
This week, I was working with the SOX team of a large US-based financial institution. At one point, the senior executive and leader of the team asked me something I had never heard before.
“Our ERM team wants me to provide them a number they can include in their calculation of the company’s residual risk. This, they say, is something required by the regulators. What do you think of that?”
I have to admit to being stunned. Silent.
Then I couldn’t hold it in any more.
“It’s stupid!” I blurted out.
ERM at this organization sounds like something from a 1920s horror movie.
How could anybody believe there is value in a single number ‘residual risk’ for a large organization?
Does it make sense to aggregate risk levels for a variety of risk sources, including cyber, compliance, credit, liquidity, competitor, and internal control over financial reporting?
Does that help management make any decision? How is it actionable?
Does it help the regulator understand whether management is putting the interests of stakeholders in jeopardy?
What I will bet is happening is this:
- Each type of risk at the organization (including but perhaps not limited to those I listed above) is individually assessed. They use a single number for the potential impact (in other words, they don’t consider a range) and then calculate a ‘risk level’ by multiplying that by the likelihood of an event or situation occurring that might have that effect.
- They then add the risk levels of individual types of risks together.
- They then, perhaps, compare that number to a pre-determined ‘risk appetite’.
This is wrong on so many levels. I have discussed why many times in this blog and in my books, but:
- There is a range of potential effects, not a single point
- Multiplying one point on that range by its likelihood has limited meaning
- Adding these risk levels together is mathematically unsound
- The whole process ignores the fact that any event, situation, or decision gives rise to many potential effects – some of which are positive
- The context for risk-taking is ignored: objectives and strategies, what the organization is trying to achieve. How does this help you assess whether the organization is likely to achieve its objectives?
- The calculation does not provide the regulators with information that will help them assess whether the organization is unacceptably likely to become illiquid, etc.
- This is not how people make (or should make) decisions
- This exercise is likely to mislead rather than provide meaningful and valuable information
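As an added illustration (my own, not part of the original post, with constructed figures), the Python below puts the two approaches side by side: the register arithmetic of one impact point times likelihood, summed across risks, versus the exact distribution of aggregate loss obtained by convolving each risk’s loss distribution. It goes slightly beyond the text in that each risk may carry a range of losses rather than a single point. The two constructed portfolios, five “frequent but small” risks and five “rare but large” ones, produce exactly the same summed ‘residual risk’ of 50, yet the chance of breaching a 300 appetite differs by almost six times. The independence of the risks and the appetite figure are assumptions of the example.

```python
# Added illustration (not from the original post): the same summed "residual risk"
# number can hide very different chances of breaching an appetite. All figures are
# constructed, and the risks are assumed independent.


def point_risk_level(likelihood, impact):
    """The register arithmetic being criticised: one impact point times likelihood."""
    return likelihood * impact


def mean_loss(losses):
    """Mean of a conditional loss distribution given as {loss: probability}."""
    return sum(loss * prob for loss, prob in losses.items())


def register_total(risks):
    """Sum of point risk levels, using each risk's mean loss as its single 'impact'."""
    return sum(point_risk_level(p, mean_loss(losses)) for p, losses in risks)


def loss_distribution(likelihood, losses):
    """Unconditional loss from one risk: 0 with probability 1 - likelihood,
    otherwise a loss drawn from `losses` (a dict loss -> conditional probability)."""
    dist = {0.0: 1.0 - likelihood}
    for loss, prob in losses.items():
        dist[loss] = dist.get(loss, 0.0) + likelihood * prob
    return dist


def convolve(a, b):
    """Distribution of the sum of two independent discrete losses."""
    out = {}
    for loss_a, prob_a in a.items():
        for loss_b, prob_b in b.items():
            out[loss_a + loss_b] = out.get(loss_a + loss_b, 0.0) + prob_a * prob_b
    return out


def total_loss_distribution(risks):
    """Exact distribution of aggregate loss, assuming the risks are independent."""
    dist = {0.0: 1.0}
    for likelihood, losses in risks:
        dist = convolve(dist, loss_distribution(likelihood, losses))
    return dist


def expected_loss(dist):
    return sum(loss * prob for loss, prob in dist.items())


def prob_at_least(dist, threshold):
    """Probability that aggregate loss reaches the threshold (e.g. a risk appetite)."""
    return sum(prob for loss, prob in dist.items() if loss >= threshold)


def quantile(dist, q):
    """Smallest loss L such that P(total <= L) >= q."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= q - 1e-12:
            return loss
    return max(dist)


# Two constructed portfolios of five independent risks each.
# "Frequent and small": a 10% chance of a 100 loss, five times over.
FREQUENT_SMALL = [(0.10, {100.0: 1.0})] * 5
# "Rare and large": a 1% chance of a 1000 loss, five times over.
RARE_LARGE = [(0.01, {1000.0: 1.0})] * 5
APPETITE = 300.0  # assumed appetite for the example


def compare(risks, appetite=APPETITE):
    """Register number beside what the full distribution actually says."""
    dist = total_loss_distribution(risks)
    return {
        "register_total": register_total(risks),
        "expected_loss": expected_loss(dist),
        "p_breach": prob_at_least(dist, appetite),
        "p99_loss": quantile(dist, 0.99),
    }


if __name__ == "__main__":
    for name, risks in (("frequent/small", FREQUENT_SMALL), ("rare/large", RARE_LARGE)):
        print(name, compare(risks))
```

Both portfolios report a register total of 50 (and, because the single point used here is the mean, an expected loss of 50). The frequent/small portfolio breaches the 300 appetite with probability 0.00856 and has a 99th-percentile loss of 200; the rare/large one breaches it with probability 0.049 and has a 99th-percentile loss of 1000. Nothing in the summed number distinguishes them, which is the decision-relevant information a board or regulator would actually want.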
I would appreciate your comments.