Driving Change to Improve Resilience and Agility
Enterprise risk management (ERM) is a framework organizations use to manage risks and seize opportunities related to the achievement of their objectives. Increasingly, senior management fails to engage with ERM properly, which leads to missed opportunities and lost revenue. Read on to find out what entrepreneur Peadar Duffy has to say about ERM and its business implications.
ERM is Dead!
I spent a couple of hours talking with the senior independent director (SID) of a major FTSE-listed company recently. He opined that in his experience, risk management consistently fails to deliver value. It is led by people who are more administrators than leaders, and more bureaucrats than doers. The SID in question has himself been a spectacularly successful CXO in a number of significant organizations.
Around the same time, another senior executive with impressive credentials remarked that in his experience, “risk has been done to him” by folk in risk management. He speaks of the parallel universes of the operational front lines, risk support and audit. Whereas the theory and rationale (three lines of defense) is sound, the method of execution is often suboptimal and sometimes even counterproductive.
I am sympathetic to these perspectives, as I think that whilst harsh, they are representative of generally held opinions of many in both front-line decision-making and strategic leadership positions.
The accounting and internal audit professions are alert to these and other emerging issues, as is evidenced in:
- IFAC’s seminal paper, From Bolt-on to Built-in, which describes how “effective management of risk helps organizations achieve their objectives, while complying with legal, regulatory and societal expectations, and enables them to better respond and adapt to surprises and disruptions … and positions the management of risk as an indispensable and integral part of decision-making and subsequent execution in order for boards and management to ensure their organization makes the best decisions and achieves its objectives.”
The paper also “a) demonstrates the benefits of properly integrating the management of risk, including internal control, into the governance, management and operations of an organization; b) provides ideas and suggestions on how such integration can be achieved; and c) furnishes practical examples of how professional accountants in business can support their organizations with this integration.”
- Internal Auditing Poised for the Future: Global Outlook by IIA CEO Richard Chambers, wherein Chambers outlines how the profession is responding to the changing and increasing expectations of stakeholders. This presentation, and others like it, follow some poor results on stakeholder satisfaction with IA’s contribution to enterprise value creation.
Moves to reposition risk management from its (de facto) traditional, task-oriented focus to a more enlightened strategy-setting role are also apparent vis-à-vis:
- COSO Enterprise Risk Management: Integrating with Strategy and Performance, June 2017. The essential message here is … risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy … However, the risk to the chosen strategy is only one aspect to consider … (as the COSO) Framework emphasizes, there are two additional aspects to enterprise risk management that can have far greater effect on an entity’s value: the possibility of the strategy not aligning and the implications from the strategy chosen. The first of these, the possibility of the strategy not aligning with an organization’s mission, vision and core values, is central to decisions that underlie strategy selection.
The implicit call to action here is that CROs must ensure that they are in the room and actively influencing strategy selection before it is delivered as a foregone conclusion to the enterprise at large.
- ISO 31000:2018 (Risk Management), which emphasizes the immutable fact that risk management is essentially about the quality of thinking, discussion and decision-making when addressing uncertainties affecting the achievement of objectives. Whereas nothing profoundly new emerged with this revision, the simple restatement of the fundamentals should remind business leaders and risk practitioners that they should stick to fundamental principles, framework and approach when evaluating pros and cons as they advance, and strive to achieve, new objectives in our uncertain world.
Fast forward a couple of months from my two encounters above to a recent meeting of a risk management “innovation” group of which I am a member. At that meeting, a colleague shared what she had heard at a Top 4 accountancy firm’s risk briefing: that enterprise risk management (ERM), having failed, is now being replaced by “integrated risk management (IRM).”
ERM being replaced by IRM was lauded as breakthrough and the next big thing!
I first came across this notion a few months ago when I read a (GRC technology) rating report promoting the same philosophy and thought to myself, “what else would you expect” from a firm which independently rates GRC technologies in return for significant annual subscriptions?
It also occurs to me that most GRC platforms are sold on the back of massive compliance drivers to the extent that the “C” is the proverbial foghorn and the “R” has become much louder since the global financial crisis, but the “G” is virtually silent!
What does G sound like?
Governance discussions and decisions are fundamentally about:
- The purpose, stakeholders, vision and values of the organization (i.e., value definition* and the things that influence the direction that is set for the organization over time),
- Internationally accepted corporate governance principles and protocols now common in most of the international codes and guidelines (i.e., the high-level control frameworks that ultimately permeate throughout the organization),
- Those operational imperatives required to fulfill purpose, realize vision and ensure corporate values are “built in and manifest” in day-to-day decision-making behaviors (i.e., value creation* and delivery* vis-à-vis the intricate play of resources and maneuvers required to stay in the game and outperform the competition),
- Long-term financial sustainability and viability in a manner which adheres to ESG/CSR principles much sought after these days by most of the Tier 1 Investment institutions (i.e., value capture* vis a vis the steady flow of returns for all stakeholders over the longer term),
*CGMA Business Model Framework: (Note: final version due for publication end May 2018)
Whereas “Risk and the Management of Risk” is today a standing board agenda item and exists in board subcommittee terms of reference, the reality is that most CROs rarely, if ever, participate directly (as distinct from report into) board subcommittees other than audit and/or risk.
Similarly, most CROs rarely, if ever, attend the annual/biannual strategy away days where the grown-up discussions take place and decisions are made.
Exceptions to this rule do exist, but they are in the minority, particularly across nonfinancial industry sectors.
This big and basic reality goes some way to explaining why most GRC platforms/solutions are sold into compliance and internal audit and almost never directly into “parent company” CXOs.
(Note: Over the past 18 months, I have noticed one GRC platform provider advocate fourth-generation GRC (first-generation was Excel, etc.) with a business case that switched emphasis from compliance to enhanced business performance. This is good news, but most GRC vendors are still painfully slow in getting on the train, which is already pulling out of the station.)
No wonder, therefore, that:
- GRC rating firms see no evidence of much other than integrated risk and compliance and thus talk of integrated risk management (IRM), and
- Top four firms (which should know better) follow the vendor line as a pull-through for their risk assurance engagements, apparently content that the G in GRC remains silent… save for where strategy engagements are separately sold in by more heavyweight consultants.
And so the game continues!
There is clearly a fire-break between the CXO and front-line business discussions and decision-making, where business language (business model, strategy formulation, execution, capital allocation, operations, revenue growth and assurance, margins management, KPIs, etc.) is spoken, and the second line, where risk administrators talk in the technical risk language of risk identification, analysis, evaluation, KRIs, treatment, etc.
Long Live ERM!
The world (ISO and COSO) has agreed what good risk management looks like. The “what” is universally accepted, but the “how” is proving to be elusive – more hit and miss.
What does the “how” look like?
First, there are three things we need to understand:
- The days of Excel, Word, PowerPoint and disparate GRC deployments are well and truly over,
- The commercialization of affordable machine learning technologies (AI is still too loose a term, and in any event is not the correct term in this “particular” context) means that you can now run queries across strategic data sets derived from “human sensors” (i.e., your front-line decision-makers) in real time. (I explain what I mean by this in an earlier article, “New Paradigm Corporate Governance: Fink’s Big Ask and Distributed Decision Making using Machine Learning.”)
- To unleash the power of machine learning in ERM you just need to know:
- What (business) questions to ask … if you can’t converse in the language of “real risk managers” (i.e., front-line P&L owners and operational decision-makers), your days are numbered! Risk jargon is for risk technocrats, not mainstream folk!
- How to interrogate the answers … vis-à-vis (1) first-level interrogation of patterns gleaned from “algorithmic analysis” of large data sets derived from operational front-line decision-makers’ answers to questions; (2) second-level interrogation of outliers; (3) third-level interrogation of drill-down reports segmented by topic analysis.
- How to join the dots (information and structured corporate knowledge gleaned from decision-makers across your distributed organization), paint the picture (so to speak) of what might be around the corner such that you can best anticipate, prepare, respond and exploit opportunities – or, conversely, preserve value.
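The three-level interrogation described above (population patterns, then outliers, then drill-down by topic) is easy to state and easy to get wrong in practice, so here is a small, added illustration of it in Python. It is not the author’s or SOLUXR’s method and not code from the original article; the sample responses are constructed, the 1–5 agreement scale, the business-unit grain and the median/MAD outlier rule are all assumptions chosen for illustration. The point it adds is the one practitioners trip over: an outlier rule based on mean and standard deviation is itself distorted by the outlier it is looking for, whereas median and median absolute deviation (MAD) are not, and the case where every other unit answers identically needs explicit handling.

```python
"""Three-level interrogation of front-line survey answers (illustrative).

Level 1: patterns across the whole population (per-question summary).
Level 2: outliers, i.e. business units whose answers sit far from the rest.
Level 3: drill-down by topic for the flagged units.
"""
from collections import defaultdict
from statistics import mean, median

# Constructed sample (not real survey data): one row per decision-maker
# answer. Scores are 1-5 agreement with a plain-language business question
# (5 = strongly agree). Question ids, topics and units are hypothetical.
RESPONSES = [
    # (business_unit, topic, question_id, score)
    ("EMEA",  "capital",  "Q1", 4), ("EMEA",  "capital",  "Q1", 5),
    ("APAC",  "capital",  "Q1", 4), ("APAC",  "capital",  "Q1", 4),
    ("NA",    "capital",  "Q1", 5), ("NA",    "capital",  "Q1", 4),
    ("LATAM", "capital",  "Q1", 1), ("LATAM", "capital",  "Q1", 1),
    ("EMEA",  "supplier", "Q2", 3), ("EMEA",  "supplier", "Q2", 4),
    ("APAC",  "supplier", "Q2", 4), ("APAC",  "supplier", "Q2", 3),
    ("NA",    "supplier", "Q2", 5), ("NA",    "supplier", "Q2", 4),
    ("LATAM", "supplier", "Q2", 4), ("LATAM", "supplier", "Q2", 3),
]

# Scales MAD so it is comparable to a standard deviation for normal data.
MAD_TO_SIGMA = 0.6745


def level1_patterns(responses):
    """Population-wide mean score per question (first-level pattern view)."""
    by_q = defaultdict(list)
    for _unit, _topic, qid, score in responses:
        by_q[qid].append(score)
    return {qid: round(mean(scores), 2) for qid, scores in by_q.items()}


def unit_means(responses):
    """Mean score per (question, unit): the grain at which outliers are judged."""
    acc = defaultdict(list)
    for unit, _topic, qid, score in responses:
        acc[(qid, unit)].append(score)
    return {key: mean(v) for key, v in acc.items()}


def level2_outliers(responses, threshold=3.0):
    """Units whose per-question mean is far from the other units' means.

    Uses median and median absolute deviation (MAD); a single extreme unit
    cannot drag these around the way it drags a mean and standard deviation.
    Returns a list of (question_id, unit, unit_mean, robust_z).
    """
    per_q = defaultdict(dict)
    for (qid, unit), m in unit_means(responses).items():
        per_q[qid][unit] = m
    flagged = []
    for qid, units in per_q.items():
        vals = list(units.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals)
        for unit, v in units.items():
            if mad == 0:
                # No spread among the others: any deviation at all stands out,
                # and there is no scale to express it as a z-score.
                z = float("inf") if v != med else 0.0
            else:
                z = MAD_TO_SIGMA * (v - med) / mad
            if abs(z) >= threshold:
                flagged.append((qid, unit, v, round(z, 2)))
    return flagged


def level3_drilldown(responses, unit, topic):
    """Per-question view for one unit within one topic, beside everyone else.

    Returns {question_id: (unit_mean, rest_of_population_mean)}.
    """
    own, rest = defaultdict(list), defaultdict(list)
    for u, t, qid, score in responses:
        if t != topic:
            continue
        (own if u == unit else rest)[qid].append(score)
    return {qid: (round(mean(own[qid]), 2), round(mean(rest[qid]), 2))
            for qid in own if qid in rest}


def interrogate(responses, threshold=3.0):
    """Run all three levels; returns {(unit, topic): drill-down} for flagged units."""
    topic_of = {qid: topic for _u, topic, qid, _s in responses}
    report = {}
    for qid, unit, _m, _z in level2_outliers(responses, threshold):
        topic = topic_of[qid]
        report[(unit, topic)] = level3_drilldown(responses, unit, topic)
    return report


if __name__ == "__main__":
    print("Level 1:", level1_patterns(RESPONSES))
    print("Level 2:", level2_outliers(RESPONSES))
    print("Level 3:", interrogate(RESPONSES))
```

On the constructed data, level 1 shows nothing alarming (Q1 averages 3.5, Q2 3.75); level 2 surfaces LATAM on the capital question, because its mean of 1.0 sits far below the other units, and NA on the supplier question, because the other three units answered identically and NA did not; level 3 then puts each flagged unit’s scores beside the rest of the population so the conversation can move to the front line in business terms rather than in risk jargon.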
The how, therefore, is technology-enabled risk management: expertise augmentation and automation.
Because we know “what” good risk management looks like, we know what questions to ask (risk identification), how to interrogate the answers (risk analysis) and how to anticipate/prepare/respond (risk treatment).
On this basis, “evidence-based” risk management can be operationalized (real-time performance monitoring, situational awareness and communications) in a manner that drives data to information, at speed, and information to structured corporate knowledge, thus:
- Insights … into what’s really going on across your operational and front-line decision-making populations,
- Foresight … into what your own decision-makers see coming around the corner,
- Board Oversight … in the form of “evidence” that risk management policies (i.e., risk appetite, risk culture, ESG/CSR, etc.) are influencing day-to-day decision-making behaviors across the enterprise.
Use cases today include operationalized insights, foresight and board oversight of:
- Strategy: The nonfinancial operational activities today that will underpin strategic/financial performance tomorrow.
- Execution: The validity of principal business assumptions from the boardroom to front-line decision-makers.
- Capital Allocation: Proof that people have thought things through as they draw down scarce capital.
- Disruption: Competitor strengths and weaknesses/emergence of business model disruptors identified before it’s too late.
- Culture: “How we do things around here” as distinct from “how we hope/pretend we do things as defined in our corporate values statements.”
- ESG/CSR: Conduct of third party suppliers whose behaviors affect our reputation.
- Crisis Management: Bouncing back (resilience) and forward (organizational agility) when abnormal and adverse events occur across modern-day complex organizations.
The list is endless …
Conclusion
For ERM to be all that it can be, we need to pivot from traditional, complex, second-line methodologies to easy-to-complete, manageable, high-impact automations absent technical risk jargon.
The design, rooted in the now classical definition of risk (the effect of uncertainty on the achievement of objectives), must precipitate “enterprise-wide optionality in all day-to-day decision-making.”
Optionality, in this context, simply means always designing in more upside than down, and always holding adequate reserves, which can be deployed as and when required to bounce back (resilience) from a shock, or bounce forward (agility), ahead of your less adaptive competitors!
The approach here mirrors a basic military approach to iteratively planning, probing, learning, attacking and re-grouping. It is similar to enterprise agility and consistent with what Nassim Nicholas Taleb advocates in his book, “Antifragile: Things that Gain from Disorder.”
The business case is straightforward: Faster, easier-to-implement ERM at a fraction of the cost of traditional methods!
What do you think?
This piece was originally shared on the SOLUXR site and is republished here with permission.