Enterprise risk management is often criticized as being remote from the real strategic needs of the organization. Is this fair comment and, if so, what can be changed to make ERM more relevant? Peadar Duffy gives his viewpoint...
I recently spent a couple of hours talking with the senior independent director of a major FTSE. He opined that in his experience, risk management consistently fails to deliver value. It is led by people who are more administrators than leaders, and more bureaucrats than doers. The director in question has himself been a spectacularly successful CXO in a number of significant organizations.
Around the same time another senior executive with impressive credentials remarked that in his experience 'risk has been done to him' by folk in risk management. He speaks of the parallel universes of the operational front lines, risk support, and audit. Whereas the theory and rationale (three lines of defence) is sound, the method of execution is often sub-optimal, and sometimes even counter-productive.
I am sympathetic to these perspectives, as I think that whilst harsh, they are representative of generally held opinions of many in both front line decision making, and strategic leadership positions.
The accounting and internal audit professions are alert to these, and other emerging issues, as is evidenced in:
IFAC's seminal paper From Bolt-on to Built-in, wherein it describes how ‘effective management of risk helps organizations achieve their objectives, while complying with legal, regulatory, and societal expectations, and enables them to better respond and adapt to surprises and disruptions ... and positions the management of risk as an indispensable and integral part of decision making and subsequent execution in order for boards and management to ensure their organization makes the best decisions and achieves its objectives’.
The paper also a) demonstrates the benefits of properly integrating the management of risk, including internal control, into the governance, management, and operations of an organization; b) provides ideas and suggestions on how such integration can be achieved; and c) furnishes practical examples of how professional accountants in business can support their organizations with this integration.
Internal Auditing Poised for the Future: Global Outlook by IIA CEO Richard Chambers: here Chambers outlines how the internal auditing (IA) profession is responding to the changing and increasing expectations of stakeholders. This presentation, and others like it, follow some poor results on stakeholder satisfaction with IA's contribution to enterprise value creation.
Moves to reposition risk management from its (de facto) traditional task-oriented focus to a more enlightened strategy-setting role are also apparent vis-à-vis:
COSO Enterprise Risk Management: Integrating with Strategy and Performance June 2017. The essential message here is that ‘Risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy... However, the risk to the chosen strategy is only one aspect to consider’. The COSO Framework emphasizes that there are two additional aspects to enterprise risk management that can have far greater effect on an entity’s value: ‘the possibility of the strategy not aligning, and the implications from the strategy chosen. The first of these, the possibility of the strategy not aligning with an organization’s mission, vision, and core values, is central to decisions that underlie strategy selection’.
The implicit call to action here is that chief risk officers must ensure that they are in the room and actively influencing strategy selection before it is delivered as a foregone conclusion to the enterprise at large.
ISO 31000:2018 (Risk Management), which emphasizes the immutable fact that risk management is essentially about the quality of thinking, discussion and decision making when addressing uncertainties affecting the achievement of objectives. Whereas nothing profoundly new emerged with this revision to the ISO 31000 standard, the simple restatement of the fundamentals should remind business leaders and risk practitioners that they should stick to fundamental principles, framework and approach when evaluating pros and cons as they advance, and strive to achieve, new objectives in our uncertain world.
Fast forward a couple of months from my two encounters above to a recent meeting of a risk management ‘innovation’ group of which I am a member. At that meeting a colleague shared what she had heard at a Top Four Accountancy risk briefing: that enterprise risk management (ERM), having failed, is now being replaced by ‘integrated risk management (IRM)’. ERM being replaced by IRM was lauded as a breakthrough and the next big thing!
I first came across this notion a few months ago when I read a GRC technology rating report promoting the same philosophy and thought to myself: ‘what else would you expect’ from a firm which independently rates GRC technologies in return for significant annual subscriptions?
It also occurs to me that most GRC platforms are sold on the back of massive compliance drivers, to the extent that the C is the proverbial foghorn; R has become much louder since the global financial crisis; but the G is virtually silent!
What does G sound like?
Governance discussions and decisions are fundamentally about:
- The purpose, stakeholders, vision and values of the organization: i.e. Value Definition and the things that influence the direction that is set for the organization over time;
- Internationally accepted corporate governance principles and protocols now common in most of the international codes and guidelines: i.e. the high level control frameworks that ultimately permeate throughout the organization;
- Those operational imperatives required to fulfil purpose, realise vision and ensure corporate values are ‘built in and manifest’ in day-to-day decision-making behaviours: i.e. Value Creation and Delivery vis-à-vis the intricate play of resources and manoeuvres required to stay in the game, and outperform the competition;
- Long-term financial sustainability and viability in a manner which adheres to the ESG/CSR principles much sought after these days by most of the Tier 1 investment institutions: i.e. Value Capture vis-à-vis the steady flow of returns for all stakeholders over the longer term.
The reality is that most chief risk officers rarely, if ever, participate directly with (as distinct from report into) board sub-committees other than audit and/or risk. Similarly, most CROs rarely, if ever, attend the annual/biannual strategy away days where the grown-up discussions take place and decisions are made. Exceptions to this rule do exist, but they are in the minority, particularly across non-financial industry sectors.
This big and basic reality goes some way to explaining why most GRC platforms/solutions are sold into compliance and internal audit; and almost never directly into 'parent company' CXOs.
[NOTE: Over the past 18 months I have noticed one GRC platform provider advocate 4th Generation GRC (1st Generation was Excel etc.) with a business case which switches emphasis from compliance to enhanced business performance. This is good news but most GRC vendors are still painfully slow in getting on the train which is already pulling out of the station]
No wonder therefore that:
- GRC rating firms see no evidence of much other than integrated risk and compliance and thus talk of integrated risk management (IRM), and
- Top four firms (who should know better) follow the vendor line as a pull through for their risk assurance engagements, apparently content that the G in GRC remains silent: save for where strategy engagements are separately sold in by more heavyweight consultants.
And so the game continues!
There is clearly a fire-break between the CXO – front-line business discussions and decision making where business language (business model, strategy formulation, execution, capital allocation, operations, revenue growth and assurance, margins management, KPIs etc.) is spoken, and the second line where risk administrators talk in technical risk language of risk identification, analysis, evaluation, KRIs and treatment etc.
Long live enterprise risk management!
The world (ISO and COSO) has agreed what good risk management looks like. The 'what' is universally accepted, but 'the how' is proving to be elusive; it is much more hit and miss.
What does 'The How' look like?
First, there are three things we need to understand:
1. The days of Excel, Word, PowerPoint and disparate GRC deployments are well and truly over;
2. The commercialization of affordable Machine Learning (AI is still too loose a term, and in any event is not the correct term in this 'particular' context) technologies means that you can now run queries across strategic data sets derived from ‘human sensors’ (i.e. your front line decision makers) in real time;
3. To unleash the power of Machine Learning in ERM you just need to know:
- What (business) questions to ask: if you can't converse in the language of 'real risk managers' (i.e. frontline P&L owners and operational decision makers) your days are numbered! Risk jargon is for risk technocrats, not mainstream folk!
- How to interrogate the answers, vis-à-vis (1) 1st-level interrogation of patterns gleaned from ‘algorithmic analysis’ of large data sets derived from operational front-line decision makers' answers to questions; (2) 2nd-level interrogation of outliers; (3) 3rd-level interrogation of drill-down reports segmented by topic analysis…
- How to join the dots (information and structured corporate knowledge gleaned from decision makers across your distributed organization), paint the picture so to speak, of what might be around the corner such that you can best anticipate, prepare, respond and exploit opportunities or conversely, preserve value.
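As an added illustration (not code from the article or from SOLUXR), the following Python sketch runs the three interrogation levels just described over a constructed set of front-line answers: level 1 aggregates scores per question to surface population-wide patterns, level 2 flags the (unit, question) answers that sit far from the population's view, and level 3 drills down by topic for a single unit so a divergent score can be traced to its subject. The business units, topics, question ids, scores and the z-score threshold are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (assumption): each answer is
# (business_unit, topic, question_id, score) where score 1..5 is how strongly a
# front-line decision maker agrees with a plain-business statement such as
# "our top three customers will renew this year" (no risk jargon in the question).
ANSWERS = [
    ("EMEA", "revenue", "Q1", 4), ("EMEA", "revenue", "Q2", 4),
    ("EMEA", "supply", "Q3", 5), ("EMEA", "supply", "Q4", 4),
    ("APAC", "revenue", "Q1", 4), ("APAC", "revenue", "Q2", 5),
    ("APAC", "supply", "Q3", 4), ("APAC", "supply", "Q4", 5),
    ("LATAM", "revenue", "Q1", 1), ("LATAM", "revenue", "Q2", 2),
    ("LATAM", "supply", "Q3", 4), ("LATAM", "supply", "Q4", 5),
    ("NA", "revenue", "Q1", 4), ("NA", "revenue", "Q2", 4),
    ("NA", "supply", "Q3", 1), ("NA", "supply", "Q4", 2),
]


def _question_stats(answers):
    """Unrounded population mean and standard deviation per question."""
    by_q = defaultdict(list)
    for _, _, q, score in answers:
        by_q[q].append(score)
    return {q: (mean(v), pstdev(v)) for q, v in by_q.items()}


def level1_patterns(answers):
    """Level 1: the pattern across the whole population, as (mean, spread) per question."""
    return {q: (round(m, 2), round(sd, 2)) for q, (m, sd) in _question_stats(answers).items()}


def level2_outliers(answers, z_threshold=1.5):
    """Level 2: answers more than z_threshold standard deviations from their
    question's mean, i.e. the units whose view diverges from the crowd.
    Returns a sorted list of (unit, question, score, z)."""
    stats = _question_stats(answers)
    flagged = []
    for unit, _, q, score in answers:
        m, sd = stats[q]
        if sd == 0:          # everyone agreed; nothing can be an outlier
            continue
        z = (score - m) / sd
        if abs(z) > z_threshold:
            flagged.append((unit, q, score, round(z, 2)))
    return sorted(flagged)


def level3_drilldown(answers, unit):
    """Level 3: per-topic mean for one unit, so an outlier can be explained
    by the topic behind it rather than by the unit as a whole."""
    by_topic = defaultdict(list)
    for u, topic, _, score in answers:
        if u == unit:
            by_topic[topic].append(score)
    return {t: round(mean(v), 2) for t, v in by_topic.items()}


if __name__ == "__main__":
    print("Level 1 (pattern):", level1_patterns(ANSWERS))
    outliers = level2_outliers(ANSWERS)
    print("Level 2 (outliers):", outliers)
    for unit in sorted({u for u, *_ in outliers}):
        print(f"Level 3 ({unit} by topic):", level3_drilldown(ANSWERS, unit))
```

On the constructed data the population is broadly positive, level 2 singles out LATAM on the revenue questions and NA on the supply questions, and level 3 shows that each unit's concern is confined to one topic. The z-score threshold is the tuning knob: a lower value surfaces more units for a conversation, a higher one only the starkest disagreements.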
The how, therefore, is technology-enabled augmentation and automation of risk management expertise.
Because we know ‘what’ good risk management looks like, we know what questions to ask (risk identification); how to interrogate the answers (risk analysis); and how to anticipate/prepare/respond (risk treatment).
On this basis ‘evidence based’ risk management can be operationalized (real time performance-monitoring, situational awareness and communications) in a manner which drives data to information, at speed, and information to structured corporate knowledge, thus:
1. Insights: into what’s really going on across your operational and front-line decision-making populations;
2. Foresight: into what your own decision-makers see coming around the corner;
3. Board oversight: in the form of ‘evidence’ that risk management policies, i.e. risk appetite, risk culture, ESG/CSR etc., are influencing day-to-day decision-making behaviours across the enterprise.
Use cases today include operationalized insights, foresight and board oversight of:
1. STRATEGY: The non-financial operational activities today; which will underpin strategic/financial performance tomorrow.
2. EXECUTION: The validity of principal business assumptions; from the board room to front-line decision-makers.
3. CAPITAL ALLOCATION: Proof that people have thought things through; as they draw down scarce capital.
4. DISRUPTION: Competitor strengths and weaknesses/emergence of business model disruptors identified; before it’s too late.
5. CULTURE: ‘How we do things around here’ … as distinct from ‘how we hope/pretend we do things as defined in our corporate values statements’.
6. ESG/CSR: Conduct of third party suppliers; whose behaviours affect our reputation.
7. CRISIS MANAGEMENT: Bouncing back (resilience) and forward (organizational agility); when abnormal and adverse events occur across modern day complex organizations.
The list is endless…
For enterprise risk management to be all that it can be, we need to pivot from traditional, complex 2nd-line methodologies to easy-to-complete, manageable, high-impact automations, free of technical risk jargon.
The design, rooted in the now classical definition of risk (the effect of uncertainty on the achievement of objectives) must precipitate ‘enterprise wide optionality in all day to day decision making’.
Optionality, in this context, simply means always designing in more upside than down, and always holding adequate reserves which can be deployed as and when required to bounce back (resilience) from a shock, or bounce forward (agility), ahead of your less adaptive competitors!
The approach here mirrors a basic military approach to iteratively planning, probing, learning, attacking and re-grouping. It is similar to enterprise agility and consistent with what Nassim Nicholas Taleb advocates in his book, Antifragile: Things that Gain from Disorder.
The business case is straightforward: Faster, easier to implement enterprise risk management, at a fraction of the cost of traditional methods!
Peadar Duffy is Founder Director of SOLUXR (an Irish and Latin blended name meaning 'to illuminate') which provides expert automation and augmentation solutions for burning strategic issues facing complex networked/distributed organizations.