
Successful enterprise risk management

October 31, 2015

There are a number of risk management professional associations. I am proud to have been made an Honorary Fellow of one, the Institute of Risk Management (IRM). Headquartered in the UK, but with members around the world, the IRM focuses on enterprise risk management and its successful practice.

I am not a member but have spoken at the conferences of the Risk Management Society (RIMS). I have great admiration and respect for its Director of Strategic and Enterprise Risk Practice, Carol Fox. Carol not only has an in-depth understanding of enterprise risk management in theory and in practice, but served on the US technical advisory group involved in the ISO 31000 global risk management standard.

RIMS has a broader membership than the IRM and covers more ground, perhaps because a great many of its members come from the ranks of insurance and safety, rather than ERM, professionals. However, I recommend the IRM for its focus on ERM, its training, and its certifications. (And no, I receive no compensation or other benefit for this recommendation.)

RIMS recently had its annual conference and a paper based on one of its sessions was covered in an article published in the journal of the IRM, RM Professional.

Successful Enterprise Risk Management is apparently sponsored by a software vendor, although it suggests that it is an accurate portrayal of a presentation by “Jack Hampton, risk management author, thought leader, and Professor at St. Peter’s University, and Michael Leibowitz, Senior Director of Insurance and Enterprise Risk Management at New York University (NYU)”. I was not there, so I will take the author (who is unnamed) at his or her word.

The article starts well, with this statement:

“Organisations have long struggled to successfully implement an effective and robust ERM process that helps them capitalise on opportunities and manage the downside of risk.”[i]

What I have a problem with is the description of the “three critical pillars upon which any successful ERM process must rest: Advanced ERM Technology, Executive Support, and Enterprise-wide Engagement.”

The IRM summary describes these as “the correct people in your organisation, developing and effectively communicating your ERM value proposition, and utilizing innovative risk management software to create sustainable, repeatable processes that incorporate ERM as part of a business unit’s daily activities”. However, the paper that is referenced and published by the vendor puts risk management software first. So let’s address that first.

While I wholeheartedly support the use of technology in risk management processes, I would never place that first – even third – as a pillar of successful risk management. As I have explained time and again, management is the one taking risks through their everyday decisions, their management and operation of the enterprise. A periodic assessment and review of risks is not effective risk management. It just enables management to say that they have ticked the risk management box.

It is only when managers and other decision-makers take the right level of the right risks as they set and execute strategies, monitor performance, and make decisions.

Technology only helps if it is used and helps these decision-makers make more informed and risk-intelligent decisions that increase the extent and likelihood of success.

However, there are strong indications that risk is being managed in a silo at the organization used as an example.

“As risk managers develop their ERM plan, they should build a consensus by engaging business units to look at the risks that have been identified. An effective ERM plan will help risk owners prioritise those risks that could have a greater impact on the organisation’s objectives and its business continuity.”

As I read this and the rest of the discussion, it becomes clear that the risk manager is identifying the risks (even to the point of defining them) and imposing them (my word) on operating management. The risk officer identifies the risks, explains them to management, creates and sends them the risk report (a dashboard), gets them to join the discussion and (hopefully) take action.

I find this damning:

“We send these reports to the executive risk owner, to the Steering Committee, and to the individual board committee responsible for that area to show the value of our ERM process.”

How about a risk management process whose aim is to help the organization succeed?

I will repeat my caveat. I have no certainty that this is actually what the speakers said or believe. However, if it is, I have to disagree.

For the management of risk to be effective, it has to be owned and operated by management and not by a siloed risk office. The risk practitioner can help, but management understands the organization and risks far better than any risk professional – and adds or changes risk with every decision.

When I see management considering risk, what might happen and how it might affect the achievement of objectives, not only on a periodic basis but every minute of every day, then I will concur that risk management is effective.

I welcome your thoughts.


For more on my thoughts, see World-Class Risk Management and consider joining me for a risk conversation.



[i] However, it then strays with this next sentence:

“All organisations face uncertainty, but the challenge they face is determining what amount of uncertainty to accept.”

I recognize that many like to think that they can change “uncertainty”, and that is what this sentence implies. But, I suggest that while they can increase their perception and information about what might happen, they cannot predict it with certainty. What they can do is take actions to modify the likely effect or consequences of what might happen.

It’s not about accepting uncertainty, it’s about accepting the potential effects of uncertainty (what might happen) and the likelihood of those effects.

That translates to what I refer to as ‘taking the right amount of the right risks’.

Yes, there is the argument that uncertainty is created by a lack of information. Well, no human in this world (or machine) can provide sufficient information to predict the future. All we can do is to provide more information and clarity about what we think the future is likely to hold. We can then act to modify its effects or consequences.


  1. Gregory Sosbee
    October 31, 2015 at 9:36 AM

    “How about a risk management processes whose aim is to help the organization succeed?”

    That is Job 1. Acceptance will take time as internal silos have to be removed.

  2. Richard Fowler
    November 1, 2015 at 1:17 PM

    Norman, I agree with most of your assessment. However, one point you make in your footnote is (to my mind) incorrect. As we develop risk mitigation plans, we should not accept the uncertainty at all. There are activities that can reduce the likelihood of some events. Yes, we have to accept the existing likelihood of hurricanes and earthquakes – nothing we do will change those probabilities. But for the risk of an ethics failure, supply chain failure, safety failure, etc., we can take actions that reduce their likelihood much more easily than we can reduce their impact. Both aspects of risk should be addressed to the furthest extent possible as part of effective risk mitigation.

    • Norman Marks
      November 1, 2015 at 1:39 PM

      Richard, I did not mean to imply that you can’t change the likelihood of an impact. Certainly you can. What I meant is that you have to accept that there is always a measure of uncertainty.

  3. Lalit Dua
    November 2, 2015 at 2:55 AM

    Though corporate vision and objectives are defined by stakeholders and key management, they should percolate down to operating-level staff in a very efficient way. In the same way, in my view, the risk assessment exercise should follow a bottom-up approach. The operating staff are the ones who translate vision into reality and hence are more hands-on regarding limitations, obstacles, risks, etc. Not only this, they can provide valuable data and detail to define effective and implementable mitigation plans. This is one approach to make ERM processes effective.

  4. November 2, 2015 at 12:10 PM

    Here’s another article that considers that risk management should identify risks and internal audit should verify they are doing this (point 6). Unfortunately it comes from the UK institute. http://auditandrisk.org.uk/features/adapt-or-disappear-internal-audit-must-lead-the-way-to-navigate-disruption?mc_cid=9bdfa8787c&mc_eid=45af4665fa.

  5. November 2, 2015 at 12:20 PM

    We have developed World Class Enterprise Risk Management (ERM) training. Our training starting point is the Board of Directors, followed by the C-Suite, and it trickles down to the staff level. We recommend a Risk Committee which should operate under a formal mandate and report to the Board. A well thought out Risk Committee Mandate will address the issues discussed above. There is no “cookie cutter” approach which we as ERM professionals can develop. The COSO 2013 Framework has a section on Risk Management. Principle 6 addresses “Reporting Risk” and principle 8 addresses the risk of Fraud. We also have principle 11, which addresses IT Risk. The 10k filing item 1(a) discloses risk factors. These are developed by the Disclosure and Risk Committee of most organizations. As we can see, ERM is an area that involves all facets of an organization.

  6. Steve Stich, Chief Risk Officer
    November 2, 2015 at 2:40 PM

    I have heard way too many organizations create risk boards or third party assessments (both internal and external) for business unit assessments and then feed risks back to the business unit. Although it sounds good, and may provide an answer to the BOD that a risk assessment has been completed, this approach will ultimately fail as the ownership of threats and opportunities MUST come from and be dealt with by the business unit.

    We have been doing ERM since 2002 and ‘software’ is the last item of import in ERM. Leadership commitment (C Suite and BOD) must be the starting point. Business unit engagement where ‘they’ identify the threats and opportunities AND develop response plans that are integrated into their strategic goals/plans is the next major hurdle.

    “KEEPING IT SIMPLE” (both tools and process) so that the business unit can accomplish the assessment and response planning is key to long term ERM success and organizational maturity. “IF” the chief risk officer can generate consistency, continuity and competence in the process/tool(s), he/she has done the bulk of the ERM program foundation work. The balance is being the mentor/coach/cheerleader for business unit efforts.

  7. Javed Iqbal Khan
    November 4, 2015 at 11:26 PM

    Yes, risk is handled / tackled by management; a practitioner can help with independent analysis, since practitioners analyse the matter independently; the practitioner sensitizes management to aspects that might have been overlooked or not properly examined or addressed in the pursuit of objectives.
    Decisions need to be made even in the face of uncertainty; but management expertise / acumen is equally important in projecting outcomes of actions, whether made on the basis of the required level of information or less than that. Practically, a practitioner’s job is to insist on the required level of effort, the right methodology, handling by competent staff, and if possible, flagging over-ambitious targets as well as unsubstantiated projections.
    My experience is that many targets / objectives are missed by the public sector in the developing world because of an absence of risk management practices or a less than required level of robust practices / services.

  8. David Beer
    November 9, 2015 at 9:29 AM

    Norman, I support all your observations.

  9. February 17, 2016 at 10:23 AM

    Folks, I need your help. Is it really necessary to use all these types of software (like in this list http://enterprise-riskmanagement.com/enterprise-risk-management-software/) to predict and warn of risk for enterprises? Or is this just another way for software development companies to earn some money?

    • Norman Marks
      February 17, 2016 at 11:04 AM

      It all depends, Alex, on the risk and the context. You need to take each one and ask how you will know when the risk changes.

      By the way, it’s a pretty poor list!

      • February 17, 2016 at 11:09 AM

        Ok, thank you, Norman!

        It is hard to choose even one from 10 to use in my company. So I can’t even imagine how I could pick one from a bigger list :)
