June 14, 2012 Posted by Peter Moore
In an article recently published by James Field (managing director of CompliSpace) in “Corporate Risk & Insurance” magazine, ten reasons were tabled as to why Enterprise Risk Management (ERM), or “whole of business” risk management often fails. The article presents the findings from a report prepared by PwC whereby 74% of executives that responded to the survey indicated that their organisations had formal enterprise risk management processes and systems in place but only 45% indicated they were comfortable with how well their critical risks are being managed.
Why is this so, and does this mean that enterprise risk management does not work? We do not agree with the notion that enterprise risk management cannot work and present our views on this topic around the ten headings presented by James Field.
Without effective leadership, buy-in from the top and the right organisational culture, it is very difficult to make enterprise risk management work. Being able to express views and opinions around the table without retribution from colleagues or the CEO is critical in making ERM work. Additionally, a board and CEO that are committed to business risk management will provide the leadership and culture required to obtain the benefits and value of enterprise risk management.
Trying to use MS Excel or MS Word to manage risk information is fraught with danger. These tools were not designed for this purpose and specialised Governance, Risk and Compliance (GRC) software tools provide the right platform to manage risk information and integrate risk management into the business. However, choosing the right application is critical and aligning it with organisational processes is a must if success is to be achieved. Don’t let the software drive the business, customise the software to suit your business.
Many companies view risk as “compliance”. For public companies the reporting requirements and compliance issues are significant, however this is the legacy of doing business in the public domain. Directors that view risk management as compliance fail to see the value that true, enterprise risk management can bring to the business. The other key aspect is that many Directors believe that if a few people identify some risks, put them into a risk register and look at them once a year, then this is risk management – “tick the box” and go back to business. Not so!
Establishing a common risk language is critical to achieving success in enterprise risk management. The finance department uses different language to the IT department, as does the OH&S department to the HR department. Further, managers often have a different interpretation of what a risk is. The OH&S people often see risk as personal injury, whereas for the finance people risk is about losing money. The other key factor is in naming risks and describing what can go wrong. Using a structured approach such as “Cause – Effect” and “Root Cause Analysis” helps develop a common risk language.
Failure to demonstrate the value of risk management is a key reason for the failure of enterprise risk management. Whether the risk professional is an in-house employee or an external consultant, it is critical to demonstrate to the CEO and senior executive team the value of risk management. Identifying 20-30 key strategic and operational risks in a workshop forum does not take a great deal of time, and if done properly the real “gem” of risk management can be found. What may impact the achievement of our objectives?
If you think risk management can be done through financial modelling and mathematics, think again. Look what happened in the USA with hedge funds and the GFC. Where was Monte Carlo modelling and quantitative risk management during the financial crisis? Enterprise risk management is a qualitative and, at best, semi-quantitative activity that involves people management, alignment with organisational values and objectives, and sound decision making. Don’t try to overcomplicate it!
GRC software vendors are good at selling software for managing risk information and processes. However they often have little understanding of the client’s business, maturity of decision making, business processes and capabilities. Risk practitioners are (or should be) good at establishing risk management frameworks and facilitating risk workshops. There is often a disconnect between the interests of the risk professional and the product vendor. Make sure your risk professional has a strong understanding of GRC software before you make this purchasing decision!
The new (or not so new) risk management standard, ISO 31000, provides guidance on how to establish, manage and integrate risk management into the business. It starts with the requirement to have a clear mandate at the board and executive level to make risk management part of the business. This is an improvement on the old process-based risk management standard, AS/NZS 4360. Furthermore, organisations often have multiple risk-based programmes underway which do not talk to each other. They can involve health and safety programmes, business continuity planning, crisis management planning, emergency response, media management etc. For enterprise risk management to succeed, this silo-based approach needs to be challenged and these activities integrated.
So often risk management programmes are not linked to organisational objectives. Enterprise risk management will not add value unless there is a clear linkage between organisational and strategic objectives (what the business is trying to achieve) and risks which are impediments to success, or “the effect of uncertainty on objectives”.
Expressing risks appropriately is critical to success. Describing risks which define current business conditions is stating fact (i.e., tight labour market, high Australian dollar etc). Risk assessment is not fact assessment. If a current business condition may cause an unwanted event, then this could be a risk (refer to item 4, common risk language). The definition of risk can be used as guidance in expressing risks that deal with uncertainty, and not fact. The other issue is granularity. Having hundreds of low-level risks and many permutations of risk around impact or consequence often clouds the picture and reduces the value of risk assessments. Conversely, only addressing a few high-level risks may not present the full picture of the material things that may go wrong in the business.
In summary, enterprise risk management can work. With the right approach, a sound understanding of your business, its objectives and your capabilities, and equipped with the risk management standard, real value can be achieved and business performance optimised.