This article was initially published by Tim Leach in our LinkedIn Group: https://www.linkedin.com/groups/3701313/
ChatGPT is unequivocal - objective-centric ERM/internal audit outperforms. Why aren’t more adopting it? I asked Chat.
ChatGPT: “Here are the top 10 reasons companies resist transitioning from risk list ERM and legacy internal audit methods to a forward-looking, objective-centric focus on assessing and managing the effect of uncertainty on mission critical objectives:
1. Deep Organizational Inertia
Legacy ERM and audit methods are entrenched in policies, training, technology, and mindsets. Change requires effort, unlearning, and often institutional disruption—something many leadership teams avoid.
2. Compliance Mindset Dominance
Boards and executives often confuse regulatory compliance with effective risk oversight. Risk registers and audit deficiency reports feel “safe” and defensible—even if strategically unhelpful.
3. Fear of Accountability for Objective Failure
Objective-centric ERM exposes risk ownership and clarity on who is accountable for managing risk to major objectives. Many prefer the ambiguity of risk lists to avoid scrutiny.
4. Comfort with Existing Roles and Silos
Internal audit, risk, compliance, legal, and operational groups have carved out comfortable, siloed roles. A shift would require integration, collaboration, and possibly loss of turf.
5. Board and C-Suite Lack of Understanding
Directors and many executives aren’t trained to oversee ERM in an objective-focused way. They accept risk lists and red/yellow/green dashboards without questioning if they help ensure objective achievement.
6. Inadequate Incentives to Change
There is no regulatory or market pressure forcing organizations to move toward better-integrated, outcome-focused risk oversight. Without consequences or incentives, many stick to the status quo.
7. Audit Committee Overreliance on Deficiency Reporting
Audit committees often value legacy internal audit’s control deficiency reports as “proof of assurance,” even though it may demoralize managers and miss risks to mission-critical objectives.
8. Perceived Complexity and Resource Demands
Transitioning to objective-centric ERM is seen as complex. Leaders assume it will require expensive systems, retraining, and additional staff—even though it often streamlines processes and improves decision-making.
9. Lack of Clear External Guidance or Mandates
Standards like COSO 2017 hint at objective-centric ERM, but most consultants and regulators still accept checkbox ERM and list-based audits as adequate. There's little clear, enforceable direction.
10. Psychological Biases and Blind Spots
Leaders may genuinely believe their current systems are effective due to confirmation bias, familiarity bias, or fear of change. It’s difficult to accept that foundational practices might be doing harm.”
TL: Boards are responsible for overseeing ERM/IA. Boards should be briefed and consciously decide on BOARD'S PURPOSE; and what info they need from MGMT/risk/IA. Regulators - stop legislating ineffective/harmful ERM/IA methods.