The Current State of Risk Oversight: Useful or Useless?
For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.
In February, they published the 8th edition of their report.
I have covered their reports in the past, highlighting:
- According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
- They don’t provide detail on what they consider constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
- It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.
There is some useful information in the report.
But does it add value to continue to focus on practices that don’t work?
All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.
Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”
When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?
When you think that risk management needs to be “integrated” with strategic planning instead of acknowledging that strategic planning already includes the consideration of what might happen and what we should do about it, I think you are wrong.
Effective strategic planning is not a separate activity from strategic risk management!
So, is this report useful or useless?
Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?
Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?
Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.
We need practices that will:
- Inform and enable more intelligent decisions
- Increase the likelihood and extent of success
Right or wrong?
I welcome your thoughts.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Reblogged this on RISK-ACADEMY Blog and commented:
Indeed
You are right. But lets move onto why this situation exists which people do not like acknowledging. The regulators are happy because they have passed risk management responsibility over to directors. Directors are happy because they have got a fuss free and clear approach that allows them to say they have met their risk management governance responsibilities. Consultants (most, not all) are happy to keep selling risk management software and services that support risk registers (for bigger firms suits their business model). Auditors (internal and external) are happy because if they have to validate the risk management framework, they have something explicit to latch onto. And management are happy so long as directors are happy and they (along with directors) are getting (or think they are getting) the information they need to run the business from their normal business processes. Everyone is happy with the current state of play. This is why nothing has changed and will change. It is frustrating and has made a joke of the risk management discpline. Given what I have said, will fiddling around with words in ISO 31000 or COSO help?. Am not sure it will. The Malaysian Code on Corporate Governance and the supporting advice to it already mentions integrating risk into processes but then it goes off mentioning explicit practices in more detail (panel advising them features a number of Partners from Big 4). We need to get the regulators to understand what real risk management is and then get words written accordingly. It then requires a transformation in thinking from all concerned. But is this in everyones interests?. There could be doubt about whether directors really are oversighting a robust risk management framework etc. Rgs
Low to no value as it relates to managing strategic risks. Good discussion, Norman, but we have been grinding the issue at this level for years.
How do we step the discussion up a notch or two?
Keep up the good work.
if they acknowledge it there will be no need for risk managers as they usually are, and a bunch if people at regulatory bodies who write all those standards!
Norman, while I agree that executives are not seeing the value of risk management in strategic planning, I wonder if part of it is due to risk professionals not having the knowledge of *how* to integrate risk with strategy. If risk professionals don’t know how, they can’t communicate appropriately with executives or the board. So nothing ever changes.
I have some ideas on this – that project I am working on. We will see how it progresses.
Cheers,
Carol
All in all I agree with your “practices need” statement. However, nothing in the ERM world is that simple. Academia is good as a “food for thought” provider, but not in leading action as “the real world” is never the same as academia’s “perfect world”. The Enterprise Risk Management Initiative is probably the best effort in academia in understanding not only the need for ERM, but also the challenges that ERM practitioners encounter every day. Therefore your perception of their efforts, while insightful and probably justified, might be a little harsh. At least the ERMI is trying to refocus the discussion.
Risk is risk, and in a true ERM environment there must be a common ERM vocabulary and process. Therefore, in order to confirm in “official” documents (or to one’s owners) that one has an enterprise risk management program, one has to accept this concept. Probably the biggest issue is the “checking the box” issue you raised. In my opinion instead of a checking the box exercise, the ERM question should be been a discussion point in both the company’s compliance statement and, for publicly traded companies, in the audit report. Everyone knows it is easier to just check a box, than to have to explain a program.
Yes, the traditional “risk register” is (and always has been) a relatively useless document since it is a list without reference and discussion of preventive measures. An ERM matrix with risks, definitions, processes, measurement and scoring is a much better document. This is the document that auditors and regulators should be requesting.