Why ERM Doesn’t Get a Chance to Save The Day – Even Though it Should…

This is another installment in the series of articles which address the “Current State of Enterprise Risk Management in American Companies.” It leverages findings, questions and insights related to Enterprise Risk Management (ERM), derived from an extensive conducted by the AICPA in conjunction with NC State University: “2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices - 14th Edition”, and can be found at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.

I. Why Isn’t Enterprise Risk Management (ERM) Fulfilling its Value Promise?

Enterprise Risk Management is a set of processes, policies, and staff that has the potential to help companies avoid both routine pitfalls and more importantly, existential crises.  It also helps companies meet their strategic goals and avoid the humiliation of yet another quarter or year of falling short of the Board’s expectations.  Despite this potentially critical role within a company, ERM is often given short shrift, especially when it comes to prestige, funding, and necessary tools.

This article addresses this apparent paradox, and offers some suggestions for improving ERM so that Senior Management and the Board Risk Committee can finally get a good night’s rest.

II. Why Don’t Companies Rise to the Challenge of Improving their ERM Capabilities?

If the reasons for having rock-solid ERM structures and processes in place are so compelling (and what could be more compelling than saving your company from ruin?), then why do only ~ 1/3 of companies have end-to-end ERM processes or feel that their ERM processes are mature? (1).

The AICPA / NC State survey highlighted a number of excuses that Senior Management employs when justifying decisions not to fund / staff ERM upgrade efforts.  The chart below summarizes the reasons given and their relative frequency.

For this review, it’s instructive to group these reasons into clusters:

Objections / Impediments “Clusters”:

A. “Lack of Leadership / Vision” – 35%

• “No impetus to change” (22%) (1)
• “No one to lead effort” (13%) (1)

The most often-cited impediment to embracing / improving ERM was “Lack of Leadership / Vision” cluster.  Addressing this cluster would require ERM management to lay out a future-state vision for the function and mobilize internal resources.  We laid out these steps in a previous article. (2)  This appears absent, however, since Senior Management is not animated.  Beliefs such as “we’re using other methods” and “I don’t see a clear ROI for this function” suggests there is nothing animating the C-suite to change the status quo:  

B. “We’re Already On It…” – 29%

• “Other methods for Monitoring” (besides ERM) 24% (1)
• Would overcomplicate what can be best done ad hoc 5% (1)

Yesterday’s news and performance may have been ok.  However, complacency is usually not a solid foundation for most businesses or business functions, and sooner or later, especially in today’s environment, threats are bound to present themselves.  And giving the answer of “we just weren’t as vigilant as we thought” will not suffice.

C. “We’re too busy fighting fires” – 24%

• Too many other pressing needs 24% (1)

This one has just a touch of irony, as it’s akin to a homeowner saying, “we’re too busy to install smoke detectors” or “they’re too expensive,” but in the meantime have had three minor brush fires in their yard, due to three different causes.  When will the big one hit?  You don’t know, but you don’t want to find out, either.

D. “Show Me the Money” – 12%

• “Do not see benefits exceeding costs” (12%) (1)

At first glance, this argument appears sound, as ERM does not have a clear ROI, unless one is sure that a certain risk(s) would manifest, at a known dollar magnitude, in a given time frame, and the ERM system would have definitely detected it and enabled mitigation.  That scenario would have clear, hard-dollar returns.  

But that scenario doesn’t “exist in nature.”  Most of ERM’s benefits are of the soft-dollar variety, i.e., Cost Avoidance, reduction in time and effort for risk reporting and remediation, satisfying key stakeholders such as the Board, Ratings Agencies, Regulators, etc.  The good news here is that this reason wasn’t cited more often.

III. Overcoming the ERM Inertia

Everyone has heard the quote from Isaac Newton that “an object at rest tends to stay at rest” which implies that you have to apply a force to that object to get it moving.  And Enterprise Risk Management processes and organizations which have been “stuck in neutral” for a while likewise need some force applied.  Here are some ideas / messages that can get an organization moving:

1. A leader must emerge to knock over the impediments:  An ERM champion must begin the process of knocking down the impediments detailed above, using facts and exercising influence.  It won’t be easy, but this is a case of getting people to do what they know they should do.
2. The Journey of a Thousand Miles Begins with the First Step:  There are other clichés about eating elephants, but the fact is that Senior Management must be convinced that this can be approached as a series of small and manageable efforts, and not a single herculean task.
3. Prioritize based on Need / Bang for the Buck / Likelihood of Success:  A company may look at the People / Process / Technology framework for selecting ERM improvement efforts.  However, to make the best decisions on how to spend company money and focus, it would be best if the working team considered the following when making their selections:
   • Culture:  Build an inclusive function where Risk Management is part of everyone’s job.  ERM managers need to involve the first and second lines of defense with thought leadership, accountability, and ongoing participation and leadership.  New technologies now enable this much better and are currently being overlooked.
   • Need:  Which areas of Risk Management have been problems over the past several years, and more importantly, which areas have been under the Management / Board microscope because they’ve been problems?  This will provide you with a good starting point.
   • “Bang for the Buck”:  This is where the Cost/Benefit argument is to be made.  Each of the potential efforts should be costed out and presented side-by-side with the benefits delivered.  The visibility of these improvements should also be considered, as benefits not noticed “didn’t happen,” at least in the context of company management.
   • Likelihood of Success:  This is where the organization must be brutally honest about its resources, culture and organizational will.  Change efforts need quick and successful outcomes to create momentum, and build rank and file enthusiasm for a new risk culture. Start slow and ensure that you don’t over-promise and under-deliver.
4. Don’t be afraid to ask for help:  In the 21st century, most companies don’t have available bandwidth “just sitting on the bench, waiting to be put in the game,” especially for projects requiring specialized expertise.  If the company needs help with making the business case, structuring and managing the project, and rolling it out to the rank and file, it should avail itself of those kinds of help. 

The year is still young – there is still ample time to make some changes that move the needle in ‘24.  All you’ve got to do is start the ball rolling.

Learn more here: https://www.srarisk.com/post/improve-your-enterprise-risk-management-capabilities-in-6-months-or-less-even-if-your-people-are-busy

‍

Sources:

(1) 2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 14th Edition

(2) https://www.srarisk.com/post/are-risk-managers-at-risk-a-7-step-action-plan-to-save-your-company-and-secure-your-job‍