Regardless of our school of thought (e.g., COSO ERM, ISO 31000 or others), for those of us who follow the progress of enterprise risk management (ERM), there’s little to encourage us.
One recent study published by the ERM initiative at North Carolina State University, “Current State of Enterprise Risk Oversight,” is a case in point. Organizations continue to be caught off guard by unexpected risks.
While the number of companies professing to have complete ERM processes has increased since 2009 (from 9 to 24 percent), 40 percent of all organizations surveyed have no ERM process in place. And while many companies seem to have complete risk management processes in place, my experience suggests that sustaining ERM over time and across a complex organization is difficult.
What makes the low take-up, slow growth, and poor sustainability rates of ERM even more surprising are the results of our own internal research, which show that corporate leaders believe risk management is extremely important and growing more important. Our survey also showed that companies that do have some risk management processes are frustrated by their complexity and see opportunities to improve them – but for the most part, they don’t plan to do so.
So what’s wrong with risk management? Two things from my perspective.
There are few, if any, rigorous requirements (certainly outside financial institutions) for reporting on how risks are managed.
Companies may be required to report risk factors in public disclosures, but they aren’t required to report how well those risks are mitigated or what level of residual risk remains for each disclosed risk. One could conclude that companies aren’t investing in improving their risk management processes because they don’t have to. Nothing bad happens to them if they don’t, and nothing good happens if they do.
The fundamental infrastructure for robust risk management and reporting doesn’t exist.
See my somewhat opinionated summary in the diagram below.
Put simply, ERM isn’t progressing because a critical mass of coherent know-how, standards, and best practices doesn’t exist. One way to think about this is to consider the knowledge, standards, and infrastructure supporting financial management. The diagram below shows what the risk management profession lacks when compared to financial management.
It’s easy to think of this as a sort of chicken and egg situation. Which comes first, the requirement for better reporting of risk and risk oversight or the capability to do so? But in my view, it’s quite simple.
The single thing that has the biggest potential impact on the adoption and overall quality of ERM is a reporting requirement. What’s required isn’t simply public disclosure of risk factors, as is now the case, but disclosure, for each risk factor, of the mitigation effectiveness and the related residual risk status. If an oil company discloses the inherent risk of a well blowout, what is the company’s estimate of the mitigation associated with that risk, and what does it know about the remaining risk of well blowouts? Use color coding, qualitative scales, and quantitative information as necessary.
Best practices and standards will emerge, and skills and capabilities will follow. The tools to support robust sophisticated enterprise risk management already exist. What’s lacking is commitment.
This post focused on what’s missing or wrong with risk management. However, that’s not the only problem. Some of today’s practices are also questionable. I’ll challenge some of them in future posts over the next two months.
I’m interested in your views.