
What is the state of ERM? A new study sheds a little light

One of the studies I have referenced for a few years has been updated. The ERM Initiative at North Carolina State University has released the 7th edition of The State of Risk Oversight: An overview of risk management practices.

The principals at the ERM Initiative, Mark Beasley in particular, have been active in the ERM area for a number of years. From what I can tell, they have been primarily associated with and involved in the COSO view of risk management rather than that of ISO (the 31000:2009 global risk management standard).

I have been using a sad statistic from the 2010 edition of this publication, which reported that only 3.4% of respondents believed their risk management program was “fully mature”. This number is essentially unchanged at 4% (the latest edition is based on responses to a survey in 2015).

However, respondents are not given a definition of “fully mature”, or at least the report does not provide one.

Instead, respondents define for themselves what a “complete” risk management program entails (another survey uses this as the highest level of risk management maturity) or when it is fully mature.

From what I can see, COSO ERM goes further than the ERM Initiative surveys. The survey asks how frequently the list of top risks is reviewed and how often it is updated (very few indeed do it monthly or better). But it doesn’t ask whether the consideration of risk is embedded into decision-making across the organization, which COSO ERM does. Nor does it address whether risk management “helps an organization get where it wants to go” – another COSO ERM statement, which recognizes that risk management is about more than avoiding hazards and threats.

So what are we to make of this?

There seems to be growing pressure from boards and regulators to improve risk management practices, and there is every reason for them to be concerned at the current state! Yet, little progress is being made. 4% self-report that they have fully mature risk management, with larger companies (revenues greater than $1bn) at 9%.

Will this study make a difference?

I doubt it.

The emphasis has to move towards whether, as Deloitte has said, risk management is helping an organization set and then achieve its strategic goals.

Focusing on risk management as a silo, separated from the effective management of the organization as a whole, is not going to persuade boards and executives (the latter are clearly reluctant to invest in what they see as a compliance activity) to move the practice forward on the grounds that it is an essential element of informed, intelligent decision-making.

Let’s start talking about effective management that includes risk management.

When will we get a survey on that?

  1. Kaya Kwinana
    April 17, 2016 at 6:29 AM

    “I have been using a sad statistic from the 2010 edition of this publication, which reported that only 3.4% of respondents believed their risk management program was “fully mature”. This number is essentially unchanged at 4% (the latest edition is based on responses to a survey in 2015).”

    The really sad thing about this from an internal audit point of view is that, quite obviously, internal auditors have failed to implement the 2100 injunction that “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”

    The focus on so-called “top risks” is also saddening as is, benign though it seems, Deloitte’s reference to just strategic goals!

    Mature risk management practices focus on the whole spectrum of governance, risk management, and control PROCESSES throughout an organisation.

    One day organisations will wake up to the truth that the “risks that matter” narrative is the source of their problems.

  2. Richard Fowler
    April 18, 2016 at 5:25 AM

    Kaya has a good point. I’ll focus on Norman’s statement that “The emphasis has to move towards whether, as Deloitte has said, risk management is helping an organization set and then achieve its strategic goals.”

    I’m not sure that’s the right emphasis. We all know that aspects of risk management are used in decision making all the time, whether it’s the decision to pass the car in front of us or to select what we’re going to eat for lunch or to determine if a merger is the optimal means to grow a company. Deloitte’s statement is confusing risk management processes with formal risk management techniques. They are not mutually exclusive, nor are they the same.

    Risk management processes – the understanding that there are risks that can lead to either gains or losses and how those risks can be assessed and addressed – can be implemented across a company without having a formal risk committee or a fully documented ERM framework. I also think that the focus on enterprise risks is being overemphasized. By definition, enterprise risks are those risks that would impact the entire organization. The impact of an enterprise event becomes a constant, and the only variable becomes the likelihood – and that’s a very difficult number to accurately determine.

    On the other hand, looking at risks to key functional processes can help assure that the current strategies are being implemented and current company goals are being met. This would be an operational risk assessment rather than an enterprise risk assessment, and can be just as valuable (if not more so) to the company. And a risk management process functioning at a maturity level of 2 or 3 may be every bit as effective as a fully implemented COSO ERM framework operating with a maturity level of 5 (assume a generic maturity model with levels 1-5).

    • Norman Marks
      April 18, 2016 at 7:21 AM

      Richard, I just want to address one of your points – and thank you for your thoughtful

      I have seen multiple situations where management of local operations have different priorities than those at corporate. Local management is keen to invest in this or that, while corporate management sees better use of the funds. Local management wants to take certain actions that are seen by corporate as conflicting with enterprise values.

      I agree that risks to local objectives are important, but only when they are consistent with and essential to the achievement of enterprise objectives.

      The trouble is that many simply look at local objectives and risks to their achievement without subjecting them to the test of whether they are in fact critical to the enterprise.

      I would not want to put internal audit resources on an engagement that is not essential to the enterprise, even if local management sees it as critical to their operations.

      I like to use the term “sources of risk”. This recognizes that the source of risk to an enterprise objective is often several layers deep.

  3. Richard Fowler
    April 18, 2016 at 8:04 AM

    You make a very good point, Norman. In far too many cases, local business units fail to align themselves with the corporate strategy or mission. This can put risk managers and internal auditors into an interesting dilemma – if we note a difference between the local strategy and the corporate strategy, who is the responsible party? Is it local management for misunderstanding the directives, or is it corporate management for not being clear and for not providing oversight?

    My first audit job was with a multi-state bank, and one of our regular tasks was branch audits. We could easily identify process weaknesses, but we were also very much aware that the risk to the bank from any individual branch was negligible. Any branch could be emptied of guards and left with the vault doors open, and the resulting loss would not be noticeable on the corporate balance sheet. From an enterprise perspective, this was a low risk audit and should not be performed.

    However, it was important for branch management to know that they were not just numbers, that they were important to the corporation. Branches are the face of the bank that customers see and are highly responsible for the reputation of a bank. We did not audit the reputation or customer service, but our audits helped assure that reputation risks were being mitigated. This was not part of the scope or objective of a branch audit, but it was part of the corporate audit strategy for including branches in the audit plan.

    This is one example of many that illustrate why I am still keen on operational and financial audits of local processes. Not to the exclusion of enterprise risks, but in addition to them. All politics are local, as the saying goes. That’s often true of critical enterprise operations as well.

    • Norman Marks
      April 18, 2016 at 8:11 AM

      Richard, I would argue that the loss of cash is a significant risk to the enterprise, not only because of the material loss but because of the reputation damage. However, the source of the risk is at the many branches. So an audit of a sample is justified.

      In my book, I talk about procurement of materials being a critical risk at Solectron. However, the source of the risk was in the procurement functions at the major facilities. We audited the risk there, but with our eye on enterprise materiality and the opportunity to identify best practices, sharing opportunities, etc.

  4. April 18, 2016 at 8:30 AM

    I think of risk in the three COSO buckets: Financial Reporting, Legal/Regulatory, and Strategic/Operational. The first two are fairly easy. The third should be integrated with strategic planning and budgeting, so those planning exercises generate the top risks to the organization, directly linked to the goals. A scatterplot of likelihood and magnitude for the top 10 plus action plans for each, with status tracked at quarterly ERM meetings, should do the trick.

    But among the reasons ERM is incomplete is that it misses two key elements. One is from Peter Drucker in his article called “The Theory of the Business.” The assumptions underlying how the business fits with its environment (e.g., every day low prices vs. high/low pricing in retail) must be made explicit and periodically challenged.

    Another is from Ben Bernanke’s analysis of the crisis, where he talks about vulnerabilities and trigger events or shocks. Fixing vulnerabilities should be the major work of risk management, such as automating interfaces between operational and financial systems and reducing the number of operational systems or instances. Another is getting data into warehouses for easy access. Anticipating shocks, which humans aren’t very good at, should be secondary to making the organization more resilient by addressing its vulnerabilities.

    So ERM + Drucker + Bernanke is a good model.

  5. shoaib
    April 19, 2016 at 3:45 PM

    Good strategic planning together with execution planning encompass risk management techniques like SWOT and PESTLE. It’s completely business as usual.

  6. April 20, 2016 at 6:00 PM

    Is it possible that after all this time, the reason why only 3.4% think themselves mature (whatever that means) is that we have been doing this thing called risk management all wrong?

    If the true and only purpose of risk management is to support decisions, is it possible that all the paraphernalia and numerous confections risk people now deploy (including three letter acronyms like ERM and whacky ideas like ‘risk appetite’, ‘risk culture’ and ‘risk maturity’) have actually had the opposite effect to what is intended? If what we are doing with ‘risk management’ is to help decision makers, the true ‘end user’, should we not view the world through their eyes and avoid the sort of complex language and concepts which even we in the risk profession cannot agree on? Indeed, is risk itself becoming too risky?

    Clearly while the COSO ERM bandwagon has generated a great deal of income for consultants and auditors since 2002 and the parallel ISO 31000 (and its predecessors) has done the same, patently these standards and all the brouhaha that surrounds them have failed to significantly improve the way organisations understand and respond to uncertainty in the context of their ultimate purposes, their objectives.

    Maybe it’s time for a fresh approach that ditches the confusing words ‘risk’ and ‘risk management’ and ‘control’ and which uses simple unambiguous language and concepts that normal humans can relate to.

    • Norman Marks
      April 20, 2016 at 7:08 PM

      Grant, the choir yells “amen”. We need to help management understand the value in addressing uncertainty and its effects on their personal and collective success. We are talking about how they decide on a vision, objectives, and strategies, then execute on them through informed and intelligent decisions. As long as we talk about risk and they talk about results, the gap will persist. They won’t invest in or learn to consider what might happen unless they believe it will make them successful.

    • April 22, 2016 at 3:23 AM

      Grant, Norman, I think we need to be careful about throwing out the baby with the bathwater! The words ‘risk’, ‘risk appetite’ etc are perfectly acceptable in an environment which understands them. Accountants haven’t ditched the words ‘credit’ and ‘debit’ just because management don’t understand double entry book-keeping; they just use words such as ‘income’ and ‘expenditure’. I don’t think internal auditors would be happy about losing the word ‘control’.

      I would agree with your underlying argument that risk managers need to talk in the language that management can understand (Norman’s reply above), although I’m not too sure that talking about ‘uncertainty’ helps either, since management seem to want ‘no nasty surprises’.

      If we want to ditch one term can it be ‘risk manager’, since they don’t manage risks?

  7. April 22, 2016 at 5:57 PM

    Who cares if risk managers understand risk (and in my experience many don’t) or auditors understand control (is it a noun or a verb?) let alone ‘internal control’. The point is that the end users, our customers, don’t. How can what we do be relevant if our customers think the concepts we use are alien to their way of thinking?

    • Richard Fowler
      April 25, 2016 at 4:44 AM

      Grant, that seems to be like saying the patient needs to understand the difference between the H1N1 and H1N3 virus before the doctor can treat the disease. No, whether our customer understands exactly what risks or controls means to us is not relevant to them being effectively managed. I have seen many instances where a good manager has an intuitive understanding of risks and has been managing them well; likewise with managers and controls.

      It does fall to us as risk managers and internal auditors to explain our jobs and our objectives to management so they not only understand what we want from them but also to alleviate any anxiety over why we are asking them questions. And hasn’t that always been the case?

  8. April 27, 2016 at 1:28 AM

    This rather sad conclusion is due to most ERM reporting being based on an assessment metric… usually red, amber and green. Stating the obvious… you can’t aggregate and compare colors. An effective ERM system needs meaningful risk measurement so maybe these surveys are telling us that it’s time we looked at alternative risk measurement techniques.

    A concept already used in risk management expresses risk in the form of inherent risks (maximum possible loss) and residual risks (probable loss). If these can be consistently and reliably measured and aggregated across the horizontal and vertical dimensions of the enterprise they could provide the basis for an enhanced ERM system that will engage management.

    One method of achieving this is to define a new additive risk metric through which all forms of risk can be expressed and aggregated. A possible solution is described in http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2726638. The proposed new metric is the ‘Risk Unit’ or ‘RU’. A discussion of inherent and residual risks based on the RU starts on page 25 and a description of its method of calculation starts on page 28.

  9. John Fraser
    May 9, 2016 at 8:10 AM

    Some blame must reside with internal audit functions who do not ask for or report the lack of risk assessments for EVERY audit they do. One of the first things an internal auditor should do on starting an audit, be it of a department, process or project, is to ask for the risk assessment. If none has been done this should be raised with senior management and the audit committee until doing these becomes part of the organization’s standard processes.
