Renowned author, blogger and retired chief audit executive Norman Marks questions why we need risk management and what role ERM plays.

Too often we do things without understanding why.

Look at the latest report from the Enterprise Risk Management Initiative at North Carolina State. Their report, 2018: The State of Risk Oversight, is intended to provide “an overview of enterprise risk management practices”.

I will come back to that claim.

But first let’s consider why we need to consider risk.

Some time ago, Deloitte conducted a survey and asked board members and top management the right question:

Does risk management at your organization help you set and then execute on strategies?

Tell me whether you agree with these assertions:

  • The only purpose of risk management is to help leaders select and then successfully execute strategies to deliver optimal value.
  • They do this by making intelligent and informed decisions (which include strategy selection).
  • Those decisions are made every day across the extended enterprise by the people running the business.
  • Risk management is about considering what might happen and enabling decisions across the organization to be appropriately informed.
  • Effective ERM is not focused on avoiding failure; it enables the achievement of success.
  • If leaders of the organization do not believe risk management is helping them be successful in setting and executing strategy, it is failing.

The study reports that only 5% assessed their ERM program as “robust”.

But what does that mean?

The respondents were asked to self-assess their program and not provided guidance, such as asking whether ERM enables informed and intelligent decisions.

So, I personally doubt that even 5% would pass that test.

In fact, the authors continue to position ERM as assessing and providing information on risks, rather than on whether enterprise objectives are likely to be achieved.

The report says something that is strikingly odd, indicating that yet again people see risk management as all about avoiding failure rather than achieving success.

…a majority of the respondents in the full sample indicated that their organization’s risk culture is one that is either “strongly risk averse” (8%) or “risk averse” (45%). Similarly, just over one-half of the largest organizations, public companies, and financial services companies indicated their risk culture is “strongly risk averse” or “risk averse.” The overall lack of ERM maturity for the full sample is somewhat surprising, when the majority of organizations are in organizations with notable aversion to significant risk-taking.

If you are not willing to take risks, you will wither away and die.

The key is to take the right level of the right risks. In fact, I strongly recommend doing away with the idea of “accepting” risk, replacing it with “taking” risk.

No self-respecting CEO or board will say they are risk-averse! That is what they are paid to do – take risks!

The report is a study of failure in action: a failure to implement risk management in a way that adds huge value in the setting and execution of strategy.

It describes these barriers:

  • Competing priorities 29%
  • Insufficient resources 27%
  • Lack of perceived value 24%
  • Perception ERM adds bureaucracy 19%
  • Lack of board or senior executive ERM leadership 18%
  • Legal or regulatory barriers 4%

If leaders across the organization see ERM as a bureaucratic compliance exercise that gets in the way of success, then we should not be surprised that they are neither supporting nor funding it.

Maybe they tolerate it to appease the regulators and the board.

If only they could see how it should function!

That takes courage from individuals, whether in executive leadership, on the board, as CAE, or as CRO.

Don’t do traditional, failing ERM.

Help people make informed and intelligent decisions.

Is ERM at your organization effective?

You can read the original post here on Norman’s blog: