What’s Wrong with Enterprise Risk Management?

1. Introduction

Over the last twenty years, enterprise risk management (ERM) has gained greater recognition as a key factor in good management and good corporate governance. Many regulatory bodies are now requiring boards of directors to be more involved in overseeing risk management and most companies are seeking to implement ERM or key aspects thereof. For example, the Dodd–Frank Wall Street Reform and Consumer Protection Act recommended that foreign bank holding companies and U.S. bank holding companies (over a certain size) establish a risk committee of the board, among other risk-related requirements.

Unfortunately, the success of ERM implementation has been less than expected. Beasley and Branson (2022) find that only 56% of large corporations reported having complete ERM processes in place. We have found that many organizations struggle with the implementation of ERM despite copious articles and the use of consultants.

In this paper, we explain the reasons for these failures and provide practical advice on how to succeed. Based on our observations and experiences, we identify seven common problems with the way organizations go about implementing ERM. We discuss these problems in the next section.

2. Common Problems with ERM Implementation

In this section, we describe in detail seven common problems that organizations make that impede ERM implementation. We provide guidance on how to avoid these pitfalls so that an organization can excel at ERM.

These common problems are:

• An over-emphasis on reporting
• Not enough injection into the decision-making processes
• Too much adherence to a static process
• Treating risks as discrete items
• The misuse of models
• The belief that all risk is bad
• A lack of role clarity

2.1. An Over-Emphasis on Reporting

Here is a brief summary of what ERM was initially intended to do. In 2000, before the International Organization for Standardization (ISO) and Committee of Sponsoring Organizations of the Treadway Commission (COSO) standards were published, many early adopters of ERM sought to improve their competitive performance and increase value through rational, strategic, coordinated risk-taking; to build transparent cultures where people were comfortable openly discussing risks and sharing their honest opinions about ways they might fail; i.e., stimulate conversations about uncertainty that are used to prioritize actions or alternatives or to allocate resources. From time to time these conversations would result in artifacts such as reports or lists of risks and associated treatment strategies, which might be shared periodically with boards of directors and oversight groups to stimulate more conversations and build understanding of the role of uncertainty in the business. Reporting was a by-product of ERM, and not its central purpose.

Several things happened that knocked many ERM practitioners off of this course in the early days. The first of these was the Sarbanes-Oxley Act (SOX) in 2002. At the time, many organizations lumped SOX in with ERM. ERM conference agendas suddenly shifted from being about building more effective tools and processes to understand risk, to being all about SOX implementation and reporting. In this way, ERM became seen as more about assurance on current controls; about the present state of compliance rather than uncertainties about the future.

The second disruptor was the widespread introduction of Governance, Risk and Compliance (GRC) systems. This resulted in increasingly intrusive and complex reporting tools, more and more elaborate reporting systems requiring lots of people entering data into large databases for tracking and reporting on compliance.

And then third, there was a growing demand from boards for more and more risk reporting. On the one hand, that is a good thing: Boards are getting more sophisticated in terms of their understanding of their role for risk oversight (Fraser 2016). However, the problem is that, for many organizations, the central role of the ERM group has become the production of lists and reports on risks for consumption by the board, as opposed to actually helping the organization by enabling better decision-making under uncertainty. One board director at a large, fast-growing company, recently complained to one of the authors that the only time he ever saw risk assessments associated with major proposals was post hoc, i.e., after the choice had been made. There were no conversations; it was purely one-way presentations to justify recommended courses of action. In his view, the organization was missing out on the benefit of discussing uncertainties associated with these major strategic choices with the board and receiving their guidance, advice, and perspective.

As a consequence of this massive shift toward ERM-as-reporting, in many organizations, managers’ and executives’ only interaction with their ERM group is feeding periodic, quarterly or annual bottom-up reporting cycles. ERM is not seen by them as a tool for making better decisions. Instead, it is seen as a way to describe or justify choices already made, or to placate senior management, boards, or oversight groups.

Recent experiences with COVID-19 are another good illustration of this. One of the authors is a member of the Strategic Risk Council (SRC) for the Conference Board of Canada, a round table of chief risk officers (CROs) and other senior risk executives from a variety of sectors. When the COVID pandemic first emerged, this seemed like an excellent research opportunity. Businesses were going through a once-in-a-century crisis, and all were going through it together, so it seemed like a good idea to diarise the collective experience of all these organizations’ risk management groups. So the SRC got many CROs signed up, and had three or four different small group video conference calls each week where they shared what they were dealing with in real time. What they learned from those sessions was very disappointing, because many were working on similar, short-term problems such as: how to get people working remotely, how to procure and distribute sufficient personal protective equipment, how to maintain supply chain integrity, and other immediate matters. Many CROs were engaged in assembling packages to placate their boards of directors and convince them that they were prudently managing the risks associated with the crisis. But few executives seemed to be asking the important risk-related questions, “What are the long-term implications for our business of this global event? How might this event affect markets, or our competitive position with our customers or stakeholders?” Few seemed concerned with exploring the strategic implications of the pandemic. One organization actually shut down their entire ERM program for two years so the staff could help manage the current crisis.

The global pandemic presented a wonderful opportunity to demonstrate the value of ERM; to help figure out these issues and understand the risks and opportunities. Surprisingly, most risk managers missed it. Why did they miss it? In many organizations, the ERM group is not seen as a support resource for making better decisions under uncertainty. Instead, they are seen as the “heat map people”.

Similarly, partway through the global pandemic, we published a paper recommending how organizations should seize the opportunity during COVID crisis to consider the longer-term implications of risks to their operating environments (see Fraser, et al. 2021a). This advice was largely ignored.

2.2. Not Enough Injection into Decision-Making Processes

In the 1980s, Nike wanted to ‘own’ the basketball shoes business. So they went into big cities in the U.S. where kids were playing streetball. And they found the best players and gave them Nike shoes. They gave their shoes to the “cool kids” so the other kids could see the “cool kids” use the shoes as a tool to succeed, and so the other kids would want them too (see for example, Stonebrook 2021).

This is an excellent metaphor for promoting ERM within organizations. Find the people with the powerful process, or working on the messiest problems, that are open minded and willing to consider innovative approaches, and “give them sneakers”, i.e., give them tools, help support them in making better decisions and also communicating the rationale for their decisions to their boss. Pretty much without exception, in the authors’ experience, every organization that has ERM as a leading practice for a decade or more has followed that kind of approach: they identified the important processes or problems in their business, and then found ways to customize their ERM approach so that it was a provocative force for improving those processes and helping enable better decisions.

ERM must not be a silo. It must be a provocative agent, a disruptor. It is most effective when it gets injected into the most powerful, complicated, and risky decision-driven processes in the enterprise.

The following are several examples of specific ways to improve the impact of ERM through this kind of process-injection:

• Strategic planning. Risks are represented in the O (opportunities) and the T (threats) of SWOT. It is a natural fit.
• Business planning. Using bottom-up risk assessments as a driver for decision making and trade-offs about where to allocate resources, and ensuring the plans are aligned with the business strategy.
• Outsourcing. An outsourcing contract is not just the allocation of money and services; it also allocates risks between the two parties. So why not transparently identify the risks related to the body of work that is being outsourced, use the contract to explicitly assign the risks between the two parties, and figure out how to make sure that they are oriented towards managing the critical things? (Quail 2021c).
• Investment prioritization. For every dollar available to the business, where should that money be used? One of the factors should be where can that dollar do the best in terms of mitigating risks and managing uncertainty about the achievement of the business objectives. Embed risk management right into those prioritization processes (Toneguzzo 2021).
• Technology projects. There is a saying that there is no better way for a chief information officer to lose their job than to try and replace the enterprise resource platform or other enterprise technology in the business. It is risky work. Therefore, it follows that risk assessments should be done; not just the Project Management Office tools and methods, but in terms of scoping, resourcing, timing, vendor selection, and the all-critical go/no-go decision before go-live and the resulting effects (Winters 2021).
• Regulatory compliance management. Many businesses are involved in very complicated regulatory environments and it can be a challenge for organizations to prioritize where to allocate resources for compliance management and control. Risk management can help organizations prioritize resources by exploring this question: Which of these regulatory requirements, if not met, has the bigger potential to cause harm or affect the achievement of the stated business objectives?

2.3. Too Much Adherence to a Static Process

The ISO 31000 risk management process is a good one (see ISO 2018). But one of the problems with any standardized process is it implies that there is only one way to go about it. There are some great thinkers on the topic of ERM in academic circles, in particular Anette Mikes, Associate Professor of Accounting, Saïd Business School, University of Oxford, and Bob Kaplan, Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School, who have written that they believe that the ISO and COSO standards came out too early, and that they've been a drag on innovation ever since. The models suggest that there is but one process that is the pathway to ‘goodness’ in terms of managing risks as a business (Kaplan and Mikes, 2012).

But there are other useful, valid risk management processes; here are some examples:

• Black Swans, or extreme-end-of-tail risks (Taleb 2010). These risks are very unlikely but have the potential for extreme impact. The tools that one normally uses for prioritizing risks does not work anymore. Instead, one needs to identify other ways to learn from potential Black Swan type scenarios as a kind of thought-experiment: i.e., if one of these scenarios occurs, is the organization resilient enough to be able to react in time, or at least faster and better than the competitors?
• Scenario planning exercises as pioneered by Royal Dutch Shell (see Schwartz 1991 and Wilkinson and Kupers 2013). Remember: the ISO definition of risk is the effect of uncertainty on objectives. What scenario planning does is test to see whether those are the right objectives in the first place. In this way, it's about risks not to the strategy, but of the strategy. We note that, in the wake of COVID and climate change concerns and the war in Ukraine, there has been a recent resurgence in the popularity of scenario planning.
• Custom criteria should be developed to help inform decision making, e.g., developing a technology road map for an organization by applying things like priority, opportunity in capacity as well as an assessment of risks in the organization’s ability to deliver.
• ERM can be dovetailed into strategy setting through exercises like the risk appetite process (Quail 2021b, Ismail 2021).

In other words, there are ways to assess uncertainty and prioritize risks without going through the same old identify-assess-evaluate process as described by the ISO standard.

2.4. Treating Risks as Discrete Items

Most risk professionals who do ERM generate lists of the top risks. Risks are brainstormed or extracted from a risk universe or from a registry or some other source. They are assessed individually using some set of criteria and ranked. There may be some kind of roll up for the organization or maybe workshops or risk assessments with the executive team and senior levels of management. By whatever means the risks assessed are ranked and delivered to the folks in charge to improve their understanding, and hopefully stimulate conversations. For more information on risk management workshops, refer to Quail 2021a.

However, risks do not act in isolation. Risks are not discrete elements. They are inter-connected networks. ERM is a dynamic ecosystem. Failure of one part of the business can affect the success of others. For example, surprises in human resources might affect the technology performance and vice versa. Not enough is done to try to understand and depict how risks interact or fully map out the implications if a risk event in one area actually occurs.

Figure 1 provides a rudimentary example of a visual tool that can be applied to understand how risks are inter-connected. In this fictitious organization that has outsourced its I.T. infrastructure management to control its risk and reduce cost, the risk of mismanagement of outsourcing can affect other things on the map. In the figure, the downstream impact of this outsourcing governance failure on other risks is depicted graphically. This is one simple example to illustrate what every risk manager should be doing -- this kind of modeling and sharing it with decision makers.

In the wake of the COVID crisis immediately followed by the war in the Ukraine, businesses have been operating on a crisis mode or dealing with various fragilities or discontinuities in their business environment. Many aspects of their business, such as the supply chain or human capital, remain fragile. One should fully expect that any organization will experience at least one major surprise -- a “second punch” -- in the next few years. The question is: Can they take that punch and do they know how risks could materialize, multiply, and/or accumulate? For additional information, see Winters (2021).

2.5. The Misuse of Models

Models are useful but they are almost always wrong. In 1976, a British statistician named George Box wrote the famous line, “All models are wrong, some are useful.” The real world is much more complicated than we can ever represent in a single model.

Figure 2 was posted on LinkedIn in 2021 by a “risk expert” as a way to try to convince other people to use their services. What they said is that there are two potential investments: Investment A at the top and Investment B at the bottom, and there is a heat map for each. Readers were supposed to choose one of the two investments based on the heat-map. The question itself was alarming in its naiveté. What was even more alarming, however, was the number of other “experts” who tried to answer it.

There are so many concerns with this question.

• First, a risk is not a single combination of impact and probability. A risk is associated with the range of outcomes of different probabilities; a risk is a curve, not a point. Now, usually when heat maps plot risks, there is a spot on the map that represents something like a worst credible impact. But that's only for prioritization or to give a vivid summary picture for senior executives or the board of directors. It does not convey nearly enough information to allow anybody to make any kind of actual decision.
• Second, these two risks in these two maps may not be defined in the same way. It could very well be that Investment B involves an array of lower level, more granularly defined risks, and if you added them all up, they might add up to something that is at least as big as the risk in Investment A. So that's another problem with heat maps: the definition of the risk, the scope of the risk, and the scale used when evaluating the risks.
• In Investment B, should one of these risk events occur, there may be a domino effect, and once it finishes playing out, there may be a much bigger impact than was identified in the heat map for Investment A.

Heat maps have their very limited purposes, but this kind of decision making is definitely not one of them. And yet, dozens of risk “experts” on LinkedIn thought that they could choose between these two alternatives based on these two heat maps.

Models like heat maps are only constructed to summarize priorities, encourage thinking, and stimulate conversations. They are not realistic depictions of decision-scenarios. Decision makers have to be reminded that risk models have limitations. Simple models like heat maps are tremendous simplifications of very complicated realities.

The point is not just about heat maps. Many of the times there can be real trouble because people trust the models too much. Speculative bubbles are consequences of people trusting valuation models too much. Various banking and financial crises have been about people putting too much faith in metrics, indices numbers, dollars and/or trends (Lowenstein 2000).

2.6. The Belief that All Risks Are Bad

Every organization (including hospitals, government agencies, churches, banks, or software companies), regardless of size or scope or focus, is in the business of putting assets at risk with the expectation of yielding some kind of return. It is how they make money, it is how they innovate, it is how they increase their influence, it is how they beat their competitors. They all put their assets at risk: their money or their intellectual property or their human capital or their reputation. Otherwise, nothing gets done. Risk is necessary. Risk is good.

However, many people, when they interact with ERM, seem to think that all risk is bad; there is this fixation on the downside.

There are two reasons why people perceive risk is bad. First, it can be what they read, e.g., from regulators, also from sources such as Sarbanes Oxley and GRC. These are all about catching and reporting on non-compliance. Much of the upward reporting done seems to focus on the bad stuff, the exceptions, and the gaps.

Second, it can be about where the ERM group reports organizationally:

• Some organizations combine risk and insurance. Insurance is about the avoidance of loss, i.e., downside.
• Others have combined ERM with Internal Audit. The role of Internal Audits is basically to identify potential weaknesses in internal controls, i.e., downside.
• Others place their ERM group so they report to a General Counsel. What's the General Counsel's job? Avoiding legal or commercial risk exposures, i.e., downside.

Consequently, there is this combined problem of using the wrong tools, and reporting to the wrong places. This is why risk appetite is so important. Organizations need to understand their risk appetite and risk tolerance. What risks should be taken? What risks are deliberately chosen? There is no better way to enter into that kind of conversation than getting into an executive discussion about risk appetite. Quail (2021b) presents a practical method for developing a risk appetite that aligns with the strategic ambitions of an organization. If one thinks about the different strategic objectives:

• For which ones do we expect that the pathway, from where the organization is to where it wants to be, is a squiggly/non-linear line, where the organization needs to be responsive and resilient? That suggests a higher risk appetite.
• Which of the strategic objectives are ones where a small change or volatility in a key performance indicator (KPI) is going to indicate that the organization is lacking in control, and it would be better to drop everything and figure out what’s wrong? That suggests that there is a low-risk appetite with respect to that objective.

2.7. A Lack of Role Clarity

In the early years of ERM, many organizations started their ERM function as a spinoff from Internal Audit. The authors have noticed in recent years that there now seems to be a trend toward recombining these functions. More and more regulators are insisting that the chief risk officer should be an independent assurance function that reports directly to the board of directors. Combining ERM and Internal Audit or assurance, or blurring their distinct roles in this way, can weaken both functions. Internal Audit is no longer independent. Also, ERM is no longer a ‘safe’ place to discuss risks and the adequacy of mitigation, because the same person is also an auditor and part of their job is to report to the board on weaknesses in internal control and unmitigated risks. So, combining those two functions, or in fact combining ERM with any assurance function, is a problem.

There needs to be clarity in the organization as to exactly what ERM is to do. It's not just about producing reports for the board. It's not about providing assurance that the organization is in compliance with SOX. It’s not about blowing the whistle when there’s a risk that the organization may think might be excessive. It’s about helping stimulate conversations to allow management to make better decisions about where the organization allocates resources, what risks to accept, and what risks won’t be accepted. It is about building tools and models all the while clearly communicating their limitations to help support better decision-making. For further reading on ERM and emerging roles in the implementation, refer to Mikes (2021) and Fraser et al. (2021b).

3. Conclusions

In this article, we present critical examples of why many organizations fail or flounder in their attempts to implement ERM. Drawing on the extensive experience of an experienced risk manager and consultant, an ex-Chief Risk Officer, and an academic who has researched ERM extensively, we present both the causes and practical solutions to assist risk managers in being successful in implementing ERM. Numerous surveys show that the successful implementation of ERM trails the expectations of senior management, boards, and regulators (see for example, Beasley and Branson 2022). This article provides specific practical explanations of the reasons for frequent failures, as well as simple, effective techniques and guidance on how to improve the chances of success in implementing ERM. We provide references for additional guidance on the ERM challenges presented. This article should be of interest to organizations implementing ERM, to academics teaching ERM, and to risk professionals desiring to learn more on this evolving process.