Enterprise Risk Management (ERM) has shot to prominence in recent years, and is now considered an essential element in the governance framework of any organisation. Our recent blog, 10 Reasons Why Your Enterprise Risk Management Program Won’t Work, was subsequently published by Corporate Risk & Insurance Magazine, and ignited much debate on social media sites as to the common pitfalls to avoid when implementing an ERM program.
In our original blog we asked for reader contributions and we received plenty. As you would expect there was agreement, disagreement and lots of tangential argument which, more than anything else, highlighted the multitude of different individual experiences and perspectives gained across a wide range of industries and countries. Thank you to those who engaged in the debate.
The purpose of this blog is to attempt to collate some of the other potential pitfalls that were put forward. Hopefully this blog can serve as a kind of checklist of things to think about as you go about designing and implementing an Enterprise Risk Management program.
So we can get all the ideas onto one page, here is a summary of the 10 pitfalls that were listed in the original blog:
1. Leadership & Culture (lack of)
2. Excel Spreadsheets (limited functionality for managing enterprise risk and controls)
3. Compliance Focus (rather than enterprise risk focus)
4. Common Risk Language (poorly defined)
5. Diamonds in the Sand (flooding the board/executive with micro risks)
6. Over Quantification (of risk at the expense of qualitative analysis)
7. The Chasm between Risk Practitioners & GRC Software Vendors
8. Vision, Planning (lack of) & Siloed Thinking
9. Linking Strategic Objectives (failure to do so)
10. Risk Articulation & Granularity (getting it right)
From feedback received on this blog here are some other things to look out for. Again these are listed in no particular order:
11. Inadequate Risk Management Policy Framework
The argument here (greatly simplified to get it into one paragraph) is that for ERM to work it must be embedded into business processes. Publishing a risk policy at board level is simply a statement of intent. Embedding ERM requires a documented Risk Program (setting out who, how, what, why and when). As the Risk Program is implemented, identified risks are managed either through (i) allocated actions, or (ii) documented business processes, or (iii) a combination of both. The argument is that for ERM to work effectively an organisation needs to have a robust organisational policy framework and a means of obtaining assurance that these policies and procedures are actually being followed in practice.
12. Risk Based & Risk Related Programs Are Not Linked
In Australia most organisations have to deal with multiple “risk based and risk related programs”. A risk based program is one that is usually derived from a legal obligation, a standard, or both, and requires the organisation to identify a risk (sometimes referred to as a hazard), assess it in terms of likelihood and potential impact, and implement controls and/or treatments. Examples include Work Health Safety (which applies to all Australian employers), Business Continuity Management (at least if you follow the AS/NZ 5050 standard), Fraud & Corruption, Anti-Money Laundering & Counter Terrorism Financing. Risk related programs include Compliance and Complaints Handling. These programs must be linked in order for ERM to be successfully implemented within an organisation and it is important that senior managers understand the inter-relationships between these risk based and risk related programs.
13. Lack of training for Directors and Executive Managers
When most directors and executive managers went through their tertiary education they studied topics such as Total Quality Management and Process Re-engineering. Enterprise Risk Management wasn’t on the agenda and even to this day is only just starting to appear in university programs. It follows that unless today’s Directors and Executive Managers have received specific training on modern day enterprise risk management concepts they are unlikely to fully understand ERM, or the contemporary expectations of key stakeholders such as regulators and insurers. The fact that “Communicate and Consult” is the first step in the ISO 31000 risk process is no coincidence. It is important to get top level buy-in at the beginning of a project and not to presume that all directors and senior executives (even members of Risk Committees) are fully conversant with modern ERM principles.
14. Value Proposition of ERM is Not Clearly Explained
Now this is a somewhat controversial topic. Those who believe that ERM is just another management fad scream from the hill tops that there is no empirical evidence to suggest that risk management adds value to an organisation. And as we all know, if a management process doesn’t add value it will never be embraced as anything but a compliance obligation. The problem for ERM (if implemented properly) is that it either prevents adverse risk events from occurring, or minimises the impact of such events if they do occur. Measuring the benefit of something that doesn’t happen is always going to be difficult, and the relative immaturity of ERM as a business management process means to a large extent we are still relying on “vendor research” (i.e. organisations that peddle ERM services) rather than “academic research”. At the end of the day ERM is simply a process of adopting a methodical process of identifying future events that can impact an organisation and taking steps to address the impact of these events. If we forget the semantics this is simply “Good Management” and no one has ever successfully argued that good management doesn’t add value to an organisation.
15. Lack of Understanding of the Concept of Risk Maturity
Enterprise Risk Management can’t be achieved overnight. There is no instant fix. As a fellow Australian Risk Practitioner Chantal Wiessner commented “I would add that some organisations think they can design and implement a policy and framework and build a risk mature culture in 12 months, or in some hilarious cases 3-6 months. Implementing effective risk management practices is as iterative as risk management itself”. It is critical that directors and senior executives understand the concept of risk maturity and can identify where their organisation sits in the enterprise risk management journey.
16. Not Identifying an Individual who is Accountable for the ERM Function
It is important to recognise that the vast majority of organisations that practice ERM, or should be (in Australia this would be 70-80% of the companies listed on our Securities Exchange and nearly every not-for-profit), are too small to have a dedicated Risk Manager, so this role is often taken on as one of several “hats” being worn by a senior manager who has another primary function (e.g. CFO, Legal Counsel, CEO, COO). If ERM is to be successfully implemented it is critical that responsibility for ERM is clearly allocated to at least one individual within an organisation. A related point here is that “the Risk Manger does not actually manage risk”. The role of the Risk Manager is to facilitate the ERM process, not to personally manage every risk identified in an organisation.
17. Poorly Designed ERM Programs
One of the messages that came across fairly consistently in comments received, was “don’t blame the culture, blame the design of the ERM program”. This is really a twist on a theme, because the vast majority of pitfalls identified relate to “poorly designed ERM programs”. In fact, it could be argued that of all the 20 points made in this blog only “1. Leadership & Culture” does not relate to the design and implementation of an ERM program. Still this is a very valid point. In our experience most organisations have a desire to get this right and have a culture that can make it happen. Getting cultural buy-in is absolutely key to any ERM implementation. As Peter Bonisch (from UK firm Paradigm Risk) noted in his blog – 10 real reasons why ERM fails during implementation – “Unsupportive cultures’ is usually shorthand for either (a) failure to understand the interplay between the many professional, disciplinary and business group behavioural routines or ‘cultures’ that inevitably exist in a firm, or (b) failure to design an ERM programme that executives believed would be effective.”
18. Underestimating Managers
Risk managers / consultants often spend an inordinate amount of time identifying and attempting to quantify risk (refer to No. 6 Over Quantification). Unfortunately, they often forget the human brain is a lot more advanced than any enterprise risk management system will ever be. And of course global events can often move so quickly as to render conventional thinking redundant (e.g. 9/11). Enterprise Risk Management is far from a perfect management tool. At best it can provide assistance to managers to aid their decision making. The brain, however, is also far from perfect. We usually focus on what is in front of us and it often takes processes and techniques, such as those offered through the ISO 31000 International Risk Management Standard, to help us sort through information and identify those risks that are tucked away in the back of our consciousness, or worse, in our “too hard baskets”.
19. Focus on Internal Risk & Ignoring Macro External Risks
Risks can come from anywhere. There is a common misconception that if you map the functional areas of a business and identify the risks within these functional areas, then you will have identified all the risks that may impact your organisation in the future. This is, of course, not true. Many risks (such as a lack of financial controls) will be identified in this way. However, just as many risks (such as the emergence of new technologies, or changes in human behavioural patterns) arise from external sources and often require a deeper degree of lateral thinking in order to be identified prior to impacting on an organisation’s operations. Unfortunately, many ERM programs focus on internal risks and never quite get to dealing with these external macro risks which are, of course, the very risk events that can ultimately prove to be catastrophic.
20. Blind Devotion to a Particular Standard
Finally to round out the list to 20 (there is a slight OCD element in everyone) we’ll add “blind devotion to a particular standard”. Most standards are, at best, guidelines to be followed, and surprise, surprise, other standards usually emerge which challenge existing standards. The battle between COSO and ISO 31000 stands as a good example of this phenomenon, although the concept is probably best illustrated through the global battle of the Business Continuity Standards. If you are in the process of introducing an ERM program it is important to recognise the different standards that exist, and make an informed decision as to which standard your organisation will adopt.
As we noted at the beginning of this blog, risk management is still an emerging profession characterised by a multitude of different individual experiences and perspectives gained across a wide range of industries and countries. CompliSpace is an Australian company working across a range of industry groups (e.g. funds management, not-for-profit, education, wholesale distribution, mining and resources) and dealing with organisations with ten to 1000 staff. We suspect that whatever country you come from, whatever industries you deal with, you will probably agree that while ERM has the potential to substantially add value to any organisation “Enterprise Risk Management is easy to say, however it is not easy to do properly”.
How CompliSpace can help
CompliSpace combines specialist risk management consulting services with practical, technology-enabled solutions. Our risk management programs, which are designed in accordance with the International Risk Management standard ISO 31000, are delivered online and in a format that allows clients to quickly and efficiently tailor the content to their own particular specifications.
If you are looking to streamline your existing governance, risk or compliance programs and make them more relevant to your organisation give us a call. We are passionate about helping organisations to implement sustainable governance, risk and compliance solutions.
Contact Details
P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)
E: contactus@complispace.com.au
This blog is a guide to keep readers updated with the latest information. It is not intended as legal advice or as advice that should be relied on by readers. The information contained in this blog may have been updated since its posting, or it may not apply in all circumstances. If you require specific or legal advice, please contact us on (02) 9299 6105 and we will be happy to assist.
Complispace 
Many
thanks, I appreciate it!