Enterprise Risk Management Critique


/ December 21st, 2010/ Posted in How to Implement ERM / 1 Comment »

risk matrixIt is useful for risk managers to recognize a divide in the literature. Some tacitly accept ERM pretty much as the standards and guidelines describe it; others take ERM a social construct – something that does not really exist as it presents itself. This is an important distinction because there is no way to understand and evaluate ERM without taking a critical view.

Enterprise Risk Management is conceptualized in a critical way by Michael Power in his book Organized Uncertainty: Designing a World of Risk Management (Toronto: Oxford University Press, 2007). Standard functions for audit at one time were to check compliance and probity. Power argues that, now, internal control has been reconstituted as risk management. A central thesis in this book is that the idea of risk has taken over as an organizing principle.

We are all familiar with “change fatigue” – and the fact that Enterprise Risk Management has been viewed as just another “flavour of the month”. Many implementations have gotten stuck, complaints of red tape are common, and many are still reporting poor ability to identify and assess risk. The puzzle, as Michael Power points out, is “the continuing co-existence of local critique and world-level conformity” (p.197).

ERM has evidently persisted, even through “the failure of ERM” to predict the economic crisis. Is it because practitioners find that ERM works to create and preserve value? Or, is it because the values that ERM represents are necessary as a sort of exercise in legitimacy? Compliance and risk governance, from Power’s perspective, make up a “moral economy” (p.192).

Power calls into question another mainstay of ERM: “Reputation has come to be a modality of organizational governance but is not itself uniquely governed by any specific interest group or expertise.”(p.185). I’m not sure about the last part of that sentence, because public relations and brand are what some people live for. But obsession with reputation risk – as a program objective – occurs, whether in the private sector, or in government where civil servants should be managing their programs and not politicians’ PR. Power points out that this focus on reputation has now transformed it into a “first order” risk, rather than a downstream consequence.

Many people in government have asked me: what about opportunity? Opportunity is indeed part of the rhetoric, but you will scarcely find it supported with methodology in guidelines and standards. Power’s assessment: “ERM, which celebrates the entrepreneurial spirit of risk taking, may paradoxically lead to an exacerbation of control” (p.199).

I have seen enterprise risk management implemented without an excess of red tape; I have seen it fulfill, at least in part, its mandate. Practitioners, in taking a critical view, might assess whether or not their ERM programs are taking on characteristics they had not intended.

[Revised 12 Sep 2011]

If you enjoyed this post, make sure you subscribe to my RSS feed!

Tags: ,

One Comment

  1. Davyd
    2014/04/17 at 19:20:31

    Your remark that ‘internal control has been reconstituted as risk management’ is very apt, it is as though one needs to use the term ‘risk management’ to be cool.
    In my exposure to ERM, I can only draw the conclusion that, unless it produces protective action (that is, we find a risk, then change systems to eliminate or reduce probability of the risk event or reduce its effects) then it is ceremonial; almost a ritual of the religion of the corporation. The input of ERM to corporate governance and practice should be the same as risk mgt in projects: find a risk and address it. So in a construction project foundation stability is always a risk, so we do ground tests and design for the conditions. In an enterprise fraud is a risk, so we design accounting systems that will expose any fraud and therefore either prevent or staunch it.

Leave a Reply

Name required

Mail (will not be published) required

Website