Why do we need risk management?

The latest report from the Enterprise Risk Management  Initiative at North Carolina State details risk management practices.
Too often we do things without understanding why.
Look at the latest report from the Enterprise Risk Management Initiative at North Carolina State. Their 2018: The state of risk oversight is intended to provide “an overview of enterprise risk management practices”.
I will come back to that claim.
But first let’s consider why we need to consider risk.
Some time ago, Deloitte conducted a survey and asked board members and top management the right question:
Does risk management at your organization help you set and then execute on strategies?
Tell me whether you agree with these assertions:

• The only purpose of risk management is to help leaders select and then execute successfully strategies to deliver optimal value.
• They do this by making intelligent and informed decisions (which include strategy selection).
• Those decisions are made every day across the extended enterprise by the people running the business.
• Risk management is about considering what might happen and enabling decisions across the organization to be appropriately informed.
• Effective ERM is not focused on avoiding failure; it enables the achievement of success.
• If leaders of the organization do not believe risk management is helping them be successful in setting and executing strategy, it is failing.

The study reports that only 5% assessed their ERM program as “robust”.
But what does that mean?
The respondents were asked to self-assess their program and not provided guidance, such as asking whether ERM enables informed and intelligent decisions.
So, I personally doubt that even 5% would pass that test.
In fact, the authors continue to position ERM as assessing and providing information on risks, rather than on whether enterprise objectives are likely to be achieved.
The report says something that is strikingly odd, indicating that yet again people see risk management as all about avoiding failure rather than achieving success.

…a majority of the respondents in the full sample indicated that their organization’s risk culture is one that is either “strongly risk averse” (8%) or “risk averse” (45%). Similarly, just over one-half of the largest organizations, public companies, and financial services companies indicated their risk culture is “strongly risk averse” or “risk averse.” The overall lack of ERM maturity for the full sample is somewhat surprising, when the majority of organizations are in organizations with notable aversion to significant risk-taking.

If you are not willing to take risks, you will wither away and die.
The key is to take the right level of the right risks. In fact, I strongly recommend doing away with the idea of “accepting” risk, replacing it with “taking” risk.
No self-respecting CEO or board will say they are risk-averse! That is what they are paid to do – take risks!
The report is a study of failure in action: a failure to implement risk management in a way that adds huge value in the setting and execution of strategy.
It describes these barriers:

• Competing priorities 29%
• Insufficient resources 27%
• Lack of perceived value 24%
• Perception ERM adds bureaucracy 19%
• Lack of board or senior executive ERM leadership 18%
• Legal or regulatory barriers 4%
• If leaders across the organization see ERM as a bureaucratic compliance exercise that gets in the way of success, then we should not be surprised that they are neither supporting nor funding it.

Maybe they tolerate it to appease the regulators and the board.
If only they could see how it should function!
That takes courage from individuals, whether in executive leadership, on the board, as CAE, or as CRO.
Don’t do traditional, failing, ERM.
Help people make informed and intelligent decisions.
Is ERM at your organization effective?
By the way, I congratulate my friend and OCEG colleague, Jason Mefford, on his latest book. Rock N Roll Risk Management Guide #1: Tips for Making Risk Management More Proactive, Practical, and Profitable. It’s still a draft, so watch for the final publication.
I like this advice:

• Think of risk management as a means to achieve objectives, not as liability management
• As the world continues to accelerate, we need to slow down and make mindful decisions
• Consider the full impact of events, so you make the best risk-informed decision
• Those managing risk have been trained to look for negative impacts and are often expected to minimize any liability or exposure (i.e. stop “bad things” from happening). Risk management is about helping an organization achieve its objectives in the face of uncertainty. In order to take a risk, we must expect a reward and; therefore, risk and reward must be considered together in a holistic way.
• Consider the bigger picture of what you are trying to achieve (your objectives) and focus on getting that, instead of focusing on all the “bad things” that could happen but probably never will. Spend more of your time and resources on getting the positive, while expending the minimal effort to manage the large obstacles to achieving the objective.

• About
• Latest Posts

Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Latest posts by Norman D. Marks, CPA, CRMA (see all)

• The state of SOX compliance - October 20, 2020
• Rethinking internal auditing - April 27, 2020
• What makes for effective decision-making? - April 20, 2020