According to COSO ERM, “enterprise risk management” refers to the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Sounds not too bad.
In this article I will argue that doing this, or rather doing as COSO and most consultants and most best practices suggest, is actually bad risk management.
For the sake of this article I will not argue that ERM is actually an empty concept with no foundation is science and is primarily promoted by Big 4, IIA, software providers and some academics. This alone is enough to avoid the concept like plague, but let’s pretend we actually genuinely wanted to implement ERM. I will attempt to explain why it’s a bad idea and bad risk management.
Getting buy-in for ERM
ERM offers us a holistic, transparent view of the risks affecting the strategic goals, etc, etc. Sounds noble. Here is a catch. On one side we need all managers, board members and staff to buy in. On the other side we have this message of a greater good.
Now ask yourself who will buy into the message that ERM offers?
Audit committee – absolutely!
Board members – most definitely!
CEO – most probably…
The rest of the management and staff – don’t give a sh@t… they couldn’t care less, all they think about is what’s in it for me and where is the money. Rightly so, let me add. Good luck selling the ERM message to them.
Check out other risk management books
When I recently returned to a role as a CRO, I went with something much simpler and more appealing – probabilistic decision making. Without ever mentioning ERM I was selling different messages to different stakeholders: I talked about adding stochastic analysis to the budget with the CFO, with the head of strategy we talked about upgrading scenario analysis to MC simulations, with the head of investments we talked about running simulations instead of traditional sensitivity analysis, with the head of PMO we talked about SRA and CRA, with the head of commercial department we talked about his decisions and how we can make them probabilistic. Make no mistake, the management may still ignore the results of the risk analysis, but at least there is no longer any debate about the need to carry out risk analysis for important decisions.
The most common barrier to implementing ERM apparently is getting management buy-in. Well hopefully now you know why. It’s a totally made-up problem. No issue selling probabilistic decision making.
This is basic project management. Which project is less risky? A project where you try to implement organisation-wide holistic initiative or where you run multiple pilots making small changes one decision at the time? I feel weird even writing about it. It’s risk management 101. Start small, pilot test, get quick wins, scale up.
When risk managers start the ERM implementation they are literally shooting themselves in the leg. With even the best intentions, the organisation is just too complex, too volatile to implement an enterprise-wide project. Any enterprise-wide project. Don’t ERP systems take ages and cost millions? Now imagine doing a similar scale project without the budget. Insane.
As a returning CRO, I went the other way. I picked 5 decisions that would allow me to either save on insurance or reduce the cost of external financing through better probabilistic decision making and started implementing:
- Stress test the company cash flow model:
- The probability of positive cash flow / cash deficit
- Probability of meeting / breaking covenants
- Quantitative assessment of most strategic risks
- Stress testing changes in demand or supply
- Build a quantitative model for one of the insurance policies:
- Fair deductible
- Risk-adjusted limit
- Renegotiated premium
- Implement schedule and cost risk analysis into project management:
- Risk-adjusted project budget
- Risk-adjusted project schedule
- Risk management plan for a pilot project
- Integrate risk analysis into market forecasting:
- Probability of positive / negative price movements
- Forecasted changes in demand and supply
- Integrate risk analysis into performance management and KPI:
- Risk-based KPIs
- Probability of achieving KPIs
- Key risks associated with KPIs
A separate stream of work is culture and risk awareness. Humans are not inherently built for risk-based decision making, so it will take a lot of work changing attitudes, perceptions and helping management learn that openly discussing effect uncertainty has on decision pays off.
Anyway, whichever way you look it, implementing ERM makes no sense. Prove me wrong in the comments below.