Enterprise Risk Management Critique

2010-12-21 / How to Implement ERM / 1 Comments

It is useful for risk managers to recognize a divide in the literature. Some tacitly accept ERM pretty much as the standards and guidelines describe it; others take ERM as a social construct – something that does not really exist as it presents itself. This is an important distinction because there is no way to understand and evaluate ERM without taking a critical view.

Enterprise Risk Management is conceptualized in a critical way by Michael Power in his book Organized Uncertainty: Designing a World of Risk Management (Toronto: Oxford University Press, 2007). Standard functions for audit at one time were to check compliance and probity. Power argues that, now, internal control has been reconstituted as risk management. A central thesis in this book is that the idea of risk has taken over as an organizing principle.

We are all familiar with “change fatigue” – and the fact that Enterprise Risk Management has been viewed as just another “flavour of the month”. Many implementations have gotten stuck, complaints of red tape are common, and many are still reporting poor ability to identify and assess risk. The puzzle, as Michael Power points out, is “the continuing co-existence of local critique and world-level conformity” (p.197).

ERM has evidently persisted, even through “the failure of ERM” to predict the economic crisis. Is it because practitioners find that ERM works to create and preserve value? Or, is it because the values that ERM represents are necessary as a sort of exercise in legitimacy? Compliance and risk governance, from Power’s perspective, make up a “moral economy” (p.192).

Power calls into question another mainstay of ERM: “Reputation has come to be a modality of organizational governance but is not itself uniquely governed by any specific interest group or expertise” (p.185). I’m not sure about the last part of that sentence, because public relations and brand are what some people live for. But obsession with reputation risk – as a program objective – occurs, whether in the private sector, or in government where civil servants should be managing their programs and not politicians’ PR. Power points out that this focus on reputation has now transformed it into a “first order” risk, rather than a downstream consequence.

Many people in government have asked me: what about opportunity? Opportunity is indeed part of the rhetoric, but you will scarcely find it supported with methodology in guidelines and standards. Power’s assessment: “ERM, which celebrates the entrepreneurial spirit of risk taking, may paradoxically lead to an exacerbation of control” (p.199).

I have seen enterprise risk management implemented without an excess of red tape; I have seen it fulfill, at least in part, its mandate. Practitioners, in taking a critical view, might assess whether or not their ERM programs are taking on characteristics they had not intended.

[Revised 12 Sep 2011]


New Ideas for Enterprise Risk Management Research

2010-11-11 / Management Innovation / 2 Comments

I am going to launch into some new enterprise risk management research, especially to see its interaction with managing innovation. I will be working with my Danish colleague, Ulrik Christiansen. We haven’t completed a literature review, but we can see that much of the study of enterprise risk management is influenced by the trade literature, almost taking ERM for granted as a phenomenon unto itself, while, in practice, the implementation of what is called ERM is diverse. Similarly, risk is supposed to be managed together with opportunity, which is mentioned in the standards. In practice, though, do risk professionals actually recognize and manage opportunity systematically?

Another line of inquiry is to get away from the rational model, and consider the behavioural, motivational and psychological influences in risk and opportunity decision-making. Personal backgrounds, formation and education can also be determinants of opportunity-seeking behaviour and risk aversion. So we have a series of constructs to explore and define, somewhat along these lines:

1. the level of study

a. risk managers
b. Chief Risk Officers
c. R&D managers

2. the personal attributes sought

In addition to dispositional traits, discoverable through questionnaires, we can also investigate education and training, both formal and informal.

3. the situational construct

We have to define this closely; we need comparable situations or organizational contexts:

a. reviewing investment opportunities
b. reviewing project opportunities
c. reviewing stages of product/service development in a formal R&D environment
d. reviewing business model change opportunities

4. the effects sought

To study respondents’ assessment or conceptualization of opportunities, as well as action taken, we can use a scenarios approach, as well as open-ended questions and structured interviews.

This construct framing is something that we will refine as we go ahead with literature reviews.
