Podcast launch! Is Enterprise Risk Management (ERM) dead? There is a striking disconnect between the unprecedented need for ERM to be “instilled into the corporate DNA” (former President Lloyd’s of London) and lacklustre risk manager survey results. Let’s explore why ERM is broken, and how to fix it.
Welcome to the Risk Commentary podcast – Episode One! Who is this podcast for?
Those seeking core concepts and ideas; those managing a struggling implementation; those wondering whether there is a the value proposition of ERM for the organization.
I want to examine first what is wrong with ERM, and then continue with how to do it right.
This is a serial podcast, presenting material, as best as I can manage, in a logical order.
”We are in an unprecedented and evolving landscape unlike anything that we have ever seen historically.” This from the former President of Lloyd’s of London for North America… and yet only 35% of those surveyed have a full Enterprise Risk Management practice.
Book: Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (E.R. 2016)
Linked In bio for LoriAnn Lowery-Biggers
Interview of LoriAnn Lowery-Biggers and colleague Sean Murphy by John Czuba of Legal Talk Network.
(American Institute of Certified Public Accountants) and North Carolina State University. April 2021.
Authors Mark Beasley, Bruce C. Branson and Bonnie V. Hancock.
TRANSCRIPT (edited for clarity)
Is Enterprise Risk Management Dead?
[00:40] Welcome to our launch! This is the first one of the whole series and I want to start with a few comment on what the motivation for this podcast has been, and who it’s intended to address.
There are people in risk management who are just sort of shopping around for core concepts, trying to “get their feet wet”, because they’re charged with leading their risk management initiative. Or they might want to propose it, but they’re not quite sure where to begin. There are others I’ve seen in recent years in workshops who have an existing practice, but somehow getting bogged down and they need some pointers on how to fix it. They’re not even sure in some cases on how to demonstrate value.
With still others, the doubt is even worse. People in the C-suite or on the board are wondering whether anyone really has solved this whole notion of enterprise risk management and proven its value. There seems to be too much noise in the whole space. And in that situation there’s no point in investing in a process that doesn’t have clear methods and a value proposition.
So if any of those descriptions matches your situation you’ve come to the right place. I want to examine what is wrong with ERM, and then continue with how to do it right. So this serial podcast presents material, as best I can manage, in sort of a logical order, starting with a tear down and exploding myths (which I think is necessary), to presenting foundational concepts, and then eventually to full implementation.
[02:22] So here’s my mission statement for the whole series (and I’m quoting from myself — I wrote this a while back):
“To help you develop an enterprise risk management program that is conceptually sound, practical and of demonstrable worth.
“I describe a low risk incremental process that imposes a minimum footprint and delivers on a clear value proposition.
[02:52] So if you’re wondering about my credentials, my background and so on, I encourage you to visit RiskCommentary.com — check my bio. I’m former senior manager of enterprise risk management in the provincial government; author, speaker, and educator for these last ten or fifteen years, with successful examples of ERM implementation and dozens if not hundreds of successful examples of risk assessment on strategic and operational topics both in public and private sector.
[03:24] I thought I should address something that’s sort of obvious, in our face these days, and that is the covid phenomenon. Listeners could be wondering whether that prompted the motivation for this podcast. The answer is No. The material that I’m going to be presenting is not driven by current events; rather it consists of perennial principles.
My answer, if you need one, in brief, to the whole covid phenomenon is first, obviously, to be aware of the Business Continuity and Emergency Planning (BCEP) discipline It has its own practice, its own certification, experts and so on. I did state (again quoting for myself back in 2016): “It can be argued that business continuity and emergency planning is the cornerstone of ERM plan. If disaster risk is not covered it’s a serious deficiency.
Perhaps in future episodes, especially if you’re interested, and you want to make a comment in this regard, I can address BECP in depth and try to get one of the experts that I know in the province on on board with an interview.
Now the second part of my answer to the covid phenomenon is: let’s say you discover that (since) it’s already happened now, we need to turn our attention to recovery — so you might be interested in innovation methods. If that’s the case, I can recommend my free introductory course on innovation: just go to my website and you’ll see link to it.
[04:50] With that out of the way. I want to move now to our main points and consider this question: Is ERM Dead? The thing that really motivates that question is this extraordinary contradiction that I see between, first of all, the unprecedented need for enterprise risk management (and that was expressed by a prominent person in the field) contrasted with the lacklustre ERM survey results. So let’s go over this in more detail now.
[05:19] The need for effective risk management was expressed by LoriAnn Lowery-Biggers in a post, actually an interview, that was done back in October of 2019 — still perfectly relevant and timely. LoriAnn is former president of Lloyd’s of London for North America, as well as a long list of other credentials. I’m going to put a of course a link in the show notes to this interview — but it’s extraordinary. Let me just read a bit. She articulates so well and so powerfully the need for risk management. She says:
“We are in an unprecedented and evolving landscape unlike anything that we’ve ever seen historically.”
Okay — this is coming from the (former) Lloyd’s of London president! She continues:
“So a few key trends that are driving this increased focus, particularly from the board and the C-suite levels are rapid speed of business model interruption and disruption, industry changes, corporate tax reforms, political uncertainty, increasing workplace violence, reputational and headline risks, cyber threats unlike we’ve ever seen, crisis management needs, new litigation, regulatory risks and scrutiny, innovation and technology disruptions.”
I’ll stop there, but she goes on and pretty soon she comes to the conclusion that she had better stop enumerating things, because there is just too much to deal with in the short space of a podcast. Later on in her comments she says that the solution to all this is: “to instil it [that is, ERM] into the corporate DNA.”
[06:53] Okay so now let’s contrast that authoritative view of the need for enterprise risk management with survey results. Recent results, from just last month: we’re considering the April 2021 edition of the study entitled of The State of Risk Oversight: An Overview of Enterprise Risk Management Practices and this is published by AICPA (American Institute of Certified Public Accountants). I’ll choose a few stats from this study to illustrate my point.
While progress has been made in certain areas, undoubtedly, over the years in enterprise risk management, many of the discouraging results are sort of part of a multi-year trend of stagnation. So for example, let’s start with with this one:
“83% respondents noted that the volume and complexities of risks have drastically increased over the past 5 years…”
Okay so the survey respondents are actually confirming what LoriAnn had already outlined a couple of years earlier but then it goes on:
– only 35% the percentage of respondents reported having a full Enterprise Risk Management practice in place.
Okay now that number drifted around twenty five to thirty five percent in the past eight years, so not a dramatic change. Next:
– only 25% reported that this practice was ‘mature’;
– only 35% reported that risk is addressed when discussing the organization’s strategic plan;
That to me is just a mind blower — that’s just unconscionable. There’s a huge confusion around “strategic risk management” and I will get into that. But let me now continue with these stats:
-“about half of organizations surveyed formally define the term ‘risk’ ”;
Only about half formally define the term risk. In other words, 50% of the respondents are dealing with a notion of risk that’s not even defined — and that leads to a huge confusion of methodology, which I will get into.
– “heavy emphasis on risks related to technology, legal/compliance, and financial issues”… less focus on “emerging strategic/market/industry risks”;
– “Organizations continue to struggle to integrate their risk management and strategic planning efforts”;
That’s another quote on on the same point that I made above.
So the questions then becomes: Why is progress impeded? Now the respondents themselves say, well, “Risks are monitored in other ways besides ERM.”
Really? So there seems to be some other way to tackle risk, and yet it’s being confused with the risk management process. There’s something to be sorted out there.
Others say “There’s too many pressing needs.” So despite this unprecedented level of risk there’s too many pressing needs to actually go ahead and manage them (i.e., the risks).
Then other people say “There’s no requests to change our approach.” People are at sort of a loss to say what what else they could do with regard to the risk assessment process. Still others “do not see the benefits of enterprise risk management exceeding the costs” which is sort of a demonstrably false notion — assuming there are methods out there that are effective.
Alright so that’s enough of a sampling from that survey. Of course I’m going to include a link in the show notes.
[10:21] My conclusion, then, is simply to ask the following questions: Why is ERM so incredibly convoluted and seemingly complex? Why is there not better take-up? and Why is there such a strange juxtaposition between the obvious need (for ERM) and the stagnation of methods and results? Those are really the questions that I’ll be answering in detail throughout the whole series.
[10:39] But to start with, to answer this, I’m going to propose a sort of a thesis and I think this is relatively obvious; many people have come to the same conclusion. ERM is a young discipline and it has developed over the past several years, let’s say since the late 1990’s. Quite naturally there’s been an attempt by all major institutions, associations and firms in the field, in the industry, to capture the market and position themselves as the authority.
Now the inevitable result of that was a sort of a proliferation of advice. And here we see all kinds of foundational and conceptual confusion with regard to definitions, methods and practices. Now it has to be said, this was often done by people who had never actually implemented ERM. So what about me? Well, I don’t pretend to answer all of the contradictions in the field or to comprehend or judge the entire industry — that would be a herculean task. And undoubtedly there are outstanding examples of good practice. And yet I dare say that these outstanding examples — wherever they are — are rarely codified and universally promulgated, or accepted as standards.
So the reader or the listener will obviously object that I’m simply adding my own voice to the cacophony. But I do stand on my track record and I can claim that I can deliver on my mission statement, which I’ll repeat here: to help you develop an enterprise risk management program that is conceptually sound; it follows logically from definition to practice. It’s practical; it’s not overly burdensome with respect to resources, and it is of demonstrable worth. So we can prove the value. What I’m talking about is a method that is internally consistent and applicable in public and private organizations of all sizes. Here’s the thing: it’s tested. It has been tested over the years, finely honed by me with clients in all kinds of administrative settings, and it’s judged to be of value by the practitioners themselves and by third party auditors. It has actually stood the test of time.
[12:55] So in conclusion, it’s the mission of this podcast to enable risk champions to succeed. But in order to do so I really must begin with tear-down of sorts, in the form of exploding what I find to be prevalent myths. Only that way can we sort of “level set”, clear the decks and set the foundation for a concept of enterprise risk management that is practical and feasible.
Now the fact is I’ve got quite a lot of material with respect to misconceptions in enterprise risk management. (Let me) give you a few examples. People might think that the international standards (ISO 31000, COSO and so on) give really good ERM implementation guidance that is authoritative — and yet that’s not really the case. Another example would be the various pre- existing risk management disciplines and practices in different fields, like health and safety, IT security risk, even environmental assessment, and so on. (The myth is the idea that) “these will all be replaced by our ERM and that’s how they should be handled”. No, that’s not really the case. Here’s another one: Managers, directors, analysts and CEO’s — these people, generally speaking, know how to implement new programs. Well, the evidence says otherwise.
So I’m going to be addressing these various misconceptions and myths, and also talk about the obverse — in other words, the positive conceptions that we can take away… and lay the groundwork for a new concept of enterprise risk management.
[14:19] So if my message so far resonates with you then encourage you to subscribe to the podcast. You can do so either on the podcast player app that you’re using or actually visit RiskCommentary.com and subscribe there. And that way you’ll receive show notes, full show and interview transcripts, and I’ve got a giveaway that I’m offering as an enticement to get on my list and that is the Risk Management Tools & Templates. This sign up has a no-spam policy.