The 2021 State of Enterprise Risk Management – a state of madness
The ERM Initiative at North Carolina State University’s Poole College of Management has published its 12th annual report on the state of ERM practices. Each year, I have reviewed their report.
I bring it to your attention because it is an important topic and their report usually has some useful data on the level of maturity and effectiveness of risk management practices.
It has consistently confirmed, each year, that traditional risk management practices are not seen as adding value to an organization’s success. It may possibly help them avoid some degree of harm, but it will not add much to the chances of success.
As you will see later, more than half of the larger companies, those with revenues of $1bn or more, believe they have ‘complete’ risk management processes. But only 3% of the CFO respondents say that ERM is giving them much strategic value.
XX
Let’s stop the madness. Continuing what hasn’t worked in the past, traditional risk management based on a periodic review of a list of risks, is not the way to succeed.
XX
Change to enabling informed and intelligent decision-making and reaching an acceptable level of certainty that you will achieve enterprise objectives. This requires considering all the things that might happen, both good and bad. Focusing only on avoiding failure will result in failure.
Change to a continuous activity, not one that pops its head up every so often. After all, running the business is a continuous activity!
XX
This year’s report has more detail than I recall in prior years, so I am going to excerpt more than in the past.
However, please note that:
- The professors who lead the ERM Initiative and conduct this annual survey are COSO ERM adherents. That is neither necessarily good nor bad, just a fact.
- They are academics without, as far as I can tell, practitioner experience. That is, again, neither good nor bad as academics are perfectly capable of conducting a survey – if they can ask the right questions. More on that later.
- The survey is of CFOs and similar executives. That will bias the results to a certain degree. There is no assurance that CFOs understand what effective ERM is all about, and they obviously tend to be far more risk averse than operational management and CEOs. However, a survey of CFOs is probably better than a survey of practitioners who will usually not have a clear understanding of how their activity is valued by operating management.
XX
The authors start well (emphasis added by me):
We have recently encountered a new wave of challenging economic, political, social, and technological issues that triggered an unimaginable range of risks that have impacted virtually all organizations. Business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.
Many organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.
Unfortunately, they follow the COSO ERM practice of recognizing that risk can be good, bad, or both (the latter is rarely understood) at the beginning of their paper and then focus exclusively on avoiding harm when it comes to detail and practical guidance. There is nothing in COSO ERM nor here about how to see the big picture and weigh all the things that might happen, both good and bad, to make an informed and intelligent decision.
While they recognize (I think for the first time it is said explicitly in their report) that the intent is to “increase the likelihood the organization will achieve its core objectives” (a principle I have been pushing for several years in my books and this blog), they have nothing more to say.
XX
Their survey (please take note, Mark, Bonnie, and Bruce) does not ask these important questions:
- Does your ERM program effectively identify, assess, and evaluate together all the things that might happen and effect the business, both good and bad?
- Does your ERM program help leaders make informed and intelligent decisions?
- Do you measure the likelihood of achieving core objectives, given all the things that might happen, and act when that likelihood is not acceptable?
- Is your program continuous, helping decision-makers understand and respond to changing business conditions?
I wonder if anybody will ask these questions in a broad survey of business leaders.
XX
The authors do a decent job of identifying that there are problems when it comes to understanding what might happen before establishing core objectives and related strategies (something missing from COSO ERM):
Organizations continue to struggle to integrate their risk management and strategic planning efforts.
Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.
Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.
XX
They also recognize that too many organizations manage risks for their own sake, rather than with respect to how they might affect (positively or negatively) the achievement of objectives.
There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.
XX
In prior years, I have used the ERM Initiative report to highlight the fact that traditional risk management practices are not seen as effective. That continues to be the case:
Overwhelmingly, most organizations do not perceive their risk management processes as providing important risk insights that management can use to create or enhance strategic value.
This question was asked of the CFOs: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?” The answers were:
- Extensively – 3%
- Mostly – 9%
- Somewhat – 22%
- Minimally – 31%
- Not at all – 35%
Yet, many CFOs claim to have complete ERM process and practices, even “mature or robust”:
In 2009, only 9% of organizations claimed to have complete ERM processes in place; however, in 2020 the percentage has increased to 35% for the full sample. [56% of companies with revenues greater than $1bn claim to have a “complete formal enterprise-wide risk management process in place. 35% of the full sample and 38% of larger companies claim a partial process is in place.] So, greater adoption of ERM has occurred.
While we observe an increasing percentage of entities that describe their risk oversight processes as “complete ERM processes,” that does not mean those ERM processes are mature. Interestingly, only 28% of full sample respondents describe their organizations’ approach to risk management as “mature” or “robust.”
This year, the report includes more detail that gives us a clue about what the authors believe makes a program “mature” or “robust”.
|
Percentage of respondents |
||||||
| Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations | |
| Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 42% | 65% | 75% | 62% | 33% | |
| Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 26% | 21% | 17% | 16% | 26% | |
| We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 19% | 10% | 6% | 17% | 27% | |
| There is no structured process for identifying and reporting top risk exposures to the board. | 13% | 4% | 1% | 5% | 14% | |
As you can see, the survey is focused on whether a list of risks is periodically reviewed.
Let me stress this: the periodic review of a list of risks may be traditionally seen as effective risk management, but it most definitely is insufficient. Effective risk management helps an organization have an acceptable likelihood of achieving its core objectives by making informed and intelligent decisions! (Marks, 2021 and earlier)
Why is risk management in so many cases less than “complete and robust”?
It’s clearly because those holding the purse strings don’t see the value! The authors say:
The most common barrier in the full sample to advancing an organization’s risk management processes is a perception that there are other more important priorities for the organization, with 41% identifying this as a “barrier” or “significant barrier” to the organization’s implementation of ERM processes. Not-for-profits especially perceive that to be a significant barrier to ERM progress.
It’s a “barrier” because management does not see the value and wants to spend its time and money elsewhere. If only risk management focused on helping those same people make informed and intelligent decisions so they can maximize their bonuses!
XX
The report also discusses the frequency of updating a risk inventory (about half only do it annually!), how many organizations have a CRO or equivalent, and the extent of management and board risk committees, and more.
XX
I congratulate the ERM Initiative for their 12 years of running similar surveys. I plead with them to ask better questions to help everybody stop the madness and start a journey to effective risk management.
XX
I welcome your thoughts.
XX
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
From NYSE rules (303A.07), ‘Commentary: While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures.’
Since one would expect that most >$1B companies would be listed, what are their Audit Committees, CEO and senior management doing if 35% do not have ‘systematic and robust’ risk management?
Kudos for highlighting flaws in the application of risk management, as well as the potential shortcomings of surveys. The “list of risks” is necessary — but it must be developed and used in the right way. Known risks must be reviewed as an agenda item in leadership and management meetings: changes to the level of risk; are risk response actions on track; do new or emerging risks exist. Known risks must also be factored into strategic planning and annual business planning, to both avoid exacerbating existing risks and also to identify new risks arising as a result of the plans. Risk management is not a periodic exercise performed in isolation: it must be integrated into the way the business is run — at all levels.
I cannot help but giggle and then be frustrated by the truth and appropriateness of your closing Albert Einstein quote. It appears that companies keep doing the same thing, fully aware it provides little or no value (and hence essentially depletes company value).
Do manage for success in a world of uncertainty, risks and levers and deploy intelligent risk taking.
As per usual Norman, so much to support here..
As I see it we have a powerful lobby of folk who are wedded to COSO ERM which in theory (and sometimes in practice) does the job, but in practice much of the time, turns practical risk management as part of business as usual (upsides and downsides) into an academic form filling exercise ..
Further:
> Training on RM is mostly about filling in the risk system
> Many managers don’t value
> Many managers don’t use
> Many risk management functions carrying out a pseudo admin role with limited challenge of sacred cows..
As I see it we have too much GRC theatre.
Risk professionals need humility to come at performance and risk as a genuine partnership between them experts and senior managers (and I am sure the best do), where the idea that risk management is a “program” all wrong .. It should be so inter-twined in doing business performance, strategy, project management etc. that it doesn’t need to be seen as something in need of a programme!
I also agree that surveys are better when they inject diverse views and cover tricky topics:
How does your risk process handle politically sensitive topics where it may be hard to write things down
How is risk appetite lived at a practical level
What root cause analysis is done when there are surprises
What behavioural risk training is done ?
BFN
This post reinforces the view I gained in my master thesis (as an outsider looking into the state of RM). I could not demonstrate a correlation between ERM adoption and firm performance. From what I gathered in RM forums and posts like these the situation has not changed? Is my impression correct? A quantitative model that demonstrates ERM value over traditional RM does not exist? How could one ever convince the Board/C-Suite to truly adapt ERM?
I don’t believe such a paper would influence executives. However, when they see how effective risk management performs in reality, helping them with decisions, they will be convinced. But that is not today’s traditional ERM.
How could ” But only 3% of the CFO respondents say that ERM is giving them much strategic value.” You need to be prepared we see that now more than ever.