Enterprise Risk Management Myths
The topic of Enterprise Risk Management can seem quite confusing, especially since there is a good deal of misinformation floating around. In “The Top 10 Enterprise Risk-Management Myths,” Gordon Burnes of NewsFactor.com discusses some of the most common myths of Enterprise Risk Management. The article is a good read for those interested in ERM, although we should point out that it is (like most information on ERM) still heavily IT/Financial focused. A couple of the myths speak directly to the premise behind MyRiskControl.com:
Myth Number 7: You Can Manage Risk Only from the Center
No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate, and they don’t know how to push risk management to lower levels of responsibility in the organization. It’s a classic issue of consistency vs. quality of information.
But, accurate information lies at the business line level. Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably and cost-effectively do that is to invest in automated technology solutions.
Along this line of thinking, he continues:
ERM needs to be deployed bottom-up so that business managers are the first-line managers of risk, embedding enterprise risk management within the day-to-day business processes of the firm. They must understand the risk/reward trade-offs involved in their own decision-making. Risk management should create a bias for action, surfacing problems as they arise and empowering the entire organization to be risk managers.
This is one of the most important aspects of a well thought out Enterprise Risk Management system. There must be management and employee buy-in at all levels; otherwise ERM implementations tend to suffer from the same pitfalls that plague most change management:
- Unclear rationale for change
- Lack of understanding of the urgency of change
- Inadequate employee mobilization and engagement
- Complacency (resistance to change because of prior success)
- Too many initiatives at one time, overloading change management capacity
- Mixed messages from top and middle management
- Short-term thinking and lack of follow-through, especially in long-term initiatives
Without proper buy-in, and the creation of a true risk management culture within an organization, the change for ERM success falls significantly. There are simply too many risk factors for a centralized risk manager to deal with.
Myth Number 3: It Just Takes Common Sense
“There are really no cookbook solutions. One has to use creativity and a lot of common sense.” This was a May 16, 2000 email response from Enron Corp. risk expert Vince Kaminski, when asked by a colleague to recommend a good book on operational risk.
As Enron proved, creativity is a no-no and common sense alone just doesn’t suffice when it comes to risk management. As business activities have become more complex, so has risk management. The sheer magnitude of the regulations leaves many firms struggling to put in place processes and infrastructure Relevant Products/Services that are able to identify and control the compliance risks they face.
Risk management covers a wide variety of risk disciplines, including operational, compliance, financial controls, legal, liquidity, business strategy and technology, each of which has its own nuances and specialized models for assessing risk. It may not be rocket science, but it does require application of sophisticated models and analytics, aided with accompanying software tools.
While many of the steps taken in the ERM process seem like common sense, the process as a whole should not be approached in a “common sense” fashion. Common sense would say to focus first on the fires that need to be put out right now. Otherwise you might not even have a business tomorrow! Unfortunately, oftentimes, there’s only enough time in the day for dealing with “fire drills” and when you’re done, you’re too exhausted to do the little things that fall under the category of “sharpening the axe”.
When running a business, it’s easy to forget about all the details of all the various disciplines required to prevent business failure and promote a strong, secure company. When we talk to companies about certain risk factors, we often hear the same response:
“I never thought about that (or I never realized that could cause harm to my business)”
That’s why an ERM framework is so important. Used properly, it ensures that adequate policies and procedures are in place to prevent against all the risks you “never thought about” or the ones you did think about but never had time to address.