In Kaplan's view of the world of risk, Enterprise Risk Management needs to move towards a contingency theory, it is currently immature but at the very least an evolving discipline.
Last month, Robert Kaplan and Anette Mikes released their paper "Towards a Contingency Theory of Enterprise Risk Management" which is based on a ten year field project of over 250 interviews with senior risk officers. Their findings are quite disturbing or to cite the author's words "many organisations remain dissatisfied with existing risk management practices" and the risk management standards of ISO 31000 and COSO come under direct line of fire.
Last month, Robert Kaplan and Anette Mikes released their paper "Towards a Contingency Theory of Enterprise Risk Management" which is based on a ten year field project of over 250 interviews with senior risk officers. Their findings are quite disturbing or to cite the author's words "many organisations remain dissatisfied with existing risk management practices" and the risk management standards of ISO 31000 and COSO come under direct line of fire.
K&M Critique
It is the opinion of the authors (Robert Kaplan and Anette Mikes) that risk guidelines which aspire to being applicable to all organisations and all types of risk introduce a major risk in themselves. Such standards inhibit risk practitioners from searching for and experimenting with innovative risk management processes.
Yet, it is my honest opinion that all businesses need a starting point on risk management and standards such as ISO 31000 are attempting to be nothing more than this.
Even though every business has suffered from uncertainty within its objectives since the beginning of time, it is only recent that an international standard on risk management has been proposed, drafted and published. Surely we can't expect any single standard to be all encompassing in a handful of years, these things do take time. Best practice needs to acquire decades to find its footing, if that is what risk managers are searching for, I am not so sure the professional ones are driven entirely with that end in mind.
Even though every business has suffered from uncertainty within its objectives since the beginning of time, it is only recent that an international standard on risk management has been proposed, drafted and published. Surely we can't expect any single standard to be all encompassing in a handful of years, these things do take time. Best practice needs to acquire decades to find its footing, if that is what risk managers are searching for, I am not so sure the professional ones are driven entirely with that end in mind.
The author's proposition that they are able to postulate a complete solution for enterprise risk management and through the same manner in which other risk standards are written, falls under the same critique the paper is attempting to describe. Mind you, there are some key findings in this paper that are worthy of 'bullet-pointing'.
- The effectiveness of risk management depends on the people who set up and coordinate the risk management processes ~ I personally would deeply agree with this statement and have found it to be congruent with my own observations of successful risk frameworks I have reviewed.
- Having a risk management department and a CRO should not predicate the belief that such functions have the backing of the executive committee ~ We all know too well that this was a major driving factor for the credit crisis.
- Risk management in some firms consists of only policing the business ~ Good risk managers are also aware that tick box exercises are not what risk management is about, risk management is far more than this, actually I am not sure it has ever been this.
- By treating red flags as false alarms rather than early warnings of danger incubates threats ~ This too has been proven in the industry of risk management at large and it featured deeply in both the Tepco nuclear reactor disaster and JP Morgan's whale trade fiasco.
- Group think with dominant leaders often inhibits good thinking about risks ~ This is certainly a difficult conundrum to resolve and it needs to be carefully addressed by a risk management unit. Risk management is perhaps more people focused than some practitioners would like to let on.
K&M View of Risk
Kaplan's and Mike's view of risk is relatively straight forward to take on board. It comprises of three supposed sources of risk, three ERM factors that need to be enabled and a set of six leading features that are found in any successful risk framework.
Nice, simple, concise or so it seems. Personally I believe that this view of risk management is neither profound nor particularly leading guidance and there is a lot more to bringing a risk management framework into operation than these factors alone. If risk management is this straightforward, the problem would have been solved when uncertainty first became a realization for businesses a millennium or more ago.
The Kaplan and Mikes paper can be downloaded from the following [ LINK ].
Kaplan's view of Enterprise Risk Management
Nice, simple, concise or so it seems. Personally I believe that this view of risk management is neither profound nor particularly leading guidance and there is a lot more to bringing a risk management framework into operation than these factors alone. If risk management is this straightforward, the problem would have been solved when uncertainty first became a realization for businesses a millennium or more ago.
The Kaplan and Mikes paper can be downloaded from the following [ LINK ].
This is really a nice blog. Contents over here are so informative. For more information about Contingency theory, have a look here. Contingency Theory – Introduction to Management (ITM)
ReplyDelete