There’s some good material in KPMG’s Enterprise Risk Management Benchmarking Study, subtitled Evolving to an active, integrated and agile approach amidst change and disruption.
Here are some excerpts, with my comments, in the order in which they appear in the report.
- Companies are rightly questioning the strength of their ERM programs in the face of rapid change, competitive disruption, an unrelenting news-cycle, and a global crisis in trust. Unfortunately, this questioning may come after a major risk incident for an organization, when vulnerabilities become apparent. Despite seismic shifts in the environment and a critical need for risk agility, the evolution of ERM is slow.
Comment: While it is important for organizations to “question the strength of ERM”, they should start with questioning why they have a program in the first place. No significant progress is going to be made unless and until organizations realize they are not in the business of managing risk; they are in the business of managing the business for success, which means achieving their objectives. Then they should question how ERM is supposed to help that, and the answer is that it should provide actionable information about what might happen so they can make the intelligent and informed decisions necessary for success.
Evolution is slow because too few are replacing the management of risk with the management of success.
- ERM has the potential to contribute significant organizational value, helping organizations navigate both the opportunities and threats that risk present. In our survey, companies are making the right moves to address risk, but the question is… are they moving fast enough?
Comment: I concur that we need to manage both opportunities and threats. I only wish more people understood that the same tools and techniques can and should be used to understand both upside and downside – and then make a decision that weighs all the things that might happen and their effects on achieving objectives. I don’t concur that organizations are making the right moves. They don’t understand the basic nature of the problem – it’s not about managing risk, it’s about managing success.
- Risk registers and heat maps are commonly used to document, prioritize and report on risks. However, ERM leaders see the opportunity to reduce the administrative burden of documentation and evolve to higher-impact reporting. An annual risk assessment process is still the predominant practice, but some organizations have been able to evolve to a more continuous approach.
Comment: KPMG points out the failure of most to do more than a periodic review of so-called top risks. But they still focus on reporting risks instead of reporting whether enterprise objectives are likely to be achieved.
- A majority of surveyed companies expressed a desire to better connect risk and strategy, often citing the 2017 COSO Guidance on Enterprise Risk Management – Integrating with Strategy and Performance. Most indicated that while their executives informally consider risk during strategic planning, ERM often didn’t have ‘a seat at the table.’ For those organizations that have integrated ERM and strategic planning, natural advancements have been made in emerging risk management and consideration of risk as not just a threat, but an opportunity.
Comment: How can you set the right objectives and strategies without a disciplined approach to considering all the things that might happen to affect their achievement? You can’t, unless you are lucky.
- One company has been able to correlate enterprise risks to potential impacts on strategic priorities and understand risk connectivity by adopting a dynamic risk assessment approach*. This has allowed business leaders to more deeply understand top risks, the interrelationship between risks, and the impacts of risk contagion, which has improved the clarity of what they must get right and what they cannot afford to get wrong.
Comment: It is easy to start with risk and then link to affected strategies. It is perhaps less easy to start with the strategies and ask (my questions, thanks KPMG for adopting them) what must go right and what can’t we afford to go wrong?
- Study participants acknowledged that while the concepts of risk appetite and tolerance are sound, they struggle with practical application.
Comment: No surprise here! Guidance needs to be provided to decision-makers at all levels on how to take the right risks. Risk appetite at enterprise level simply fails that test. At best, it’s an after-the-fact check to see whether undesired risks have been taken. Too many fool themselves, investors, and regulators by expressing their risk appetite in aspirational language (such as “we have no tolerance for fraud or failure to comply with laws and regulations”) that is not actionable.
- ERM leaders recognize that executive leadership needs to be more than just aware of top risks, rather they need to adopt a risk mindset, model behaviors and integrate appropriate risk management (including risk taking) practices into their approach. Leaders need to “walk the talk” in order to realize the value of ERM and grow a risk-aware culture. Respondents described a number of tactics to drive leadership engagement including concentrating effort on key leaders and influencers, evaluating the frequency and duration of risk discussions, improving reporting (e.g. dashboards and scorecards), and the formation of a dedicated risk committee.
Comment: How about having success or strategy performance discussions instead of siloed and out-of-context discussions of risk? Stop trying to get business leaders to use the language of risk and start having risk practitioners use the language of business. Talk about the likelihood of achieving objectives instead of whether the risk is high.
You don’t want to create a risk-averse culture that is afraid of seizing opportunities because something might go wrong – and they don’t know how to weigh the upsides and downsides together.
- In general, enterprise risks are being discussed by senior leaders on a quarterly cadence, with the broader support of a risk champion network. For most organizations, the Audit Committee has responsibility for risk oversight at the Board level. Board level reporting was generally semi-annual, with a focus on the top 5-10 enterprise risks inclusive of strategic risk, status reporting on priority risk response efforts, and ERM program updates for more mature programs.
Comment: This is enterprise list management, not management of the business for success.
- Many companies equate risk culture with tone at the top because you can’t have a healthy risk culture without it. A strong risk culture starts with leaders, who are not only engaged, but actively modeling desired risk management behaviors, setting clear expectations for their teams, taking a longer-term view and showing through their actions that risk management is something all employees must embrace — not just senior leaders and risk practitioners.
Comment: This is true, except that risk management is not about focusing only on threats. Learn what to talk and only then walk it.
- Attention should be given to sharing stories of success and lessons learned to make the impacts of risk and the connection to routine decision-making real.
Comment: Excellent, especially the reference to decision-making.
- It is more important than ever to get risk management right. Effective ERM will empower leaders to take the right risks, realizing significant strategic benefits (e.g. first mover advantage), support organizational agility and learning, and strengthen organizational resiliency and sustainability in a very uncertain climate.
Comment: Correct. But that means enabling and empowering decision-makers at all levels to make informed and intelligent decisions that lead to success – not just avoiding failure.
I welcome your opinions.
Norman D. Marks, CPA, CRMA, retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.