What are common misconceptions that can block success in your Enterprise Risk Management program? Your host Edward Robertson has a list of ERM myths, observed over several years’ experience as practitioner and educator. We continue our discussion with explanations and examples. For each point, we will give you the practical take-away to apply in your risk management program.
In Episodes 1 and 2, we asked: Why is ERM so incredibly convoluted and seemingly complex? and began to answer this question by explaining that there has been a proliferation of advice, leading to a confusion of foundational definitions, and core methods and practices. We did some myth-busting, an examination of misconceptions: and in this episode, we look at the remaining myths in the list of issues I identified. In each case, I’ll be giving you the lesson or point to take away for application in your own risk management regime.
Myth #8: Managers, directors, analysts, CEOs, etc. know how to implement new programs.
Myth #9: Enterprise Risk Management can best be implemented by using a software application.
Myth #10: Defining “risk tolerance ” is essential to an ERM program.
Myth #11: Monitoring compliance constitutes effective ERM.
Myth #12: Linking corporate strategy to ERM is difficult and complex.
Myth #13: ERM takes 3-5 years to implement.
Myth #14: Good ERM predicts the future; it is effective forecasting.
Establish and understand your own business process and investigate thoroughly the success factors in IT implementation before contemplating a large commitment of resources to tech “solutions”. Above all, do not fall prey to the myth that the technology, in and of istelf, will inspire acceptance and take-up of the new management program.
Program implementation failure:
A synopsis of various studies.
Linked In posts. Scroll down to audio post: innovation: successful tech implementation part one:
Technology implementation failure
The question is: How are these applications faring? The answer is, not very well.
RIMS document, pdf download:
Exploring Risk Appetite and Risk Tolerance
“Steering clear of compliance pitfalls” © Key Media Pty Ltd.
Unattributed, 31 May 2010. Corporate Risk and Insurance. Excerpt:
“The most common pitfall in compliance programs is an overreliance on policies, procedures and systems, according to Ulysses Chioatto, director of SSAMM Management Consulting.
A cursory glance over all the convictions and enforceable undertakings by ASIC in the past five years highlights this overreliance on policies, procedures and systems by financial services providers in their compliance programs, said Chioatto, with “little to no work on people – or to put it another way, the company’s culture.
‘Both internal and external auditors as well as compliance and risk officers pore over documents, flowcharts, plans and reports from computer risk and compliance applications, yet breach registers are overflowing, or worse still, completely empty.’ “
[edited for clarity]
This is Episode 3: Enterprise Risk Management: Busting Myths – part 2/2. Well, in Episodes 1 and 2 we ask why ERM is so incredibly convoluted and seemingly complex. We started to answer that question by explaining that there’s been a proliferation of advice, leading to I think arguably a confusion of foundational definitions and core methods and practices. And then we started looking at a “myth busting”, that is, an examination of (what I take to be) misconceptions in the field, based on observation and experience. In this Episode, I want to continue that discussion.
Let’s look at the remaining myths in the list of issues that I’ve identified. In each case what I’ll do is give you the lesson or the point to take away for application in your own risk management regime.
[01:40] Myth #8: Managers, directors, analysts, CEO’s and so on all know how to implement new programs. This is very similar to the myth that I discussed last time (#7) where managers can be expected in all fields to implement risk assessment when they are non-experts — and of course that is indeed a myth. In a similar way, I think we tend to take for granted that managers and others, once they decide to implement a new program, will be successful, and that the only determinant of success is the quality of the program itself. Really, what the literature shows is that’s not the case at all.
The rates of program failure and program under-delivery are extraordinarily high, and this is across all managerial settings and administrative contexts. So I’ll try to put a few articles in the show notes that substantiate what I’m claiming here. Perhaps you’ve already seen this in your working life where programs tend to fail, for a variety of reasons. So, of course, enterprise risk management is going to be subject to the very same difficulties that any administrative program will suffer from.
There’s a fairly long list of reasons for program failure and corresponding success factors and in my work I’ve tried to distill a pretty broad literature in this regard down to, let’s say, a list of the top ten or something like that. But I’m sure you’ve seen this: the top level will not be persistent and be faithful to one management program and see it through to success. In other words, management tends to be rather fickle in their in their priorities. That’s one common reason for program failure.
Another one is lack of clear goals and objectives. Another one is lack of buy-in — lack of take-up — by staff. That’s pretty much a classic one. Another one is actually lack of support from the senior levels, from senior executive. So in each of these factors, the question becomes: Well, then, how do we actually secure persistence? How do we secure staff buy-in and support? It has largely to do with proving the value of a process. Or I should say letting the people — the intended recipients of this new program — prove the value to themselves. That’s really the only way that they’re going to be convinced.
I think this is a common point of failure for many enterprise risk management programs, especially when the initiative has been imposed on the staff. Then the pushback will be considerable. People will avoid the new program; they’ll go around it; they’ll even sabotage it. These questions of the success factors in program implementation really need serious consideration, and that is my take-away for this point. We can’t expect that Enterprise Risk Management will be successful if it doesn’t meet a whole series of conditions that really all (successful) management initiatives have in common.
[04:42] Myth #9: Enterprise risk management can best be implemented by using a software application. Well this is just another example of the strange myth we have (generally) in management culture; namely, that technology in and of itself will save the day; that it will rescue the business or that it will make a new program successful.
Just in the same way as programs in general have a high rate of failure or under-delivery, this is especially true in IT (information technology). And you know the data here backs me up it. The strange thing is that all the difficulties in IT implementation that were experienced in the early years, let’s say even in the late 1990s or early 2000s, are reappearing — they are resurfacing. And a new generation of users, developers, programmers and so on are having difficulty and they don’t realize that all of these problems have really been already identified and solved! But this information is not making its way into management programs.
If you’re interested in going a little bit deeper into this, I did a three part series, audio posts, on my Linked In account, and I’ll put a link in the show notes. So our take-away for this point is more than just a suggestion. It’s actually huge warning: Do not commit to a huge spent on technology. Do not commit yourself to some sort of enterprise application that you think will make the enterprise risk management initiative successful before you have met certain conditions; namely, proving the value of risk assessment and enterprise risk management generally in a low-tech, paper-based way that everyone signs onto.
[06:39] Myth #10: Defining risk tolerance is essential to the ERM program. This is an example of a term that has been imposed upon managers who are not necessarily dealing with finance or investment as their core business. While in financial investment we might be able to quantify or describe clearly our level of risk tolerance or risk appetite, it isn’t necessarily appropriate to cast things in those terms for, let’s say, a social services agency. So our takea-way for this point is that it isn’t necessary to take absolutely literally and to act on all of the terms, the vocabulary items, that are imposed by the risk management discourse on our particular business. We can pick and choose. So for example an organization might do well to express in positive terms its goals, its aspirations, its values, and then of course try to execute on that mission, within the constraints of the resources that it has available to it. And then, when assessing risk, it can use the idea of risk tolerance as one of the criteria to evaluate identified risk. In other words the risks that affect more closely our core business, we’re going to have a low tolerance for and try to mitigate. Whereas other identified risks will be more peripheral to our mission, and so less critical.
Therefore risk tolerance is not necessarily exactly quantified. It (can be) simply a relative notion. So if you want to pursue in more detail this issue of risk tolerance and risk appetite, those two terms were the subject of a paper by RIMS (Risk & Insurance Management Society) where they explained and described the evolution and application of those terms. And it might be useful for you. So I’ll put a link in the show notes to that paper.
[08:37] Myth #11: Monitoring compliance constitutes effective ERM. Some organizations might construe their enterprise risk management program as essentially a compliance program, and that may be appropriate, depending on the organizational setting and the industry, and so on. There could be an imperative for adherence to statutory law or a professional code or something like that. Other examples would be a scientific operation or technical operation, where you have adherence to certain procedures or specifications.
The classic problem with the compliance approach to risk management is that it runs the risk of just being too superficial, where you take too much for granted, and of course they call that the check-the -box approach. I remember back in government I used to compare notes with my supervisor in the lunch room and we would sort of lament the fact that this department or that agency was taking a superficial approach to risk management, in the sense that they were just going through a list and checking boxes, but without really investigating what was happening behind the scenes. And that precisely is the risk.
Let me quote to you from an article that a client actually sent me a few years back. I’m not sure if that article is still available. I will put a citation in the show notes. It’s called “Steering Clear of Compliance Pitfalls”. Here’s an excerpt:
A cursory glance over all the convictions and enforceable undertakings by ASIC in the past five years highlights this over-reliance on policies, procedures, and systems by financial services providers in their compliance programs, with little to no work on people — or to put it another way, no work on the company’s culture.
Both internal and external as well as compliance and risk officers pore over documents, flowcharts, plans and reports from computer risk and compliance applications — yet breach registers are overflowing, or worse still, completely empty.
That’s the end of the quote, and you can see the difference there with real compliance, as opposed to superficial or apparent compliance.
So what is our take-away on this point? It is that a compliance regime may be the appropriate thing for the organization, but we can’t construe compliance in sort of a superficial or check-the-box manner. We have to be investigating: what the risks, what are the uncertainties that the apparent compliance is not reflecting reality?
Although I said that a compliance regime may be appropriate for the organization, it has to be said also that if they’re not looking at the strategic risk, in view of the trends in the environment and the industry, and so on, then of course the organization will be running risk on a broad strategic scale (as opposed to mere compliance on an operational level).
The next myth that we want to explore is:
[11:23] Myth #12: Linking corporate strategy to ERM is difficult and complex. Although I characterized this as a myth, I can see how someone would think this way, if they were going by the survey results that we discussed in Episode 1. It seems that many are not able to make the connection between the risk practice and the company’s strategy. Actually the survey results reflected that either they can’t make the connection, or they don’t even bother to try.
So I certainly characterize this as a myth. It’s neither difficult nor complex. It stems straight from the definition of risk itself, which is the effect of uncertainty upon goals. That necessarily presumes that you’ve got goals — in other words, that you have some sort of a planning regime in place. The other requirement, of course, is that you have some sort of risk ID and assessment process. Now from my point of view, there is no such thing as “strategic risk assessment” as some sort of specialized or unique operation. It’s simply the risk assessment process applied to a specific context, which, in this case, is your strategic plan.
Now the risk identification and assessment process that I recommend I call High Quality Risk Assessment. “High quality” in the sense that it’s rigorous, structured and very closely specified. It’s not an informal or ad hoc discussion of risk. But the pertinent point for now is that this High Quality Risk Assessment is scalable. You can apply it to a business unit plan, to a departmental plan, to a divisional plan, or to the company plan. You can apply to operational plans or to any sort of project plan. You can also apply it to strategy! So the takeaway for this point is really twofold:
1. As I’m insisting, that there is a risk assessment process that is simply applicable to whatever context you want to consider, including strategic planning, and the others point is that:
2. your success in identifying strategic risk and mitigating it will not be solely contingent upon risk assessment; it will be contingent upon the quality of your planning.
So the questions become: is your strategic plan well-founded? Is it substantiated through research, environmental scan, and investigation into industry trends and innovations? Secondly, is the plan well-formulated in terms of goals and objectives? I have a discussion of the strategic planning process in my book called Strategic Planning: Process, Templates and Effective Implementation and this was the very process that I put in place in a private company. Our efforts were rewarded with winning the Chamber of Commerce Business of the Year. So I recommend that you read that.
You know, it’s curious planning is rarely discussed in risk management circles. And yet I find there’s sort of an 80/20 rule whereby eighty percent of the work in risk management is actually spent in fixing the planning regime. And if that is done properly, then the risk assessment itself just goes like clockwork. Why? Because then people have absolute clarity on what their strategic identity is all about; where they’re situated in the market; what their strategic goals and objectives are. And (the goals) they’re properly formulated, so then you can actually conduct risk assessment in a logical way, and start to really determine the uncertainties that are inherent in the plan.
If you haven’t conducted environmental scan and (seen) what’s happening in the industry, what the innovations are; what the emerging risks are; and so on, it stands to reason that your plan is going to be poorly informed right from the start.
The next myth that we consider is:
[15:09] Myth #13: ERM takes three to five years to implement. This follows I think quite closely on the idea that enterprise risk management is really complex and convoluted and complicated . And it was also the industry wisdom at the time. This is what was told to me, back when I was working in government. But I disproved it. I was the lead consultant for the implementation of enterprise risk management in a post- secondary institution, and there was of course all the complexity of a college with the division between the academic side and the administrative side. And yet we had ERM (or college wide-implementation as they preferred to call it) up and running within eighteen months.
Now this was not short-lived. I checked back on this years later, and It stood the test of time, and was still well liked as a robust practice. Not only that, it got praise from the Auditor General. So I can definitely assert, based on experience, that an enterprise risk management program in a complex organization need not take three to five years. Successful implementation can be a matter of weeks or months, rather than years.
Well let’s consider one last myth in our long list:
[16:25] Myth#14: Good ERM predicts the future: it is effective forecasting. I think it’s a popular notion that risk management is a form of forecasting — to be able to predict, well, especially disaster risk, which is foremost in the minds of the public, in sort of an alarmist sense of risk.
But really it’s a myth. There’s a distinct difference between forecasting and risk management. Forecasting is the attempt to specify one definite future, with certain features or a certain measures. Whereas risk assessment is the investigation of uncertainty. It’s looking forward, in an expansive view to try to identify all of the various contingencies and uncertainties that are associated with a certain plan of action.
Now both forecasting and risk assessment to rely on information from the past. But again there’s a distinct difference. Forecasting is an attempt, in a statistical manner, to predict an exact future based on the method of probability. And that includes of course the actuarial model, where you do have statistical data to rely on. Whereas risk assessment, applied to strategic and operational plans, is the exercise of mapping the professional memories of participants in a round table against all the various potential uncertainties that are contingent upon the plan. Enterprise risk management then, properly speaking, does not try to predict the future. It identifies the uncertainties and then takes immediate action to mitigate them.
If you think about it, we simply don’t have the historical statistical data to bring to bear upon all of the various strategic and operational decisions that we have to make. So for that reason, we rely on the round table method.
Well, thank you for sticking with me through this discussion of the various myths and misconceptions of Enterprise Risk Management. I hope it was useful. You can leave feedback on my blog site Risk Commentary.com and also subscribe there, so that you can get on our list to receive our newsletter, which includes the show notes, transcripts, and links to the various articles that I mentioned — as well as Risk Management Tools and Templates, which I will be presenting in serial form. I look forward to speaking with you soon on the next Episode of Risk Commentary Podcast.