This is a copy of the latest CompliSpace blog, originally published at http://complispace.wordpress.com/2012/04/04/10-reasons-why-your-enterprise-risk-management-program-wont-work/. Would love to get your feedback.
In our last blog post we boldly asserted “If You’re Not Practicing Enterprise Risk Management You Should Be”.
So it was with great interest that we came across an article in Risk Management Magazine titled “Is ERM Failing?”, which basically summarised the findings of a 2012 PwC report: while 74% of executives who responded to the survey had a formal Enterprise Risk Management process in place, only 45% said that they were comfortable with how well their most critical risks were being managed.
So this got us thinking. Is ERM failing? Well, we believe the answer to that question is a resounding NO. ERM works just fine, if you know what you are doing. The title of the Risk Management Magazine article really should be “Is Management Failing to Properly Implement ERM?” because that is the root of the problem.
So, to put our money where our mouth is, we thought we would scribble down our Top 10 reasons why ERM programs won’t work. And because we have already taken about 250 words just to position this blog, we are going to publish a blog series which gives more detail on each ERM problem area as we see it.
We are also asking for reader contributions so we can build out a definitive list, which may help others avoid falling into the traps of their predecessors. Once we have built out the list, for a bit of fun we will rank the Top 10 … or even Top 20 if we can get some social media interaction going.
So to get the party started here, in no particular order, are our Top 10 reasons ERM programs won’t work. As the blog series is published we will add hyperlinks to this blog so you will be able to link from each heading to another blog which contains a more detailed analysis of the issue raised.
No. 1 – Leadership & Culture – Simply put, enterprise risk management won’t work in an organisation that does not have a participative management culture that encourages open debate and allows individuals to raise risks without fear of retribution. Organisations that stifle debate and leaders who surround themselves with Emperor’s New Clothes style “yes men” are doomed to fail … eventually.
No. 2 – Excel Spreadsheets – We have been screaming about this issue for years. We wish we had a dollar for every organisation we have seen that has spent considerable time and energy running risk workshops and building frameworks, only to have all their risks end up on a static Excel spreadsheet (or worse, in a Word document) … and then, in a year or two’s time, work out that the whole ERM effort was an enormous waste of time and effort. Excel spreadsheets don’t work in an ERM context. Using GRC (Governance, Risk, Compliance) software is a must. The trick is to understand what to look for in GRC software. In our experience “expensive” does not equal “better”.
No. 3 – Compliance Focus – Many regulators now require organisations to implement risk management systems. Think financial services, AML/CTF, work health and safety, environmental impact statements, publicly listed entities. The problem, as we see it, is that many organisations have a very limited view of risk management, which derives from the fact that it was first introduced as a compliance necessity. Many executives in these organisations appear satisfied having thrown a few risks on an Excel spreadsheet (aka a “Risk Register”) and having a document titled “Risk Management Program”. In fact they will often have multiple risk registers (to satisfy different regulators), none of which talk to each other and none of which add any value to the organisation. Unfortunately the sense of satisfaction of these executives is often reinforced by regulators who rarely enforce their own risk requirements. By way of example, neither ASIC nor the ASX requires independent verification that an organisation’s risk program is actually working.
No. 4 – Common Risk Language – Without a clear and deep set of risk classifications that cover all of the types of risks that an organisation may face, it is a simple fact that most organisations will miss key risks and they will then probably end up building out a risk register minus the greatest risks the organisation faces. In this case your ERM program will be meaningless to your directors and key executives, and will be doomed to fail. In a later blog, we will explain how an organisation can use multiple risk languages to satisfy its desire to control both micro and macro risks.
No. 5 – Diamonds in the Sand – Ultimately, it will be the board of directors and senior executive team who determine whether or not they see any value in ERM. And you don’t have to be Einstein to work out that to get them engaged you need to provide a short but sharp (no more than 15-20) list of risks that are truly reflective of your organisation’s risk profile. These risks may be strategic, operational or financial. They may come from left field, or be derived from micro risk sources within your organisation. The challenge for those responsible for managing risk is to identify the “Diamonds in the Sand”. In our experience, the vast majority of organisations have not learnt the art of finding and delivering the diamonds.
No. 6 – Over Quantification – Pick up just about any text book on Enterprise Risk Management and somewhere along the way you will come up against a set of mathematical formulae that will make you feel inadequate. We know that maths geeks do, sort of, rule the world (think Google algorithms and hedge fund managers); however, when it comes to ERM there’s something the maths geeks can’t deal with, and that is … “people”. In our view, ERM is all about management and getting the right information into the hands of managers so they can make the right decisions. You can do it without having a PhD in maths.
No. 7 – The Chasm Between Risk Practitioners & GRC Software Vendors – Has anyone else noticed the chasm between risk management practitioners (consultants and internal resources) and GRC software vendors? The usual scenario is that the practitioner is called in, runs a workshop and develops a risk framework, a risk register and a flashy heat map, without reference to how the framework will actually work on an ongoing basis, which includes linking with internal control and incident management systems. The organisation then approaches GRC vendors to make the system come alive. GRC vendors sell systems. They will give you training on how their system works. However, they will presume that you have all the necessary content, skills and expertise to automate your paper-based system. In our experience, for ERM to work effectively, the risk framework needs to be designed and documented with the GRC software solution front of mind.
No. 8 – Vision, Planning & Silos – This is pretty much the difference between the old Australian Risk Management Standard AS/NZ 4360 and the ISO 31000 International Risk Management Standard. Whereas AS/NZ 4360 focused purely on the seven-step risk management process, ISO 31000 makes it clear that for the Risk Management Process to work it needs to be developed within an ERM framework, and this framework requires, up front, a clear mandate and commitment from directors and senior executives within an organisation. Unfortunately, organisations often attempt to build risk systems without really understanding their ultimate goal in terms of return on investment (ROI). Without clear vision and planning, they end up with what we call “Shanty Town Governance”, which is reflected in organisations that have multiple risk-based programs (e.g. ERM, Business Continuity, Workplace Safety, Fraud Control, AML/CTF) which have been built on a standalone basis. With clear vision and planning, organisations will invest and persist in developing an ERM program which will deliver ROI in spades. If you want a detailed explanation of the differences between AS/NZ 4360 and ISO 31000 you might want to read our 2010 blog “The New International Risk Management Standard AS/NZ ISO 31000 – What You Need To Know”.
No. 9 – Linking Strategic Objectives – ERM is all about enabling directors and executive managers to effectively predict future events, and prepare their organisations for the impact of these events. ERM will not add value unless it is clearly linked to the strategic goals and objectives of your organisation. After all, it is your strategic goals and objectives which dictate the future direction of your organisation and provide guidance as to the likely source of key risks.
No. 10 – Risk Articulation & Granularity – The art of properly articulating risks is rarely mentioned; however, it is a major point of confusion, and ultimately of ERM failure, in many organisations. At a basic level we often see risk registers where the described risk is actually a consequence. In others, the description of the risk is simply a statement which does not describe a particular risk event and therefore is not capable of being analysed in terms of likelihood and consequence. Then we have the issue of granularity. Organisations often get bogged down in micro risks, or conversely only articulate a handful of macro risks. Getting the balance right will depend on the nature and complexity of the organisation.
And finally…
Some more problem areas to think about: poor visibility and integration of internal policies and procedures, poor internal communication of risk, lack of internal risk training for directors and executive managers, poor understanding of risk maturity concepts.
Hopefully organisations that are either in the process of implementing an ERM program, or are not comfortable with how their ERM programs are performing, will find some food for thought in this blog. For risk practitioners reading this, please send us through your comments and ideas.