It is very hard to talk or write intelligently about risk and its management when your language gets in the way.
A new COSO paper, written by two individuals I have known a long time and for whom I have great respect, is trapped by one awful word, a true four-letter word: ‘risk’.
Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management is based on COSO’s 2017 update of its 2004 ERM Framework. Their intent is to explain how effective ERM can add value to an organization, and to give some guidance on how to implement or upgrade it.
But it is bedeviled by this four-letter word.
There is no common and shared understanding of what the word means. Is it:
- The possibility of something bad happening?
- The effect of uncertainty on objectives? (ISO 31000)
- The effect of what might happen on the achievement of enterprise objectives, effects that can be good, bad, or both? (Marks)
Let’s start with some excellent language from the document. They say (my highlights):
- COSO’s 2017 Framework, Enterprise Risk Management – Integrating with Strategy and Performance, defines enterprise risk management as: “The culture, capabilities, and practices, integrated with strategy-setting and performance that organizations rely on to manage risk in creating, preserving, and realizing value.”
- …in today’s risk environment, improved risk management processes are needed to ensure that organizations are successful.
- …the role of ERM [is] not just that of a separate staff function but [is] integral to how an organization creates and preserves value.
- …improved risk management practices can contribute to improving performance and helping the organization create and enhance value.
- The 2017 Framework clearly positions ERM as an activity whose role and objective are helping the organization to create and protect value. It accomplishes this by helping the board and management make better informed decisions…. The overall objective of ERM is accordingly, enhanced performance of the organization. It is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.
- …its benefit is improved decision making and ultimately improved performance of the organization as it strives to meet its mission and achieve its strategies and business objectives.
I have noted these because, as COSO states, the objective of ERM (or whatever you want to call it) is helping the organization succeed. It is not limited to protecting value from harm. It includes enabling the organization to create and realize value.
Focusing on avoiding failure is not the path to achieving success.
The authors note that the benefits of ERM include:
- Increase the range of opportunities by considering both the positive and negative aspects of risk
- Increase positive outcomes and advantages while reducing negative surprises
This is spot-on from the authors:
Another way to look at the benefit and value of ERM is its contribution to better decision making. Boards and management are constantly faced with decisions ranging from strategy decisions to day-to-day decisions. An ERM process provides additional risk information related to the strategies to enable them to make better informed decisions to create and protect value.
But then language impairs the message as the authors continue.
They are sucked into focusing their total attention on the possibility of harm. Even though they have talked about achieving success, and that there are possibilities of both loss and gain from events and situations, they limit ERM to addressing things that might happen to impair (i.e., ignoring the possibility of enhancing) the achievement of strategies and objectives. They are concerned only with protecting and not creating value – despite the title of the paper.
More excerpts:
- Following the updated Framework, the organization is trying to identify those events that might impair its ability to achieve its strategies and business objectives.
- The key risks that ERM is focused on are those events, and the resultant outcomes, that could impair the organization’s ability to implement its specific strategies.
- It accomplishes this by helping the board and management make better informed decisions that enable them to effectively manage those risks that could impair their ability to achieve their strategies and business objectives.
- ERM helps not only identify risks but also assesses which risks are significant enough to impair the organization’s ability to achieve its objectives.
When the South African Institute of Directors updated their code of corporate governance, providing us with the excellent King IV code, they changed from talking about ‘risk’ to talking about ‘risk and opportunity’. That is better, but still doesn’t entirely get us to where we need to be: talking about the ability to increase the likelihood of success.
Manage success, not failure.
Here’s a simple example of why focusing exclusively on the possibility of harm will lead to the wrong business decision.
The company is considering making an acquisition. The acquisition is expected to increase the potential for credit loss for the post-acquisition enterprise by $5 million based on the prior experience of the acquired business. The risk manager worked with the company’s Credit Department to assess the total company credit risk and says that there is a 10% likelihood that the company will exceed the defined risk appetite.
The CEO correctly points out that while he doesn’t want to incur additional credit losses, the acquisition is 80% likely to deliver an additional $50 million to the company’s bottom line.
The point is that the acquisition will not only increase the possibility of harm, but the possibility of reward.
Effective risk management (in my world) is about providing decision-makers with all the information they need on all the more significant things that might happen, both good and bad, so they can make an informed and intelligent decision.
I’m fine with the idea of starting an ERM program with the ways in which the enterprise can deliver value to stakeholders.
Then, ‘what might happen’ is factored in when setting objectives and related strategies. It’s not after-the-fact. It’s an integral part of objective-setting and then deciding which strategies to adopt to achieve the objectives. (In other words, don’t assume that the right objectives are set, which is what COSO ERM does.)
Once objectives and strategies are set, understanding and monitoring what might happen is appropriate. But don’t monitor only the possibility of bad things happening; make sure you are able to take advantage of the good, the opportunities that may arise. For example, will you know when a competitor stumbles or a customer has a greater than expected need?
When you consider the possibility of harm, weigh that against the possibility of reward.
Ongoing decision-making should be based on an understanding not only of what could go wrong and what needs to go right (glad to see the document using my language here), but also what could go even better than expected.
But limiting ERM to managing a list of risks is not effective management of the organization for success.
My advice:
- Stop using the awful four-letter word. Instead, think about how you should consider what might happen so that you have an acceptable likelihood of achieving your objectives: being successful.
- Talk about how you can increase the likelihood of success; talk about what might happen. (Read my books)
- Don’t monitor and address only the possibility of harm but also the possibility of greater than expected reward.
- Weigh all possibilities and make informed and intelligent decisions.
- Make sure that all decision-makers know how to make the informed and intelligent decisions necessary for success.
- Make sure all decision-makers know how their decisions might affect the likelihood and extent of success. (Risk appetite is generally less useful than people think because it focuses exclusively on the possibility of harm, without considering the possibility of reward.)
I welcome your thoughts.