What are common misconceptions that can block success in your Enterprise Risk Management program? Your host Edward Robertson has a list of ERM myths, observed over several years’ experience as practitioner and educator. For each point, we will give you the practical take-away to apply in your risk management program.

Show Notes


In the first episode, we asked: Why is ERM so incredibly convoluted and seemingly complex? Why is there not better take-up? Why is there such a strange juxtaposition between the obvious need for ERM and the stagnation of methods and results?

We began to answer these questions by explaining that there has been a proliferation of advice, leading to a confusion of foundational definitions, and core methods and practices. We can understand this more profoundly with an examination of myths or misconceptions that, until you really look closely, are quite naturally bound to have. 

Main points

Myth #1: ERM is one thing. No, there is a proliferation of methods and definitions.

Take-away: The definition of ERM you select or invent must be suited to your business, shared as a common understanding among participants, and quite definite in its instructions for operationalizing it. Many definitions are too vague.

Myth #2: International standards (ISO 31000; COSO, etc.) give ERM implementation guidance. No, they are too general in nature. Don’t try to follow such standards as specific guides to implementation.

Take-away: International standards are best used as reference documents giving, for example, the outline of the stages of the risk process and a glossary of terms. But a company policy based on the international standard will require interpretation and adaptation to your business. 

Myth #3: ERM is unproven. No, there are undoubtedly examples of successful practice. But successful ERM occurs in specific instances that may not be comparable or commensurable, due to the confusion of definitions explained above.

Take-away: If the principle of managing uncertainty pro-actively is sound, then the team can proceed with implementation incrementally, taking care to prove value at each step. ERM in specific instances may well be proven, but you will likely have to build your own case studies.

Myth #4: ERM imposes an unacceptable administrative burden. It would seem so, but only if the risk identification and assessment process is ineffective. First of all, managing uncertainty and fixing problems at the front end is always preferable to cleaning up after a risk has been realized. Further, people don’t quite realize how much time is already lost in poorly managed meetings.

Take-away: After the initial work to build a risk register, the register enables very efficient meetings, while managing uncertainty in a structured manner.

Myth #5: ERM is the purview of audit & finance. This is commonly the case, but does it make sense for audit to identify risk, if they are responsible for the quality of the risk process itself? We want audit to maintain its impartiality. With regard to finance, often ERM is construed solely as financial risk. But we want financial risk to be analyzed not in isolation, but as part of the total picture of risk.

Take-away: ERM is the umbrella, the overarching risk function, under which risk in all domains is managed -- subject to the common lens of strategic aims and corporate goals.

Myth #6: All the various pre-existing risk disciplines and practices will be replaced by ERM. People in various risk management practices (e.g., health and safety; environmental assessment; IT security) sometimes believe that ERM will try to impose its own methods on them. On the contrary, they can continue with their own proven methods, but will still participate in ERM. How?

Take-away: Risk management sub-frameworks or sub-disciplines need not conform to a single method, but their criteria and final reporting must align with corporate strategic aims and corporate values.

Myth #7: Managers in all verticals can reasonably be asked to conduct risk assessment. On the contrary, most people in administrative settings are non-experts in conducting risk assessment -- and doing it in an ad hoc or intuitive manner gives bad results.

Take-away: Don’t let people waste time in lengthy informal discussions of risk. Rather, make sure they get practice and training in a rigorous and well-defined process: high quality risk assessment (which we will explain at length, later in this podcast series).

References

“over 80 risk management frameworks...”
Ahmad, Saudah et al. (2014). “Enterprise risk management (ERM) implementation: Some empirical evidence from large Australian companies.”

“30% of time spent in meetings was unproductive...”
Rogelberg, S. et al. “Wasted Time and Money in Meetings: Increasing Return on Investment.”