Successful enterprise risk management
There are a number of risk management professional associations. I am proud to have been made an Honorary Fellow of one, the Institute of Risk Management (IRM). Headquartered in the UK, but with members around the world, the IRM focuses on enterprise risk management and its successful practice.
I am not a member but have spoken at the conferences of the Risk Management Society (RIMS). I have great admiration and respect for its Director of Strategic and Enterprise Risk Practice, Carol Fox. Carol not only has an in-depth understanding of enterprise risk management in theory and in practice, but served on the US technical advisory group involved in the ISO 31000 global risk management standard.
RIMS has a broader membership than the IRM and covers more ground, perhaps because a great many of its members come from the ranks of insurance and safety, rather than ERM, professionals. However, I recommend the IRM for its focus on ERM, its training, and its certifications. (And no, I receive no compensation or other benefit for this recommendation.)
RIMS recently had its annual conference and a paper based on one of its sessions was covered in an article published in the journal of the IRM, RM Professional.
Successful Enterprise Risk Management is apparently sponsored by a software vendor although it suggests that it is an accurate portrayal of a presentation by “Jack Hampton, risk management author, thought leader, and Professor at St. Peter’s University, and Michael Leibowitz, Senior Director of Insurance and Enterprise Risk Management at New York University (NYU)”. I was not there, so I will take the author (who is unnamed) at his or her word.
The article starts well, with this statement:
“Organisations have long struggled to successfully implement an effective and robust ERM process that helps them capitalise on opportunities and manage the downside of risk.”[i]
What I have a problem with is the description of the “three critical pillars upon which any successful ERM process must rest: Advanced ERM Technology, Executive Support, and Enterprise-wide Engagement.”
The IRM summary describes these as “the correct people in your organisation, developing and effectively communicating your ERM value proposition, and utilizing innovative risk management software to create sustainable, repeatable processes that incorporate ERM as part of a business unit’s daily activities”. However, the paper that is referenced and published by the vendor puts risk management software first. So let’s address that first.
While I wholeheartedly support the use of technology in risk management processes, I would never place it first – or even third – as a pillar of successful risk management. As I have explained time and again, management is the one taking risks through their everyday decisions, their management and operation of the enterprise. A periodic assessment and review of risks is not effective risk management. It just enables management to say that they have ticked the risk management box.
Risk is managed effectively only when managers and other decision-makers take the right level of the right risks as they set and execute strategies, monitor performance, and make decisions.
Technology only helps if it is actually used, and if it helps these decision-makers make more informed, risk-intelligent decisions that increase the extent and likelihood of success.
However, there are strong indications that risk is being managed in a silo at the organization used as an example.
“As risk managers develop their ERM plan, they should build a consensus by engaging business units to look at the risks that have been identified. An effective ERM plan will help risk owners prioritise those risks that could have a greater impact on the organisation’s objectives and its business continuity.”
As I read this and the rest of the discussion, it becomes clear that the risk manager is identifying the risks (even to the point of defining them) and imposing them (my word) on operating management. The risk officer identifies the risks, explains them to management, creates and sends them the risk report (a dashboard), gets them to join the discussion and (hopefully) take action.
I find this damning:
“We send these reports to the executive risk owner, to the Steering Committee, and to the individual board committee responsible for that area to show the value of our ERM process.”
How about a risk management process whose aim is to help the organization succeed?
I will repeat my caveat. I have no certainty that this is actually what the speakers said or believe. However, if it is, I have to disagree.
For the management of risk to be effective, it has to be owned and operated by management and not by a siloed risk office. The risk practitioner can help, but management understands the organization and risks far better than any risk professional – and adds or changes risk with every decision.
When I see management considering risk, what might happen and how it might affect the achievement of objectives, not only on a periodic basis but every minute of every day, then I will concur that risk management is effective.
I welcome your thoughts.
[i] However, it then strays with this next sentence:
“All organisations face uncertainty, but the challenge they face is determining what amount of uncertainty to accept.”
I recognize that many like to think that they can change “uncertainty”, and that is what this sentence implies. But I suggest that while they can improve their perception of, and information about, what might happen, they cannot predict it with certainty. What they can do is take actions to modify the likely effect or consequences of what might happen.
It’s not about accepting uncertainty, it’s about accepting the potential effects of uncertainty (what might happen) and the likelihood of those effects.
That translates to what I refer to as “taking the right amount of the right risks”.
Yes, there is the argument that uncertainty is created by a lack of information. Well, no human in this world (or machine) can provide sufficient information to predict the future. All we can do is to provide more information and clarity about what we think the future is likely to hold. We can then act to modify its effects or consequences.