit
  - Probability of meeting / breaking covenants
  - Quantitative assessment of the most strategic risks
  - Stress testing changes in demand or supply
- Build a quantitative model for one of the insurance policies:
  - Fair deductible
  - Risk-adjusted limit
  - Renegotiated premium
- Implement schedule and cost risk analysis in project management:
  - Risk-adjusted project budget
  - Risk-adjusted project schedule
  - Risk management plan for a pilot project
- Integrate risk analysis into market forecasting:
  - Probability of positive / negative price movements
  - Forecasted changes in demand and supply
- Integrate risk analysis into performance management and KPIs:
  - Risk-based KPIs
  - Probability of achieving KPIs
  - Key risks associated with KPIs
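As an added illustration of the first decision above (this is example code written for this page, not the author's model), here is a minimal Monte Carlo stress test of a cash flow model that returns the probability of a cash deficit and of breaking a covenant. It assumes a one-year horizon, monthly revenue drawn from a normal distribution, costs split into fixed and variable, and a single leverage covenant (debt / annual EBITDA); all the input figures are constructed.

```python
import random
from dataclasses import dataclass


@dataclass
class Assumptions:
    opening_cash: float          # cash at the start of the year
    revenue_mean: float          # expected monthly revenue
    revenue_sd: float            # monthly revenue volatility (normal, assumed)
    fixed_costs: float           # fixed costs per month
    variable_cost_ratio: float   # variable costs as a share of revenue
    debt: float                  # gross debt outstanding
    max_leverage: float          # covenant: debt / annual EBITDA must not exceed this
    months: int = 12


def run_path(a: Assumptions, revenues):
    """Walk one scenario month by month.

    Returns (lowest cash balance seen, annual EBITDA, covenant breached?).
    """
    cash = a.opening_cash
    min_cash = cash
    ebitda = 0.0
    for rev in revenues:
        month_ebitda = rev - a.fixed_costs - a.variable_cost_ratio * rev
        ebitda += month_ebitda
        cash += month_ebitda          # simplification: EBITDA is treated as cash
        min_cash = min(min_cash, cash)
    # Leverage is undefined or infinite when EBITDA is non-positive: count it as a breach.
    breached = ebitda <= 0 or a.debt / ebitda > a.max_leverage
    return min_cash, ebitda, breached


def stress_test(a: Assumptions, n_runs: int = 10_000, seed: int = 1):
    """Monte Carlo over revenue paths; returns the two probabilities the decision needs."""
    rng = random.Random(seed)     # fixed seed so the report is reproducible
    deficits = breaches = 0
    for _ in range(n_runs):
        revenues = [max(0.0, rng.gauss(a.revenue_mean, a.revenue_sd)) for _ in range(a.months)]
        min_cash, _, breached = run_path(a, revenues)
        deficits += min_cash < 0
        breaches += breached
    return {"p_cash_deficit": deficits / n_runs, "p_covenant_breach": breaches / n_runs}


if __name__ == "__main__":
    base = Assumptions(100.0, 70.0, 15.0, 40.0, 0.2, 300.0, 3.0)   # constructed figures
    print(stress_test(base))
```

Rerunning with a larger `revenue_sd` or a lower `opening_cash` is the "stress" part: the two probabilities, not a single point forecast, are what go into the financing and insurance discussion.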
A separate stream of work is culture and risk awareness. Humans are not inherently built for risk-based decision making, so it will take a lot of work to change attitudes and perceptions and to help management learn that openly discussing the effect uncertainty has on a decision pays off.
Anyway, whichever way you look at it, implementing ERM makes no sense. Prove me wrong in the comments below.
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
I do not agree … entirely. For me an ERM program is valuable as a tool for the CFO/CRO (and not many others). The purpose and value comes from the overview it provides, especially on externally driven risks and opportunities.
When focusing so very hard on linking risk management to explicit decisions, you risk (pun intended) employing horizontal (decision focused) silos rather than vertical (risk focused) – which to me is not an improvement, except for the fact that far too many decisions are taken without risk consideration at all, which is bad.
To me, an ERM program should be efficient as it is background only, and be based on maybe one week of effort annually – at most. Standard reporting should be auto-generated (any Monte Carlo tool enables this) – and focus drawn upon, what has changed … and how we leverage that. As such, I see ERM data as the DRIVER of decisions, which would not otherwise have been timely considered. That’s the value.
This is not proof, nor scientific … I still believe in it.
You seem to have a very narrow view of ERM; what you describe is done anyway when risk analysis is integrated into corporate strategy or the cash flow model or the annual budget (all 3 are examples of decisions in my mind). So basically I do what you describe anyway but never call it ERM, because I don't need a new name for it, nor is it what is considered ERM by consultants and auditors.
Hello, thanks for the post on ERM, it is always gratifying talking about different perspectives on the matter.
I believe what we're all doing is ERM, just using different approaches or words to call it. In essence we are speaking ERM (risk management) however we want to see it, approach it or implement it. I do not believe it matters too much using the word Enterprise, because everyone has to adapt their own models to their specific risk needs and budgets.
On the other hand, one risk can be important for management in the lower levels, but what if that risk does not have an important impact on the overall strategy of the company? Should we assign time and resources to that risk? Or should we help that manager into understanding the really important risks for the organization?
Hi Alex,
What you say is so true and many in the risk consulting community have known this for years. Qualitative COSO-style risk management is, as one client described, “just pub talk” with no measurable effect on organisations beyond ticking the risk management check-box.
However, organisations definitely sit up and take notice when risk assessments are backed up by real numbers especially big ones with dollar signs in front of them. Unfortunately, many risk managers are simply uncomfortable in the world of statistics and quantitative analysis and many quants are uncomfortable in the vague world of business plans and execution strategies.
The training of risk managers is hopelessly lacking in this area and is maybe the reason so few want to take your approach and back up their words with real numbers. I guess that’s for another article.
Totally. Although I am not convinced training is the solution, as unless someone in the risk team has a background and undergrad in statistics and corporate finance, training will not help them; risk analysis is just too complex.
Thank you Alex, you make a very good point, though a very confrontational way of bringing it across, thank you for this perspective. Is it fair to surmise that you have worked towards building a bridge between risk management and business? a way to have a CFO buy into risk management? Where could I get more information on the language you use for that bridge, what scientific methods do you use in bridging that gap?
Geert thank you, this blog is a good place to start, I have answers to most risk related questions
Alexei, I agree with you to a point. I loved the ERM program I built, but at some point it was deemed too… I know, but I can't write it. Bottom line: "The rest of the management and staff – don't give a sh@t… they couldn't care less, all they think about is what's in it for me and where is the money. Rightly so, let me add. Good luck selling the ERM message to them." I lifted the quote from the article because there was so much resistance when I tried to refine the process and find ways to make improvements. I hate the use of the word AUDIT, for it implies a universal standard, and with the exception of financial accounting standards (let's just stick with business) GAAP, SAP and Gov't accounting there are not many opportunities for universal auditing. If you stick to the words and you are creative, ERM can be very useful.
I don’t think there is any scenario in which ERM can be useful. People just have a Stockholm syndrome and continue to call good risk management, which has nothing to do with ERM, ERM ))