Five Weaknesses Of Enterprise Risk Management

By Vernon L. Grose
Omega Systems Group Incorporated Chairman

Vernon L. Grose has been described by Business Week as a “founding father” of the systems-based approach to managing risk.

Five Weaknesses of Enterprise Risk Management

Enterprise Risk Management (ERM) broke over the horizon at the end of the 20th century as a welcomed and heralded improvement – a broadened scope for managing risk, embracing a wider range of operational, strategic and stakeholder concerns. Initially established in the private sector, it has now been adopted by public organizations as well. Unfortunately, ERM has serious flaws. This white paper examines the history of ERM, identifies its five weaknesses, outlines a path for reform and explains what’s at stake for society.

Defining ERM

This popularity of ERM ironically has been attained without a universal definition. It has been variously described as a framework, approach, strategy, discipline, or tool. Consider these definitions:

ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization’s short and long-term value to its stakeholders. -- Casualty Actuarial Society

ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. – COSO (Committee of Sponsoring Organizations of the Treadway Commission)

A comprehensive and integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value. – James Lam in Enterprise Risk Management

Curiously, David L. Olson and Desheng Dash Wu, in their book ENTERPRISE RISK MANAGEMENT, have a section “What is ERM?” that only discusses it – but never defines it.

Origin of ERM

The origin of ERM is significant. Historically, Risk Management had been focused primarily on financing rather than controlling risk. This was sufficiently short-sighted that it gradually became evident to clients that risk involved aspects of management concern greater than financially surviving accidental losses. Strategic and operational parameters involved risks that required foresight and control. Stakeholders were demanding that the Board of Directors take an active role in managing risk. So ERM was born in the financial services industry – as an extension and expansion of its classical financing approach to risk. But therein lies a possible source of weakness for ERM due to that limited perspective.

In contrast to the tradition of financing risk, my own professional involvement in managing risk has involved controlling it. Working in manned spaceflight – including Apollo flights to the Moon – has involved high risk for which financing is unthinkable. The alternative to financing risk is to employ foresight to identify, evaluate, and control it through implemented countermeasures.

Two primary forces – global orientation and business complexity – provoked ERM into existence. In response, five aspects of risk have been increasingly addressed: strategy, accountability, identification, ranking, and mitigation. From the outset, ERM was intended and anticipated to rise in significance beyond the CFO to the top executive – and on into the boardroom – where it would join the highest strategic concerns. A new executive – Chief Risk Officer – was even christened to carry the ERM torch.

ERM Did Not Anticipate Global Financial Crisis

Despite ERM’s expanded focus, the worldwide financial chaos was a risk apparently not foreseen by risk managers. If some foresaw it, their concern had no impact.
As an article in Risk Management Reports observed, “While businesses have made progress in implementing enterprise risk management (ERM) programs, we have seen that such programs have often been ineffective. . . ERM has not become embedded in corporate strategic thinking and culture. Risk management processes continue to be fragmented and left to functional managers or business units and do not reflect a vision of the firm’s long-term goals.”

Summarizing ERM to date, it consists of methods and processes used by organizations to manage risks and seize opportunities influencing achievement of their objectives. Like all such innovative initiatives, ERM has been evolving – with contributions from many sources. As mentioned earlier, ERM has expanded from the private sector where profit and loss are prime concerns into the public sector where functional success is essential. One example of the latter is ERM application in the Nation’s Critical Infrastructure Protection program where risk of international terrorism must be managed.

In fairness before evaluating ERM, it should be obvious that ERM is not a standalone. It requires human expertise, cultural acceptance, and socio-political skill as well as executive endorsement and support for successful implementation. Therefore any evaluation of its effectiveness – including this one -- presumes these requirements are and have been available. Often they are not.

Sufficient ERM experience has accrued, however, to justify a critique at this time. Judging its success requires a baseline of expected performance.
Six tasks are offered as the primary ERM functions that form the baseline of appraisal:

• Define the entity whose risks are to be managed
• Identify all risks within that entity
• Establish and price countermeasures for all identified risks
• Rank all identified risks using severity, probability, and mitigation cost
• Mitigate all significant risks
• Accept (prepare to live with) all unmitigated risks

Of course, these functions are often divided into dozens of sub-tasks. But limiting evaluation to these major components allows an all-encompassing, systematic analysis of ERM performance to date.

Every human endeavor consists of strengths and weaknesses. So listing and examining ERM weaknesses is a normative activity hopefully leading to its increased success – rather than a criticism intended to urge its elimination.

Weakness 1 -- ERM Lacks the Framework it Touts

The expansion of traditional Risk Management beyond financial concerns – and denoting it as Enterprise Risk Management – was haphazard, almost random in nature. Obviously, the intent was to consolidate all activities, functions, and interests within a corporation so that their risks might be integrated, examined, and managed as a unit. The idea was admirable. But the very singularity it was seeking is missing – because it has no universal rationale or mechanism to attain it.

So the No. 1 weakness of ERM is that it lacks the framework it touts. It has no defined process that assures TOTAL management of risk. Instead, it’s “bits and pieces” -- often focused on the sensational and obvious while ignoring the mundane and routine. The goal of ERM is to address risk in all areas of the enterprise. Consider Enron and Worldcom – companies that spent millions on risk management services that likely never addressed the risks of accounting and financial reporting.

“Enterprise” turns out to be elusive rather than descriptive. ERM in one organization may not even resemble ERM in another. What is needed?
Application of the systems approach – that global, holistic, all-encompassing, universal technique used successfully in high-risk space endeavors. That approach clearly defines the boundary of concern – so that there is no ambiguity about what is and what is not the entity for which risk is being managed. Once that is accomplished, its known inputs and desired outputs are established, a functional platform for identifying every conceivable risk is constructed, and risk scenarios are written. Until ERM becomes systematic, it will suffer misunderstanding, false exploitation, fragmentation, and confused reaction.

Weakness 2 -- ERM is Reactive Instead of Proactive

History certainly reveals a wealth of risks needing to be managed. However, those risks are only a portion of those that management must address if an organization is to protect and create value for its stakeholders -- including owners, employees, customers, regulators, and society overall. Risks that have yet to be revealed or experienced may be more consequential than the obvious ones that most organizations traditionally manage.

There is no recognized and endorsed ERM process for foreseeing and identifying risks prior to experiencing their associated losses. This deficiency forces ERM to be reactive instead of proactive – waiting for a loss before implementing countermeasures against it. Reactionary management is always inefficient and impulsive – as well as expensive.

ERM should be proactive, but it’s not. It’s usually reactive. Because it has no method or process for identifying risks that have not yet happened, it is destined to remain reactive. The sad fact is that – by being reactive – every loss is much more costly than if it had been foreseen and controlled.

The answer for reactive risk management?
A defined, well-executed program for identifying risks proactively – systematically imagining those that have not yet been experienced but whose impact has been recognized, estimated, integrated and ranked within the full spectrum of risks to be managed.

A proactive risk identification program requires several components. First, there must be executive interest, demand and support for it. Second, a methodology is needed for stimulating or provoking insight about that which is possible but as yet has not happened – a variation of Murphy’s Law. Third, a class of creative folks should be recruited and trained in the methodology. Finally, there must be a formalized means for documenting the foreseen-but-not-yet-occurred events or conditions so that they can be processed into the risk database. A proven and effective vehicle for this step is the risk scenario.

Weakness 3 -- ERM Discards the Wisdom of Insiders

The third weakness is a sleeper – due to the history of risk management. Insurers and risk consultants in financial institutions have always convinced most client executives that they know how best to manage risk. So those executives have fallen victim to engaging experts from the outside to tell them what they already know -- while still remaining vulnerable to risks the outsiders know nothing about. Most critically, the wisdom required to manage and control risk is right within the enterprise itself. The key is to have a technique that extracts and organizes that wisdom.

Traditionally, risk management has been a profitable business – primarily because it was performed by insurers on behalf of the insured. But risks really weren’t managed. They were financed. So it follows logically that the early recruits and participants in ERM came from the financial end of the risk management spectrum – rather than the control end. Their influence and earmarks cannot be denied.
Yet, as the scope of risk concern broadened under ERM to include control of risk, it became obvious that the risk management knowledge and expertise required was not available from the outside financial experts who had historically provided it. True, there was a base of client knowledge in financial service companies whereby insurance rates could be established for various types of businesses. But that ballgame changes when the spectrum of potential losses widens beyond the insurable.

This is not to say that outside financial consultants cannot augment the internal wisdom of a client enterprise regarding management of risk. But the shortcoming is that they typically limit their involvement to a few mid- or high-level client managers with financial interests. Risks can only be impacted or reduced by those in control of the scene wherein they occur – and it is those very people who are rarely involved in the ERM process even though they have the greatest knowledge and understanding of those risks. ERM discards the wisdom of insiders.

ERM demands far greater sophistication than shopping around for the right insurance – and thereby engaging experts from outside the enterprise to manage its risks. Since the vital required risk knowledge resides within the enterprise, it may require a cultural transformation to elicit and mobilize that resident intelligence. The secret to creative risk mitigation lies there. A goldmine of untapped risk knowledge requires a methodology for extracting and utilizing it, if the full spectrum of risk within an enterprise is to be managed.

Weakness No. 4 -- ERM Doesn’t Calculate Mitigation Costs

Every identified risk attracts management attention – in one of two ways. If it is defined only in terms of its severity and likelihood, unanimity of concern about it is generally universal but inconsequential. Why? Because there is no consequence involved. Everyone agrees that the risk exists. But it is simply a moral concern – not a management one.
However, if a third dimension – mitigation cost – is assigned to that risk, decision-makers are forced to address it. It becomes consequential. It cannot be ignored. Questions arise – about all three dimensions – because, taken collectively, that risk can now be placed in an array of management significance or consequence. Executives become accountable for its management.

As a general rule, ERM measures risk in only two dimensions – severity and likelihood. With little doubt, this short-sighted approach almost guarantees that management will not get involved in addressing it. It may become assigned to a list or a group of similar risks or be classified within a zone of interest. But without a mitigation price tag, management will ignore it. Ignoring mitigation cost assures ignored risk.

Executives simply cannot deal with risk until it joins the real world of economics. Cost of mitigation is an absolutely essential third dimension of ERM. Without providing decision-makers with the COST of controlling losses, risk managers will continue to be absent from the boardroom.

Weakness No. 5 -- ERM Fails to Rank Risks

The fifth weakness is well-known to top executives. They have no unambiguous, universal means for determining what identified risks must be controlled or mitigated versus those that may be accepted without any countermeasure investment. Diverse interests and voices within an organization can and do promote risks as vehicles for securing additional resources. Alarmism and sensational appeals for risk mitigation are not unknown – even in the board room.

There are never enough resources in any organization to mitigate every identified risk. So allocating resources to manage risk is a prime concern for executives. On what basis then can an executive determine the necessity for investment to control risk? How can one risk be justified as more important than another?
When and how can a decision-maker feel justified in allocating limited resources to competing candidates for risk control – particularly when great diversity in complexity, function, or cost among them exists?

Compounding this dilemma is the possibility that risk identification itself may even be manipulated to favor or influence resource allocation decisions. Should an executive desire to have the organization publicly appear more risk responsible, he could limit or divert the function of risk identification – ordering that certain types of known risk not be acknowledged and documented. This did occur in the tobacco industry when the risk of nicotine addiction arose. Risk identification is not immune to political or social pressure.

Today the only option for many decision-makers is to spend very limited resources on the current risk du jour. What a shame – being forced to randomly commit assets to manage risk simply because risks cannot be ranked for cost-effectiveness! Should not every executive know the organization’s Number 1 Risk, Number 2 Risk, Number 3 Risk, and so on?

The answer to this weakness is related to the fourth weakness. When the third dimension of mitigation cost joins the severity and likelihood assigned to every identified risk, ranking every risk becomes possible. The distinction between two-dimensional risk (severity and likelihood) and three-dimensional risk (severity, likelihood and mitigation cost) is profound. The former is no more than risk moralism, while the latter enables risk management.

What then is the answer to the fifth weakness? It is being able to rank every conceivable risk so that decision-makers can allocate limited risk control resources on a cost-effective basis – getting the “biggest bang for the buck” in mitigating risk.
Starting at the top of the risk ranking with the most severe, most frequent, and least costly-to-mitigate risks, the risk array descends to the least severe, most infrequent, and costliest-to-mitigate. Somewhere in the middle of that array of risks, there will be a point where allocated risk mitigation resources will have been expended. So all risks below that point will be accepted in their current status.

Such a risk ranking will always remain dynamic, not static -- not only because the world is always changing but because risk identification is an ongoing activity. New risks can be expected to be identified on an ongoing basis. Further, as risk mitigation takes place, there is constant re-ordering of the ranking that reflects the impact of risks that have been controlled.

“Enterprise” Means Nothing

Hopefully, these five ERM weaknesses will be overcome soon. Identifying and discussing them is only the first step. Thoughtful and constructive response is essential. Simply adding “Enterprise” to traditional Risk Management changes nothing. What is needed is fundamental and revolutionary change – the kind that causes the management world, whether private or public, to take note and acknowledge that managing risk is the key to survival in a turbulent and uncertain milieu.

The risk management profession has a major challenge directly ahead. Far too long it has enjoyed a parochial – even isolated – status in most organizations. From that perspective, identifying weaknesses rather than strengths of ERM could appear negative or destructive. To the contrary, it is highly affirmative. How? By (a) acknowledging ERM potential that is still impaired by those weaknesses, and (b) presenting opportunity to expand its influence and effectiveness at a time when it is most needed.
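The three-dimensional ranking and budget cut-off described under Weaknesses 4 and 5, worked through in code. This is an example added here, not code from the white paper or from Omega Systems' TOTEM product; the 1-to-5 severity and likelihood scales, the exposure-per-dollar ranking key, the residual-likelihood re-ranking, and the sample risk register are assumptions of mine, not values from the page.

```python
"""Three-dimensional risk ranking with a mitigation budget cut-off.

Added example; not from the white paper or any Omega Systems product.
Assumed (not stated on the page): severity and likelihood use a 1..5
ordinal scale, cost is in dollars, and the ranking key is exposure
removed per dollar of countermeasure: (severity * likelihood) / cost.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int           # 1 (negligible) .. 5 (catastrophic)
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    mitigation_cost: float  # dollars to implement the countermeasure

    def exposure(self) -> int:
        """Two-dimensional view: severity x likelihood, no cost signal."""
        return self.severity * self.likelihood

    def benefit_per_dollar(self) -> float:
        """Third dimension added: exposure removed per dollar spent."""
        return self.exposure() / self.mitigation_cost


def rank_two_dimensional(risks):
    """Severity and likelihood alone ('risk moralism' in the paper's terms)."""
    return sorted(risks, key=lambda r: (-r.exposure(), r.name))


def rank_risks(risks):
    """Most severe, most frequent, least costly-to-mitigate first."""
    return sorted(risks, key=lambda r: (-r.benefit_per_dollar(),
                                        -r.exposure(), r.name))


def allocate(risks, budget):
    """Walk the ranked array funding countermeasures until the budget is
    spent; every risk below that point is accepted in its current status.
    Returns (mitigate, accept, unspent)."""
    ranked = rank_risks(risks)
    unspent, cut = float(budget), len(ranked)
    for i, r in enumerate(ranked):
        if r.mitigation_cost > unspent:   # budget expended: cut-off here
            cut = i
            break
        unspent -= r.mitigation_cost
    return ranked[:cut], ranked[cut:], unspent


def apply_mitigation(risks, name, residual_likelihood):
    """Dynamic re-ranking: a controlled risk stays in the array with its
    residual likelihood, so the ordering of everything else shifts."""
    return rank_risks([replace(r, likelihood=residual_likelihood)
                       if r.name == name else r for r in risks])


# Constructed sample register; values are illustrative only.
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", 5, 4, 40_000),
    Risk("Financial reporting control gap", 5, 2, 15_000),
    Risk("Unpatched VPN appliance", 4, 4, 5_000),
    Risk("Phishing of finance staff", 3, 5, 8_000),
    Risk("Data center flood", 5, 1, 120_000),
    Risk("Lost laptop without disk encryption", 3, 3, 3_000),
]

if __name__ == "__main__":
    mitigate, accept, unspent = allocate(SAMPLE_RISKS, 20_000)
    print("2-D order:", [r.name for r in rank_two_dimensional(SAMPLE_RISKS)])
    print("3-D order:", [r.name for r in rank_risks(SAMPLE_RISKS)])
    print("mitigate:", [r.name for r in mitigate], "unspent:", unspent)
    print("accept:", [r.name for r in accept])
```

With a $20,000 budget the two-dimensional view puts ransomware first, while the three-dimensional ranking funds the VPN, laptop and phishing countermeasures and cuts off at the reporting control gap, which is accepted along with everything below it.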
Questions to Ask About ERM

To assist in raising a standard of excellence, the following ERM questions are offered as a checklist:

• Is it systematic, built upon a defined process that assures total management of risk?
• Is it all-embracing, identifying every type of risk – legal, political, technological, cultural, environmental, and human?
• Is it proactive, with a means for foreseeing what has not yet happened?
• Does it provide decision-makers with a ranked order of risks – their No. 1 risk, their No. 2 risk, their No. 3 risk, et al?

What’s Needed

Participation in such a challenge will be based on three premises:

1. A high degree of integrity. Integrity has always been a driving force in managing risk, primarily because truth – so essential to identifying risk – requires the ability to “run against the grain” in all organizations. Successful risk management has always depended on truth telling.

2. Independent insight. Independent insight is the ability to see what others do not. It will be essential because forces accommodative to “what is” are always strong and resistant to changing the status quo. Good risk managers have possessed this rare gift.

3. Courage. Openly declaring and supporting required action that is not readily discerned by society in general will be foundational. Sound management of risk produces this vital characteristic as well.

CONCLUSION: Imagining the Unimaginable

Question: What is the upcoming imperilment to which risk professionals may be called as prime participants?

Answer: Major but yet undefined risks that threaten our continued existence as a society. Those risks – like those demonstrated by the 9/11 airliner assaults – must be foreseen and defined so that countermeasures can be designed and implemented prior to their execution. There is little doubt that such risks are being created by diabolical minds bent on destruction of our civilization.
But survival of future society depends on many other undefined risks beyond terrorism. The current financial chaos is rife with undefined risks as well. Biotechnology – driven by promises and hopes for better living – involves risks that are truly frightening, many yet undefined. Rapid population growth undoubtedly impacts life on earth with many as yet undefined risks – whether or not global warming is a valid example.

As risk professionals become proficient in “imagining the unimaginable” and convincing executives to implement effective mitigation prior to experiencing loss, their skills will become increasingly recognized and engaged. Western society, as we look ahead, presents professionals involved in managing risk an even larger potential challenge than simply perfecting ERM. Refinement and maturation of ERM – properly attained -- may provide opportunity to graduate to a much higher level of strategic consequence: survival of life as we know it.

About the author

Vernon L. Grose is the founder and president of Omega Systems Group Incorporated, a risk management consulting firm. Business Week has called Grose a “founding father” of the application of systems methodology to managing risk.

About Omega Systems Group Inc.

Based in Washington, D.C., Omega Systems Group Inc. is a risk management consulting firm that features TOTEM, an ingenious Web-based program that enables decision-makers to have at their fingertips all identified risks – whether legal, technological, environmental, security, safety, political, or human.

Contact info: Email [email protected] or 703-892-1905. Check out our website at www.omegainc.com. You can find our blog at www.omegainc.com/blog. You can also find us on LinkedIn, Facebook and Twitter.