What's Hot

Nassim Nicholas Taleb's blog, an inspiring read | Incerto

Monday, January 16, 2012

Is enterprise risk a journey or a destination?

A couple of days ago a customer asked me; is Enterprise Risk Management the end game in the world of risk? 

After reading a recent question on an ERM Linked-in forum, which goes something like this: "Is enterprise risk a journey or a destination?" I have been encouraged to write briefly on this subject here.
So then, is Enterprise Risk Management a journey or a destination?

An Evolving System
In my opinion, if I had to only pick between the journey or destination aspect of this title, I would probably choose the journey delineation but I am not sure Enterprise Risk Management is really that either. Being a journey would mean that at some point in time there has to be a destination. Surely every journey has a destination doesn't it?

Perhaps Enterprise Risk Management can be thought of as a vocational journey which is forever evolving.

If that is the case then, two additional questions beg to be answered: The first being, what is a typical evolutionary path for Enterprise Risk Management and where would most businesses be positioned on this path?

Enterprise Risk Journey | Causal Capital (Click to Enlarge)

The diagram represented here can be thought of as a collection of individual initiatives which will be constructed and then integrated into a broader Enterprise Risk Management framework. Some of the activities listed in the diagram are quite detailed or convoluted, others long winded, some facilities are easy to achieve but either way; a good risk framework will leverage future efforts off existing work and hopefully in a harmonious manner.

It is important to note that if a firm hasn't completed all the activities listed above, one mustn't worry. Many elements of a risk framework are optional and while some processes or systems are an absolute requirement, we need to accept that not all aspects of a typical risk framework will be treated with equal importance.

In other cases, different industry sectors place different emphasis on specific elements of their enterprise risk system. That is very common and a typical outcome of dealing with risk management in varied environments and what is important for a bank, may not be for shipping company.

Industry Experience
If one was to compare risk experience across the entire economy of a developed country, it would be optimistic to state that businesses in general are even at Phase 1 of this Enterprise Risk Journey. I know this sounds awful but in reality most professional firms I have reviewed have only just initiated their programs in some way or another.

There are of course some industry sectors that seem to be better than others at kicking off an Enterprise Risk framework. Although, after looking at the collapse of the banking sector over the last few years, it also appears that there are some massive enterprise risk mirages out there as well.

One big misunderstanding is that as the maturity of the model increases, so does the difficulty in achieving each phase. This opinion is also not always the case and some optimisation exercises risk teams entertain, especially in the economic capital arena are quite well understood and they can be profound but they may not be difficult to build into the framework at a macro level.

One point not to overlook is that many enterprise risk advanced elements in phase 4 or phase 5 have to exclusively leverage off previous exercises in the program. This happens by simply extending and expanding previous work in some cases. With this in mind, certainly as the overall risk management project gathers momentum, the risk analyst can generally expect the time for delivery of each component to decrease as the framework matures. In the short of it, it becomes easier to add elements to the risk framework once the foundations are in place.

There are many "handicapping factors" that seem to hold back the evolution of enterprise risk, let's take a look at a couple of these hurdles.

Most commonly, executive management often perceive Enterprise Risk Management to be a compliance initiative and a cost center for the firm. This kind of perspective makes for difficult budget assignments when risk departments are trying to grow their practice.

In respect to the experience factor; very few firms have walked the entire path, so there is also a really limited industry-wide best practice pool to draw from.

The introduction of the ISO 31000 risk standard over the last few years should seriously move the Enterprise Risk Management field along. However, we must also consider that the ISO 31xxx journey has itself only just begun and I fair we can expect some businesses, whole industry sectors to take a few years before they implement the ISO 31000 standards properly.

From within the risk discipline itself, there are still a lot of practitioners who lack insight around fundamental statistical models or who don't possess an understanding of finance. It is important to note that both these knowledge sets are going to be required if a business is to mature its risk framework overtime. Reaching a phase 2 level in the evolutionary journey is fine but without additional knowledge, the other phases found in Enterprise Risk Management will be unobtainable for the average risk analyst.

Curiously, if the economy moves towards a recession, then it may be the firms with the more resilient and mature risk frameworks that survive.

1 comment: