What is the state of ERM today?
Is enterprise risk management effective and is it adding the value to the organization that it can and should?
I wish more people were working to address these questions.
Several organizations survey practitioners and share the results in an effort to inform us of the ‘state of enterprise risk management’. Some, like the people at the ERM Initiative at North Carolina State (see their 2020 report) are independent organizations (although they are linked to the AICPA and COSO). Others, such as software company AuditBoard, have an interest in promoting their products and this may affect how they ask questions and consider the results.
The AuditBoard report (available at https://www.auditboard.com/blog/state-of-risk-management-report/) has a bit of a bias, evident in its title: The State of Risk Management: A Tipping Point for Digitization.
This is how they start Part I of their report:
Today’s risk leaders are confronted with obstacles ranging from a volatile risk environment to the operational and technical challenges found in their own risk functions and organizations.
My view is different. I would say this:
Today’s risk leaders are confronted with a disconnect between what they are doing and what business leaders need to make the intelligent decisions, both strategic and tactical, necessary for success. These ‘risk leaders’ are given what they perceive as a lack of support and budget – because executives fail to see how risk functions are helping them achieve the objectives of the organization.
AuditBoard asked risk practitioners what they considered the greatest challenge in 2021. 67.48% said there was a “lack of awareness of the relationship between ERM program maturity and business success”. Now, I am sure that they see ERM program maturity differently than I (as described in my books, especially the maturity model in Risk Management for Success), but even so this illustrates my point: ERM as practiced at most organizations is not considered by leaders as helping them run the company for success. Therefore, they don’t give it all the support practitioners feel is necessary.
The authors continue with:
Though the risk landscape is constantly evolving, organizations are facing an exceptionally volatile risk environment this decade. Risks are more interconnected than ever due to concurrent global developments, including the pandemic, the rapid speed of disruptive innovation, cybersecurity threats, and the energy/climate crisis. Protiviti and NC State’s Top Risks for 2021 and 2030 Report, which included interviews with over 1,000 board members and executives across various industries, found an increase in risk leaders’ overall impression of the magnitude and severity of risks for 2021, relative to 2020 and 2019.
Clearly, they believe that effective organizations need to build and maintain a list of risks, which they then strive to manage or mitigate.
They fail to see the need to take the right risks.
They fail to see that leaders need to weigh both risks and opportunities and make the best business decision given both.
They fail to see that focusing on your feet and making sure you don’t trip on an open manhole will not get you to your destination on time. In fact, you will likely be rooted in place so that you don’t fall on your face or worse.
They fail to see that a focus on avoiding risk comes at the expense of seizing opportunities with full appreciation of the risks you are taking; in other words, making sensible business decisions.
XX
AuditBoard sees a lack of investment in technology for risk management as a serious issue. While I understand their perspective, technology won’t help if you are doing the wrong thing. You might be able to do it more efficiently, but where’s the value in that?
XX
Having said that I don’t find great value in these surveys, except to confirm that ERM programs are not seen as helping organizations succeed. I want to suggest to academics, consultants, and software vendors that they ask about the state of risk management – and whether it is really adding value – in a different way:
First, as I pointed out in my last post, on internal audit, you need to ask the customer if you want to know the value of anything. Instead of asking the seller about quality, ask the buyer.
Board members, business managers, and executives should be asked these questions, with answers ranging from ‘a great deal’ to ‘not at all’:
- Is the risk management activity helping you with the information and insight you need to make the best business decisions?
- Are they helping you weigh the upsides and downsides so you can see the big picture and make informed and intelligent decisions, both tactical and strategic?
- Are they helping you set the best objectives and strategies for the organization?
- Are they helping you achieve your objectives and those of the enterprise?
- Are they delivering the value they can and should?
- Are they helping the organization stay in compliance with laws and regulations with minimal cost and disruption of the business?
XX
A survey of the customers of risk management that gave us insight into these questions would be of far more value than any survey of practitioners assessing their own condition.
What do you think?
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Totally agree, great summary
Very accurate view 👏🏻: risk managers, consultants and vendors using immature assessment and management techniques are just creating “paper compliance”. Let´s come back to probabilistic techniques for objective-centric and data-driven risk management.
Norman, you have quite rightly emphasised the need to focus on ‘the big picture’. However, ERM must not ignore the detail.
The following article shows how a simple error could result in the loss of life: https://www.theguardian.com/world/2021/apr/09/tui-plane-serious-incident-every-miss-on-board-child-weight-birmingham-majorca?CMP=Share_AndroidApp_Other
Interesting how the RM and IA professions are agonising about the new risks around ‘cybersecurity’ when a ‘simple software error’ can nearly cause a plane crash. This brings to mind your example of one of the biggest risks in the refining industry: particles in aircraft fuel.
These two examples show that risk managers and IA must not forget the basics while Iooking at the big picture. So I would add a seventh question: Does the risk management function work closely with IA to ensure that line management have identified all the risks and opportunities which may have a material effect on the achievement of objectives and are managing them to the levels set by the board? This question might be covered by your questions but I think a specific question is required.
There is one risk which is rarely mentioned yet it’s the most serious for any organisation: complacency. So I might add an eighth question: How complacent does the risk management function make you feel?