Podcast launch! Is Enterprise Risk Management (ERM) dead? There is a stunning disconnect between the unprecedented need for ERM to be “instilled into the corporate DNA” (former President Lloyd’s of London for N.A.) and lacklustre risk manager survey results. Let’s explore why ERM is broken, and how to fix it.

Show Notes


[00:40] Welcome to the Risk Commentary podcast - Episode One! Who is this podcast for?

There are people in the risk management space who are just shopping around for core concepts, because they are charged with leading the risk management initiative and are not sure where to begin. Others, and I have seen this more and more in recent years in workshops, have an existing practice, but somehow it is getting bogged down, and the risk managers are not sure how to demonstrate the value of the practice. Others, especially in the C-suite or on the board, are wondering whether anyone has really solved this whole notion of ERM and proven its value. There is too much noise, and so in that situation, there is no point in investing in a process that doesn’t have a clear method and value proposition.

If any of those descriptions matches your situation, you’ve come to the right place, because I want to examine first what is wrong with ERM, and then continue with how to do it right. This is a serial podcast, presenting material, as best as I can manage, in a logical order, from teardown and exploding myths, to foundational concepts, to full implementation.

[02:22] Mission: “To help you develop an Enterprise Risk Management program that is conceptually sound, practical, and of demonstrable worth. I describe a low risk, incremental process that imposes a minimal footprint and delivers on a clear value proposition.” ~ From Preface of my book.

[02:52] Credentials: Risk Management professional; former Senior Manager of Enterprise Risk Management in BC Provincial Government; author, speaker and educator. Please see bio on my website.

[03:24] COVID: Did COVID prompt the motivation for this podcast? No, the material in this podcast is not driven by current events; it consists of perennial principles. My answer in brief to the whole COVID phenomenon is twofold: 

1. to be aware of Business Continuity and Emergency Planning. “It can be argued that Business Continuity and Emergency Planning (BCEP) is the cornerstone of the ERM plan. If disaster risk is not covered, it is a serious deficiency.” (E.R. 2016)

2. to consider innovation methods (I can recommend my free introductory course on innovation).

Main Points

[04:50] Is ERM Dead? The motivation behind this question is the extraordinary contradiction between 1. the unprecedented need for Enterprise Risk Management and 2. the lacklustre ERM survey results.

[05:19] The need for effective risk management was expressed by a risk management professional, LoriAnn Lowery-Biggers, back in October of 2019, and you will see how prescient her comments were for us today:

“...we are in an unprecedented and evolving landscape unlike anything that we have ever seen historically

So a few key trends that are driving this increased focus, particularly from the board and the C-suite levels are rapid speed of business model interruption and disruption, industry changes, corporate tax reforms, political uncertainty, increasing workplace violence, reputational and headline risks, cyber threats unlike we’ve ever seen, crisis management needs, new litigation, regulatory risks and scrutiny, innovation and technology disruptions.”

Later in her comments she says that the solution is to “instill it [ERM] into the corporate DNA”.

[06:53] Survey results. Let’s consider those comments in juxtaposition to certain survey results. I’m referring to the April 2021 edition of the study entitled The State of Risk Oversight - An Overview of Enterprise Risk Management Practices (published by AICPA and North Carolina State University). I will choose a few stats from this study to illustrate my point. While progress has been made in certain areas, many of these discouraging results are part of a multi-year trend of stagnation. So for example: 

“83% respondents noted that the volume and complexities of risks have drastically increased over the past 5 years...”

Here we have confirmation for the need for risk management. But with regard to the levels of practice:

- only 35% of respondents reported having a full Enterprise Risk Management practice in place. It has been between 25 and 25% for the past 8 years;

- only 25% reported that this practice was ‘mature’;

- only 35% reported that risk is addressed when discussing the organization’s strategic plan;

- “about half of organizations surveyed formally define the term ‘risk’ ”;

- “heavy emphasis on risks related to technology, legal/compliance, and financial issues”... less focus on “emerging strategic/market/industry risks”;

- “Organizations continue to struggle to integrate their risk management and strategic planning efforts”;

Why is progress impeded? The respondents answer that “Risks are monitored in other ways besides ERM; Too many pressing needs; No requests to change our risk management approach; Do not see benefits exceeding costs.”

I conclude from these survey results that there are very pressing questions: Why is ERM so incredibly convoluted and seemingly complex? Why is there not better take-up? Why is there such a strange juxtaposition between the obvious need for ERM and the stagnation of methods and results?

[10:39] To answer this, I’m going to propose a thesis: it has to do with how ERM has developed over the years. Quite naturally, there has been an attempt by all major institutions, associations and firms in the industry to capture the market and position themselves as the authority, with an inevitable proliferation of advice. And here we see foundational and conceptual confusion, with regard to definitions, methods and practices -- it has to be said -- often by people who had never actually implemented ERM. And I don’t pretend to answer all contradictions in the field, or comprehend or judge the entire industry, because undoubtedly there are outstanding examples of good practice. And yet I daresay that these outstanding examples -- wherever they may be -- are rarely codified or universally understood, much less accepted as standards.

The reader/listener will object that I’m simply adding my own voice to the cacophony. But I do stand on my track record, and claim that I can deliver on my mission statement, which I will repeat here:

“To help you develop an Enterprise Risk Management program that is conceptually sound, practical, and of demonstrable worth.”

It is a method that is internally consistent, applicable to both public and private organizations of all sizes; tested over years with clients in all kinds of administrative settings, and judged to be of value by practitioners and third-party auditors.

[12:55] Conclusion. Really, it is the mission of this podcast to enable risk champions to succeed. But in order to do so, I must begin with a tear-down of sorts, in the form of exploding prevalent myths in Enterprise Risk Management. That will be the subject of the next few episodes!

[14:19] If my message so far resonates with you then I encourage you to subscribe to the podcast. You can do so on your podcast player app. If you visit RiskCommentary.com and subscribe, you will receive:
- Show notes;
- Full show and interview transcripts;
- One-time ebook give-away Risk Management Tools and Templates;

No spam policy; infrequent notifications.

Key quotes

Is ERM Dead? “We are in an unprecedented and evolving landscape unlike anything that we have ever seen historically.” This from the former President of Lloyd’s of London for North America... and yet only 35% of those surveyed have a full Enterprise Risk Management practice.


Links to sources mentioned


Book: Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation (E.R. 2016)
Linked In bio for LoriAnn Lowery-Biggers:


Interview of LoriAnn Lowery-Biggers and colleague Sean Murphy by John Czuba of Legal Talk Network:


The State of Risk Oversight - An Overview of Enterprise Risk Management Practices
(American Institute of Certified Public Accountants) and North Carolina State University. April 2021.

  1. Authors Mark Beasley, Bruce C. Branson and Bonnie V. Hancock: