In this post we take a reality check on where Enterprise Risk Management (ERM) is today and why the next generation of this management function needs to evolve.
If you were to observe an average Enterprise Risk Management unit in a typical business outside the finance sector, it usually comprises a tight team of people cast under the banner of the second line of defence. These souls have a tendency to pester business unit owners in their firms to complete a list of open-ended questions that will eventually be assembled into a formalised risk register. If all runs well, this list of risks may eventually find itself, infrequently, plotted on a heat map.
When it comes to risk quantification (the measurement of risk), the exercise rarely moves beyond treating specific uncertainties as discrete events, and these items are nearly always given subjective estimates of likelihood and magnitude that are aggregated via very simple arithmetic.
It's a [ Risk = Subjective(Likelihood) x Subjective(Magnitude) ] effort that attempts to present each risk in the risk register as an expression of loss in a local currency. While this is far from profound, more concerning is that the risks in this system seldom go beyond the operational risk domain, and it's unusual for processes to be present that allow for the assessment of potential upsides that may arise when uncertainty spawns opportunities.
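To make the limitation concrete, here is an added example (not code from the original post or from Causal Capital) that puts a small, constructed risk register through the Likelihood x Magnitude arithmetic described above and then through a simple Monte Carlo simulation of the same register. The entries, likelihoods and magnitudes are hypothetical figures chosen for illustration; the point is that the single "expected loss" number the arithmetic produces is never what a given year actually looks like.

```python
"""Point-estimate risk register versus a simulated annual-loss distribution.

Added illustration; the register below is constructed for the example and
does not come from the original post or from any real organisation.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    """One row of a risk register: an event with an annual likelihood and a
    single point-estimate magnitude, exactly as the L x M approach records it."""
    name: str
    likelihood: float   # probability the event happens at least once in a year
    magnitude: float    # loss in local currency if it happens (point estimate)

    def expected_loss(self) -> float:
        # The 'Risk = Likelihood x Magnitude' arithmetic the post describes.
        return self.likelihood * self.magnitude


# Constructed sample register (hypothetical figures, not from the page).
REGISTER = [
    RegisterEntry("Ransomware outage", 0.10, 2_000_000),
    RegisterEntry("Payment fraud", 0.50, 200_000),
    RegisterEntry("Regulatory fine", 0.05, 5_000_000),
    RegisterEntry("Supplier failure", 0.20, 500_000),
]


def point_estimate_total(register) -> float:
    """Sum of L x M over the register: the number a heat-map-era ERM report
    would present as the firm's 'total risk exposure'."""
    return sum(r.expected_loss() for r in register)


def simulate_annual_losses(register, trials=100_000, seed=7):
    """Monte Carlo: in each simulated year every event occurs independently
    with its stated likelihood and, if it occurs, costs its stated magnitude.
    Returns the list of simulated annual total losses."""
    rng = random.Random(seed)  # fixed seed so the results are reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for r in register:
            if rng.random() < r.likelihood:
                total += r.magnitude
        losses.append(total)
    return losses


def percentile(values, q: float) -> float:
    """Nearest-rank percentile (q in 0..1) of a list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, int(round(q * (len(ordered) - 1)))))
    return ordered[idx]


def exceedance_probability(losses, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarise(register, trials=100_000, seed=7) -> dict:
    """Compare the single L x M figure with what the loss distribution says."""
    losses = simulate_annual_losses(register, trials, seed)
    ev = point_estimate_total(register)
    return {
        "point_estimate_total": ev,
        "simulated_mean": sum(losses) / len(losses),
        # Years in which nothing on the register happened at all.
        "p_no_loss": 1.0 - exceedance_probability(losses, 0.0),
        "median": percentile(losses, 0.5),
        "p95": percentile(losses, 0.95),
        # How often the year is worse than the 'expected loss' figure.
        "p_exceed_point_estimate": exceedance_probability(losses, ev),
    }


if __name__ == "__main__":
    for key, value in summarise(REGISTER).items():
        print(f"{key:>24}: {value:,.3f}")
```

For this register the arithmetic reports an exposure of 650,000, yet roughly a third of simulated years have no loss at all, the median year loses no more than 200,000, and the 95th percentile year loses at least 2,000,000. The single figure is the mean of a distribution that is almost never near its mean, which is the information a decision-maker actually needs and a heat map cannot carry.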
Some of the more mature ERM frameworks may include a loss incident database (all robust risk systems should sample from reality at some point), and others may also attempt to identify Key Risk Indicators that are indicative of the potential threats listed in the risk register.
All this said, the incessant desire to keep the risks operational, and to persist with heat maps based on the outcome of Likelihood and Magnitude multiplications, is endemic. Rarely are risks linked to objectives, and the commercial value from all of this has its limitations.
Change on the horizon
Late last year the Committee of Sponsoring Organizations of the Treadway Commission (that's always such a mouthful), or COSO, released what it referred to as a highly anticipated framework integrating Enterprise Risk Management with Strategy and Performance. It's an attempt to break from the staid ERM tradition described above, and it's potentially a move in the right direction, especially so for PwC, it seems. However, COSO's new work has also been presented as a thematic guide that is a tad detached from the details. The devil is always in those pesky details, as the saying goes, and even more so when it comes to risk management systems. I am sure PwC are willing to fill in the gaps for anyone interested.
“The [new] framework addresses the evolution of ERM, the benefits that can be achieved, and the need for organisations to improve their approach to managing risk”
Miles Everton | PWC Global Advisory
The ISO 31000 camp (it isn't uncommon for the COSO and ISO factions to differ in their opinions, even when these two groups of people are describing the same thing) will soon be releasing some amendments to their treasured guidelines; you know you always have to keep up with the Joneses. Although it isn't clear whether these stated improvements will be the transformation everyone is hoping to see.
Finally, if you have been paying attention to the banter that carries on in the background of social media, there are a lot of risk management practitioners harping on that the vocation (if we can call it that) should be about decision-making, not compiling lists of risks that are detached from the objectives of the business.
Either way, all of this is writing on the wall and should come as an early warning to Enterprise Risk Managers that their world is in flux and begging to evolve.
Although what I describe above is prosaic for those in the know, Risk Management Framework guidelines such as COSO or ISO 31000 are actually an important part of the groundwork that needs to be in place to enable a comprehensive risk management solution.
Causal Capital teaches these ERM foundations to practitioners far and wide, and that takes in ISO 31000, the Risk Taxonomy and the Risk Register right through to an effective reporting system. Our ERM-I Masterclasses are very popular because they impart real-life experience that helps practitioners bed down best-practice lessons, ensuring they capture the right kind of information for an effective risk assessment and decision-making process.
Next Gen ERM | Causal Capital
For the Next Generation, ERM-II if you prefer, you can't simply leap from loosely applied ERM principles to "risk helps with decision-making or strategy" unless you have first aligned your Risk Management infrastructure with the language that drives your business.
One scary trend I am witnessing at the moment is where risk managers attempt to dump specific artefacts from their toolkit and simplify what they are doing in a desperate attempt to entangle themselves in the daily decision-making moments around their business. It's a story that doesn't normally end well. Perhaps it's easier to explain why this is the case in the following way: don't go into any environment, up a mountain, out to sea, into battle or into a meeting, without being prepared. Failing to align an effective Risk Management infrastructure with business unit processes, language and policy is doing just that.
In the next month Causal Capital will be running a Next Gen risk management program for Enterprise Risk Practitioners that helps them move smoothly into this new ERM space. We take real-life case studies that are straightforward to follow and step practitioners through various exercises that will allow them to embed their ERM frameworks into their firm's financial risk decision-making processes.
In the near future we will be publishing a set of new blog posts to demonstrate what Next Generation ERM is all about, but until then, may your risks have positive outcomes for you.