Enterprise Risk Management
Still swimming upstream?
Expert identifies five flaws preventing ERM from achieving its potential
By Michael J. Moody, MBA, ARM
Enterprise risk management has become part of the corporate lexicon in a very short period of time. For example, 10 years ago, there were probably less than a dozen risk professionals that knew what ERM was or how it fit into a corporate risk management program. Fewer still truly fully grasped what the future of ERM would look like.
By any measure, ERM has made giant strides over the past 10 years. It has evolved from the concept that was going to require a major change in corporate culture by taking a 360° degree view of an organization, taking a broader view of risk management. Obviously, any discipline that makes these kinds of strides is bound to encounter roadblocks to being fully integrated. While I typically prefer to remain forward-looking regarding the progress of ERM, periodically it can be beneficial to dissect the current state of ERM. This includes any perceived weaknesses that have accompanied its meteoric growth. So a retrospective on its rapid growth may be in order.
Shortcomings remain
To be honest, ERM is not without its detractors. It is moving too fast … it is moving too slow … it doesn't consider management involvement … and the list goes on. Criticism of ERM still abounds, but criticism for criticism's sake is of little value. Valid shortcomings should be reviewed and corrected to the extent possible.
Today there is no shortage of articles, white papers, studies and surveys that highlight problematic issues associated with ERM. However, one of the most informative is a paper, Five Weaknesses of Enterprise Risk Management by Vern Grose, chairman of Omega Systems Group, Inc. Grose, whom Business Week refers to as "the founding father of the system-based approach to managing risk," indicates five specific shortcomings of ERM—all of which will need to be addressed if ERM is to fulfill its promise. He points out that global orientation and business complexity have contributed significantly to the need for and growth of ERM. Yet, ERM failed to anticipate the original global financial crisis. This alone, Grose notes, has called into question the long-range capabilities of ERM.
He notes that while there are certain strengths that ERM has brought to the table, the five weaknesses occasionally have overshadowed its strengths. Grose's list of weaknesses includes:
1. "ERM lacks the framework it touts." His observation is that the evolution of ERM has been "haphazard, almost random in nature." The goal was noble, placing all risk activities under a single corporate effort. However, as so often occurs, several approaches were advanced. To this end, ERM continues to lack a universal framework with which the business world can agree, and this has become a serious impediment to ERM implementation. Grose believes a more systematic approach is required in order to clarify any ambiguity pertaining to risk management.
2. "ERM is reactive instead of proactive." Without question, recent events have confirmed the need for a progressive, proactive risk management approach. Grose notes the importance of protecting and creating value for its stakeholders, including owners, employees, customers, regulators and society overall. However, he also notes that risks of all types have yet to be revealed or experienced, along with the consequences that come with them. As a result, "This forces ERM to be much more reactive instead of proactive, waiting for losses to occur before implementing countermeasures against them," he says. "Reactionary management is always inefficient and impulsive and typically more expensive and less effective." His suggestion is to develop a proactive risk identification program that systematically imagines those risks that have yet to be experienced but whose impact has been recognized and estimated.
3. "ERM discards the wisdom of insiders." Unfortunately, over the years many insurers, brokers and risk consultants have convinced corporations that they know the best way to manage risk. As a result, corporations have tended to fall victim to engaging experts from outside the organization, many frequently telling them what they already know. Grose points out that in many situations, "The most critical wisdom that is required to manage and control risk is found within the organization itself." He notes that traditionally risk management has depended far too much on insurers to handle the risk and notes that this frequently is the least cost-effective approach to the problem. He says that in large part, "this is due to many risk management professionals having come from the insurance/broker side of the business. They incur undue influence that cannot be denied." However, now that ERM has moved past risk financing into a true enterprise-wide approach, the result will be much more activity within the control side of risk.
4. "ERM doesn't calculate mitigation cost." Grose notes that every identified risk attracts management's attention in one of two ways. The first way is to define risk in terms of severity and likelihood that generally is considered to be consequential. But, today there is a third dimension—mitigation cost—which is assigned to risk and must be recognized by decision-makers so they can properly address it. "It can no longer be ignored." Grose points out that "without a mitigation price tag, management will ignore results."
5. "ERM fails to rank risk." The final weakness that Grose notes is well known to all top executives. That shortcoming is the fact that at this point, there is no universal approach to identifying risk that must be controlled or mitigated versus those risks that are acceptable without counter-measures. Today there are never enough resources for any organization to mitigate every identified risk. Thus, allocation of resources to effectively manage them is a key consideration for any risk manager. This allocation of limited resources provides a major dilemma for executive management. Here again, "The lack of universal framework is complicating an otherwise difficult situation," he points out. "Risks are changing at an ever-increasing rate and corporate America must continue to stay ahead of the trend." The only way to do this is to develop a proactive risk identification protocol that is a core component to any ERM program.
Grose has provided a good overview of the several major shortcomings within the ERM program. These shortcomings must be dealt with in an orderly fashion in order to maintain and strengthen ERM.
The author
Michael J. Moody, MBA, ARM, retired as the managing director of Strategic Risk Financing, Inc. (SuRF), a firm that had been established to advance the practice of enterprise risk management. As a regular columnist, he continues to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.