In a recent blog, an Australian compliance consulting firm posited 10 reasons why ERM programmes fail during implementation. The blog was reacting, purportedly, to a PwC publication on internal audit which was, in turn, based on 1,530 responses to an online questionnaire, supplemented by interviews with, predominantly, audit executives. The headline results indicated that 74% of respondents’ firms had ERM programmes in place, but only 45% reported “they were comfortable with how well their most critical risks are being managed.” Hmmmm. Reviewing the list offered in the blog caused me much concern as, inadvertently, it highlighted many of the problems with what we might call the ‘ERM practitioner community.’ You can see the original list here.
This prompted me to think about what would be on my list. Here we go:
1. Auditors and risk managers who leap for explanations of failure based on culture.
As I discussed in an earlier post, this argument is circular. ‘Unsupportive cultures’ is usually shorthand for either (a) failure to understand the interplay between the many professional, disciplinary and business group behavioural routines or ‘cultures’ that inevitably exist in a firm, or (b) failure to design an ERM programme that executives believed would be effective.
2. Getting the wrong GRC software (or resorting to spreadsheets)
Of all the myths about governance and risk, this one has the clearest self-interest in evidence (but it is only one of many potential candidates for that accolade). GRC software is, typically, simply a relational database which puts downside risk at the core of processes or objectives or business groups or a combination thereof. Yet the same people who call for these databases to be deployed also demand ‘top 10 lists’ for executives. I have heard risk managers boast proudly of capturing in excess of 10,000 risks in a firm. This is self-perpetuating and self-justifying madness – utter irrelevance which deserves to fail.
3. Using the acronym GRC
A material part of the problem is the dangerous conflation of governance with risk with compliance. Each of these things is different. Each has a valid role but risk is not and cannot be allowed to be a compliance activity. Excessive and careless regulation of risk in the financial services sector seems to be principally to blame. But outside financial services, the rot has spread with even greater popular support for digestible approaches that ‘tick the box’. Governance involves the actions and behaviours of the boards of directors who govern (legally) the firm. GRC software reduces its relationship with risk to a compliance process. Again, madness, but profitable madness for the software suppliers.
4. Thinking there is such a thing as a common risk language
This one has a distinct genesis. In a publication for Andersen in the 1990s, Jim Deloach, then Andersen partner responsible for risk management globally, stated this as gospel truth. It is seldom challenged. But it was then, and it is now, utter nonsense. Everybody seeks to make sense of and manage risk constantly in their lives. Yet somehow, at work, we require them to learn a special language that is the preserve of the semantic guardians in the risk management fraternity. We have a language for value in the firm, which (along with human life) is what ERM is supposed to protect. We have a language for uncertainty and for analysis of variance. What we lack is a granular-enough understanding of uncertainty and exposure to uncertainty.
5. The KISS myth and blaming ‘excessive quantification’
If you are not numerate, you cannot claim a serious and additive role as a risk analyst. Life is complex. Organisations and markets are complex. Managers realise this. When you combine that with a realisation that risk management is predominantly about how to handle uncertainties and interactions in those environments, the exercise requires at least an appreciation of uncertainty. ‘Keeping it simple’ is neither realistic nor contributory. Excessive quantification is never the problem (although it may be an unnecessary or inefficient use of capable analysts). The problem arises when managers (and, sometimes, the analysts themselves) forget that “all models are wrong, but some are useful,” in the words of George Box. The problem is not excessive quantification; it is presuming that the results of the quantification are a reality in and of themselves, rather than a reduction based on assumptions of varying utility in different contexts and operating conditions.
6. Use of linear control or risk models: COSO and ISO delusion
This is the grand-daddy. There seem to be armies of risk managers who, for one reason or another, are devotees of one of the reductionist, process-based frameworks purporting to represent enterprise risk management – AS/NZS 4360, COSO ERM or ISO. These frameworks have never been shown to increase effectiveness; they are variants of a form of risk orthodoxy that involves stylized workshops, preparation of risk registers and representations of risk as point-estimates in risk matrices. The flaws of each of these activities are well documented. Curiously, in the right circumstances, this form of ‘risk management’ may result in short-term improvements in identification of risk, driven by the increased salience of participation in such exercises, but, equally, identification may decline. The idea that making sense of complex phenomena can be reduced to compliance activities or conducted as a linear sequence of mechanistic steps is laughable – or would be if it were not potentially so destructive. For these reductionist, linear models to be taken seriously, there needs to be robust and objective assessment of their impact, which is yet to occur; to the extent it has, the results are not encouraging for the COSO and ISO disciples.
A summary of my view would be: there is nothing essentially wrong with the idealized, linear depictions of a notional ‘risk management process’. But the world is not linear; people try continuously to make sense of it, with mixed results. Presenting risk or handling of uncertainty as if it can be approached using a pre-defined process is seductively simple, but misleading. Risk is not a single construct; it cannot be approached knowledgeably using a single technique.
7. Pretending risk management can be comprehensive
A common feature of ERM programmes is that they purport to cover risks comprehensively or require that executing managers do so through a series of programmed steps. This is not possible epistemologically. Risk management processes cannot uncover things that we do not know that we do not know, variously described as ‘unknown unknowns’ and ‘unknowables’. Programmatic responses to these are not meaningful and cannot be effective.
8. The KRI myth
There is no such thing as key risk indicators – the phrase provides false assurance that we can predict the future and does considerably more harm than good (and makes major chartered accounting firms a lot of money). There are plenty of performance indicators that, with the right supporting analysis, can indicate that performance is moving positively or negatively. More interestingly but less robustly, previous correlations and observed lags in variables can indicate that conditions or performance may, in future, improve or deteriorate. But relationships and interdependencies can and do change. Forecasting is an art, not a science. We should treat it as such.
9. Attempting to create a risk profession
Since the mid-90s, all manner of professional institutes (including one of which I was national president in the mid-90s) have made land-grabs for risk management. Actuaries currently lead the field. Also, specific institutions (such as IRM) have emerged representing themselves as the risk profession. The problem is that there is not, nor should there be, a risk profession. Risk is inherent in every human endeavour. “Man must strive, and in striving he must err”, as Goethe pointed out. Similarly, risk infuses every aspect of corporate life. Dealing with it is not the sole province of any professional group or activity, but of all groups and activities – to be effective, risk must be genuinely inter-disciplinary. To be effective at managing risk, we must fuse knowledge from engineering, from economics, statistics and econometrics, from psychology (and, perhaps, neuroscience), from philosophy, from anthropology and sociology . . . the list goes on. That does not seem to lend itself to establishing a ‘risk profession’. A more useful metaphor might be a ‘risk lens’ through which each participating professional group views its practical professional contribution.
10. Underestimating managers
Idealistic, reductionist COSO and ISO theorists forget that most risk management is – and should be – intuitive and judgment-based, albeit well informed. Everybody deals with risk all the time and, often, not very well. Indeed, psychology is continually expanding our understanding of the systematic biases in human perception and decision-making, both individually and in group settings. The danger with most risk practice is that it risks (no pun intended) classic displacement – by formalizing risks in registers and with a separate function, managers can displace responsibility for the risk: ‘on a risk register’ becomes out-of-sight; out-of-sight becomes out-of-mind. Perhaps being kept awake at night thinking about risk can, sometimes, be a good thing.
In my experience, senior executives and non-executive directors do not find risk management exercises useful because intuitively they understand that reality is messy, uncertainty predominates and stylized point estimates of risks are neither operable nor realistic. But, without a better approach to offer, they nod politely and make soothing sounds. And then something happens that no-one foresaw and they – and everybody else – need to scramble to react. Then they get angry and interrogate their ‘risk manager’. Then they receive an explanation that no system is perfect and the process returns to some sort of equilibrium. Useful or not? You be the judge.
So, what can we do about risk?
Despite these reservations, there is a huge amount we can and should do organizationally to improve our management of risk and uncertainty. Realistic programmes of risk management are not only possible but essential for firms to improve their focus on anticipation, future-proofing, crisis management and their long-term performance. But most risk programmes – most ERM programmes – as they are currently constituted are a compliance-driven distraction and a waste of resources. And that is why they fail.
How we train people in risk is a large part of the problem. There is no place for the “this is how you should do it” school, so prevalent everywhere. We need a lot more thought and a lot more focus on meaningful interventions that assist managers to make sense of the risks and uncertainties they face and their impact on strategy, planning, financing and operations. And a lot more humility about our understanding of culture. That would be a first step to more meaningful ERM programmes and reduce their probability of failing through irrelevance.