The Current State of Risk Oversight: Useful or Useless?
For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.
In February, they published the 8th edition of their report.
I have covered their reports in the past, highlighting:
- According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
- They don’t provide detail on what they consider constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
- It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.
There is some useful information in the report.
But does it add value to continue to focus on practices that don’t work?
All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.
Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”
When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?
When you think that risk management needs to be “integrated” with strategic planning instead of acknowledging that strategic planning already includes the consideration of what might happen and what we should do about it, I think you are wrong.
Effective strategic planning is not a separate activity from strategic risk management!
So, is this report useful or useless?
Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?
Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?
Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.
We need practices that will:
- Inform and enable more intelligent decisions
- Increase the likelihood and extent of success
Right or wrong?
I welcome your thoughts.