Time to wake up to risk reality
This is a post about news we should have known for a long time.
It’s time to recognize the truth about risk management.
For 11 years, the ERM Initiative at North Carolina University has surveyed executives (this year they were again all financial executives) about what they call “the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape”.
On April 1st, they published the 2020 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 11th Edition.
It is jarring to see how the authors continue to ask the wrong questions.
Consider how the Journal of Accountancy wrote about the study. This is their lead observation about the results of the study:
While concerns about risk, even before the virus outbreak, have not subsided, fewer finance executives were finding strategic value in their risk management processes. In 2016, 20% of respondents said they believed that risk management mostly or extensively provides strategic value. In the most recent survey, the number was 17% — a small drop, but still the third consecutive year of one-percentage-point declines.
Note that the survey says ONLY 17% BELIEVE RISK MANAGEMENT PROVIDES STRATEGIC VALUE.
These are finance executives and you would expect more of them to see the value, if it existed, than other in the executive suite. In many cases, they are responsible for the risk management function! Other surveys have reported much lower numbers, such as that by Deloitte. In fact, the numbers are declining even as people get, arguably, more sophisticated.
Yet, the authors of the study persist in talking about the maturity of a program that, where it exists, is not seen as adding strategic value! They have this damning point sixth on their list of key findings.
Ask yourself why so many companies are not investing the resources and attention to bring their risk management program up to what the authors reference as mature.
I believe that executive teams are failing to invest in fully mature ERM programs and directors are not discussing the results of such a program because it is separate from how they run the organization for success. That is clear when risk discussions are distinct, even with different people, from strategy and performance discussions.
Practitioners and board members, ask each of your executives whether risk management at your organization is providing significant strategic value, whether it makes a marked and important contribution to the development and execution of strategies and achievement of success.
If they say no (or fail to enthusiastically say yes), ask why not. Listen and then make sure they get what they need.
If they say yes, make sure you are asking them about whether risk management contributes to their decision-making and success, not about whether it has ‘value’. It should have value, even if it’s limited to satisfying the regulators and avoiding (some) harms. If they continue to say yes, then celebrate and tell us all what you did different.
Yes, there are areas where traditional risk management is the right thing to do. For example, it is essential in project management, safety management, and the management of a financial portfolio. But putting together a list of top risks for the organization as a whole and the idea that you need to manager risks should be something done to satisfy the regulators, not how you run the business.
As for academics and consultants, PLEASE STOP preaching what doesn’t work, traditional risk assessments and reporting. START understanding what leaders of the organization need and how it can be provided efficiently and effectively. How can so-called risk practitioners help the organization increase the likelihood of success?
Where do you stand?
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Human nature tends toward upside, in business at least. So there are more lottery sales than hedge buys.
So, Robert, when is one better than the other and where does ERM fit?
More to the point, do you agree or disagree with my post?
Quite agree with the post — timely and true. Alas, people too often take the easy way.
Our job is to advocate for more creative perspective, on the upside potential in risk management.
I believe there’s great opportunity. Start with the idea there are no black swans, only unrecognized correlations. Look up from attrition losses to the big event.
First seek ways to avoid that, with advanced analytics to identify deep relationships.
THEN apply that understanding to make previously “infeasible” projects possible. The key is not to deplore the “precautionary principle” bias, but to requite it!
Glad to discuss how and where to share a case study, to make this real.
Isn’t it better to start with “what decisions have to be made?” Then “what information do they need?”
OF course – blocking and tacking first. And avoiding/hedging a big risk releases capital. But that’s a “theoretical” satisfaction.
But there’s more than that, like deal-enabling
Did a complex swap-hedge-barter transaction for a desalination project. Risk “treatment” let investors grab an upside opportunity.
The executives, including the CEO, in the company that I worked for said publicly that they could not run the business effectively without good ERM. Unfortunately still most executives do not understand the potential of good ERM.
If you are trying to decide whether to invest in protecting yourself from a cyber attack vs protecting yourself from the damaging effects of a hurricane, then traditional risk assessments can work. But if you are trying to decide between investing in cyber defense vs marketing a new product, then it does not. It fails even more spectacularly when the decision is between investing in marketing new product A or new product B – because risk folk usually consider that “not out job”.
John, at Hydro, how did your CEO and team decide whether to invest in upgrading a casino vs safety at a power production facility?
It has all been documented extensively in academic papers by Harvard University and Okkahoma University and others. Also covered in our first book on ERM by one of our asset managers (the second edition is now being written). In brief, ALL investments, i.e. resources to be used, were prioritized based on ‘risk criteria’ as to the potential impact on meeting objectives, Hence the need for training could be compared to maintaining assets or investing in new equipment etc. It was how over a billion dollars were allocated each year as part of the planning process. Hope this helps.
Norman, I think you have to be careful not to ‘throw the baby out with the bath water’. ‘Traditional risk management’ (Objective>Risk>Control) has its uses in determining the internal audit agenda, provided: it is kept up-to-date; aims at the risks threatening the most important objectives; is reported on in such a way that it relates back to the objectives.
This approach is fine for what might be considered as ‘static’ risks, that is risks relating to the day-to-day work of the business, such as credit control, health and safety (as you have said above).
The approach does not work for dynamic risks, such as those involved in exceptional changes, new products, new technology, controlling a pandemic (although there are static risks here which should have been identified), since events are moving too quickly. Even in this approach, if there are several courses of possible action there is a need to consider the benefits/threats arising from each (typical SWOT analysis).
In all instances it is the responsibility of risk managers to ensure that management have processes in place to ensure information is available for decision making and that it is used. It is internal audit’s responsibility to ensure this is happening.
If risk management was working with business leaders to identify the information they require to achieve their objectives, they would be seen as relevant. Which brings me to an old rant of mine. To achieve objectives you need to make decisions; to make decisions you need information. Decisions can’t change the past, so information must relate to the future. What proportion of the board ‘pack’ consists of historical data and what proportion realistic forecast data?
My post is not for internal auditors and their risk assessment – although they should not focus only what what could go wrong but include what could go well.
What you are saying here is exactly what I am saying:
“If risk management was working with business leaders to identify the information they require to achieve their objectives, they would be seen as relevant. Which brings me to an old rant of mine. To achieve objectives you need to make decisions; to make decisions you need information.”
Does traditional ERM work for credit control? Maybe. How about when a new customer has great potential for both harm and benefit? Traditional risk management only considers the likelihood of credit issues, not whether its worth it.
I did say that risk assessment and management works in some areas. I’m not convinced that there is a practical distinction between ‘static’ and ‘dynamic’ risks when the business environment is dynamic.
If ‘Traditional risk management only considers the likelihood of credit issues, not whether its worth it’, then I agree, traditional risk management should be binned
Norman,
I’m not sure if this email will get to you, but I thought I’d give it a try.
I read your article below and I also, have read the full report from NCU. I have read it each year since it has been published. A changing landscape, but not enough.
You point out the one thing that has been a ‘craw’ for many executives – how to get value from ERM.
Your point . . . The authors continue to ask the wrong question. I don’t believe that’s it at all.
The authors are only asking about what has been traditionally asked about risk – no one has yet told them the times (the past 15 yrs.) have changed how ERM should even be looked at.
I’m in the midst of writing a paper that will get and I’m putting out there what I have been consulting on and then have been invited to teach at numerous universities . . . it is a systematized methodology for ERM that actually delivers value and measurable results. It has done so for over 350 client organizations plus the many hundreds who have been in my classes.
I will likely post an abbreviated version on LinkedIn in the next few days.
Norman, as long as auditors continue to get involved in a place where they have no business, such as ERM, will continue to be talked about like it is a problem and not what it truly is . . . . risk – which in effect is not real . . . it is a maybe of the future and even then most companies don’t align the risks to their objectives as it is. . . . and I will have much more to say on this.
At some point, I would welcome a conversation with you . . . you do put out some provocative writing and I like that.
All the best,
Thanks. Happy to chat
Norman – I couldn’t agree more on your risk management comments. Would you extend your comments to the practice of GRC generally or limit them to risk management?
Bruce, I doubt many practice GRC in real life, if you mean ensure that all parts of the organization work effectively together towards common goals, understanding what might happen, and acting with integrity. Very few integrate, for example, risk and performance reporting – let alone decision-making. The communication of objectives and setting of individual and team objectives is awful at most organizations
Norman
I have seen about 3 decent attempts at integrating the various elements of GRC and linking to business objectives and reporting. But I suppose we can call them black swans):
Interestingly I posted the following blog on LinkedIn several days ago and it is getting a lot of traffic. Not may “Likes” but lots of noise.
https://www.linkedin.com/feed/update/urn:li:activity:6650452184095956992/
Norman,
How did we get in this mess?
42 years ago when I first started looking at what could go wrong, what it would lead to and how likely the effects were, it was quite clear that my role was exclusively to help those charged with making decisions. I did not seek to impose my arcane language and concepts on the decision makers. Indeed, a big part of my job was understanding their needs and the context and then after I had carried out my analysis, framing the information I gave them using terms and concepts that were meaningful to them. I did not insist they contort their language and ways of thinking to suit mine. I did not insist they either replace their business processes with mine or to run my processes in parallel.
I only worked for the decision makers, and if they could not understand and appreciate what I was telling them, that was my fault, not theirs.
Since then, and despite the Frankenstein monster ‘risk management’ having no solid foundation or universal meaning, the advocates of its many guises (normally with three letter acronyms) have created a perception in those responsible for the governance of organisations that ‘risk management’ was ‘good’ and should therefore be adopted.
This ‘Risk management’ belief system has been promoted as something that is both valid and indispensable: in effect something to be believed in as essential to good governance. But it is only a belief, there is little tangible evidence that ‘risk management’, whatever that term means, actually helps organisations make better decisions and thereby enhances their performance.
Organisations have been encouraged by ‘risk management’ advocates to give effect to this belief by superimposing a ‘risk management framework’ across the organisation comprising various edifices. Common examples included ‘risk committees’ of the Board, ‘Chief Risk Officer’ positions and various ‘risk management’ structures, policies, reporting requirements and so on. The purpose for establishing this paraphernalia, has been seldom transparent, explicit or understood. Consequently, to the extent that it actually existed, this ‘framework’ is seldom integrated with day to day decision-making – because, in fact, it can’t be. If it exists at all, this is only in a parallel universe to the real world where businesses are run and decisions are made.
This belief system has been bolstered by the many national stock exchanges that now included practice of ‘risk management’ as a necessary condition for a stock being listed on their exchange. The (entirely untested) belief is that practising ‘risk management’ (in whichever guise) is prima facie evidence of, and a prerequisite for, sound management. The myth they have perpetuated that investors could and should have greater confidence in such companies.
However, this has been proved repeatedly to be a fallacy, best illustrated by the extraordinary failure of the Enron Corporation and by many recent and spectacular examples of corporate failure such as that involving Boeing’s new 737MAX aircraft that took 346 lives in 2019.
It seems clear to me that if, after all the time and effort that has been invested in ‘risk management’ over the last 30 years, it still isn’t helping decision makers to consistently and competently make better decisions, we simply need to dump it.
We should simply go back to where I was, 40 years ago – understanding how people make decisions and how we can help them understand their assumptions, the context and how they can become sufficiently certain of their desired outcomes.
The ‘risk management’ emperor has no clothes!
I guess too many companies have a risk management function only for the sake of being able to say, that they have it – and to produce reports that shows “we are doing well”. Executives had (and have) no intention of letting risk people involve themselves or tamper with decisions they are making or how they execute/operate.
Executives have the right to decide, and alas, they often decide that any approach to systematic quality assurance and governance they impose on the business does not apply to their own processes – which I find unfortunate to say the least. Why is it, that every medium sized operational decision has to be scrutinized whereas the strategic choices made by executives are not subject to any form of validation – and in some cases, even suggesting this is seen as insubordination.
Hans, Your first paragraph (3 April) makes an astute observation. The essentially useless ‘risk management’ edifices that organisations build, play no meaningful role in assisting the daily task of making sound decisions – from top to bottom. (I put ‘risk management’ in inverted commas, incidentally, because although the expression is common, there is little that is common across all its users as to what it means or consists of!)
These edifices are established at great cost and inconvenience either because of regulatory pressures as illustrated by John Fraser’s later anecdote (such regulations are often a forlorn hope by governments that this will somehow avoid society being disadvantaged in some way or other) or because of supply chain obligations which, as with Covid-19, spread up and down the chain with ease, or because of virtue signalling by the new breed of woke directors who are not focused on their real job of adding shareholder value. The fact is, as you say, these ‘risk management’ edifices exist as an externality to the real management activity (including strategy setting) that is providing the engine room for the organisation.
This is why ‘risk management’ has little influence or, worse still, why it has an adverse effect which is the more common consequence as a consequence of its distractive effect and resource wastage. At very least, it’s not seen as helpful to the daily challenge of making sound decisions because as the world has shown, repeatedly, that with or without ‘risk management’ it is perfectly possible to make both good decisions and bad decisions. One doesn’t have to invert normality in order to make good decisions – just become a little more skilled in the steps that are already followed. There is no need for a ‘system’ or ‘framework’ (for which, read ‘edifice’) just decision-making skill.
Dear Norman, on your comment “I’m not convinced that there is a practical distinction between ‘static’ and ‘dynamic’ risks when the business environment is dynamic.”
Personally I believe there is a significant difference between them and it is handled at different level in the company. Also Strategic risks are confined to an inner circle of Managers because it could leak to the competitors, rightfully strategic risks are dynamic like changes in technology and dependency on IOT. Many of the company employees would not know anything until it has been in progress (on the strategic move).
Static risks are those that are sure incidents which has severe consequences to the company’s objectives like FIRE, EXPLOSION, FRAUD etc. If there are no changes to the operations, the list of controls put in place would mitigate the consequence to moderate or low. The popular Management of Change concept is to transform any STATIC risks to DYNAMIC risks hence studies conducted to evaluate if the existing controls are sufficient because of the MOC. Therefore personally there is a significant difference between dynamic and static risks in an organization.
Norman, just pondering what you said above: ‘My post is not for internal auditors and their risk assessment – although they should not focus only what what could go wrong but include what could go well.’. Are you implying that internal auditors should do their own risk assessment, as opposed to using the risk assessments carried out by managers? My approach to internal audit (www.internalaudit.biz) was to base it on risks identified by management. Since it is the responsibility of internal auditors to pass an opinion on whether the objectives of the organisation will be achieved, based on controls reducing risks to acceptable levels, any discussion of risks must be for internal audit. Thus your post must be relevant to internal auditors.
If management’s risk assessment is reliable, then IA can base theirs on management’s. But internal audit should not only be concerned with the possibility, say, of losing a prime customer but also of gaining new customers. Most management risk assessments are lists of what could go wrong. Just as that is not very useful for management decision-making, it is not a complete picture for IA.
Agreed – but then it’s IA’s responsibility to report on the deficiency in management’s failure to identify opportunities.
Agree
Thanks indeed for your post, Norman.
Having a risk management system, function or even c-suite executive doesn’t create a lot of value in my view. Organizations will benefit more from going back to the basics of management.
Entrepreneurs, directors and managers make decisions all the time. They make them explicitly and implicitly, taking their time and in a hurry, based on extensive analyses and on their gut feeling.
Decision-makers make choices when designing, executing, evaluating and improving their governance structures, processes and projects. When making these decisions they have to balance the potential pros and cons that impact the interests of their key stakeholders. Their entities will remain future-proof to the extent that they will be able to keep their stakeholders satisfied.
The future is uncertain and decision-makers have to use assumptions all the time. In order to improve the quality of their decision-making it is very valuable to have discussions with colleagues, external experts and interested parties whenever they have to make a relevant decision. It’s about basic questions such as: Do we feel comfortable with our assessment of opportunities and threats? How realistic are our underlying assumptions? Do we have any major biases?
Do these activities differ from ordinary management? If not, then why would one want to invest resources in risk management?
Very well said, Marinus
Bravo Marinus.
So, decision makers really don’t need any form of risk management edifice in order to make decisions where they are sufficiently certain of the outcomes.
They might just need ensure they are as proficient in decision making as is necessary. This involves:
• being aware of their present methods and motivations (including biases);
• mastering some basic techniques for enhancing their present methods;
• developing an intrinsic awareness of the level of certainty of decision outcomes; and
• developing an instinct for adjusting their present decision-making methods as necessary.
To do this requires decision makers to be honest and clear about their current methods, aware of the limitations and how they can be enhanced.
Norman, a great blog posting with great interest looking at the many discussion comments. If executives feel risk management is failing (lacks value), I ask what are the many reasons why? Is it the processes or the actors or both?
From my professional observations there are many sides to this failing grade, to list a few, one is the risk management framework and approaches followed which are too old school and not support effective decision making; the second is the executives; and third regulators impacts and expectations. Agreed “value” is probably not the right question or measure of success for risk management. My question is are executives in some cases not part of the problem, if in their decision making process, for what ever reason they choose, do not apply consideration of risks in achieving their objectives are they not ensuring it’s failure too.
Welcome your thoughts.
Michael, thank you for the comment.
I believe boards and management are going along with traditional ERM because regulators and consultants say they should, not because they see it as integral to success and effective decisions.
They don’t know there is a better way, so they just accept with minimal investment of time and resource.
The regulators are concerned with management taking too great a risk with stakeholders’ monies. So I can understand their perspective. But they also don’t realize that a focus on avoiding failure means avoiding success.
From reading the comments above, I get the impression that only two alternatives are available. The so-called ‘traditional ERM’, whatever that is; but I assume it means the stuff that the regulators and consultants try to impose and sell respectively, or else do nothing but leave it up to the existing management processes for decision-making and hope that will work. Nowhere do I see recommendations to do ERM better, which is to enable better decision making. Hopefully some companies are doing ERM well.
John, I believe you know what I recommend: organizations should do what is needed to satisfy the regulators, but augment it by understanding what information leaders need and give it to them.
I have variously described this as:
– give them what they need rather than what you want to tell them, and
– move away from “push” (where you push heat maps and risk registers to management, to “pull” risk management (where you respond promptly to the needs of leaders)
I don’t see effective risk practitioners just letting decision-makers wing it.
Risk practitioners can only be effective if they have the support of management and/or the board. Unfortunately, not all do. Often it is the blind leading the blind. One quick story: a board member once told me to go over to his company to meet with his CRO and see what I could learn from them… So I dutifully went over and met with a nice, freshly qualified accountant who confessed that she had been named the CRO as the regulators required the company to have a CRO, but she really did not know what to do. She showed me a heat map with lots of green and yellow boxes that went to the board periodically. I asked why there were no orange or red boxes and she replied that the CEO did not wish to show any of that colour to the board!
I could not agree more that with “risk management” as practiced today today”, frequently nothing is achieved. and in fact it likely causes damage. (Please don’t put that on a Heat Map) .I suggest however that most of what we call “risk management” is actually “control management”. And “control management ” as practiced today is as bad or worse than “risk management” unless its left to the 1st line of defense. Most “risks” in core business processes are already known and have already happened. “Control design and assessment when left to “risk management” specialists is abysmal. If we can figure out how to undo the damage there is hope. But it wont look anything like what we have today It will require far fewer resources and far better tools.