In reflecting recently on the state of Enterprise Risk Management (ERM) (I will use the term ERM generically for all its current variations), I have come to conclude that ERM is far from reaching its potential and may be in a state of decline.
As a profession we have developed what I will call Enterprise Risk Accounting (ERA) capabilities. ERA practices are sometimes useful and in some cases mandatory. But they differ dramatically from Enterprise Risk Management (ERM) and should not be mistaken for or substituted for ERM.
Much of what we call ERM today is, in fact, what I would call ERA. They are far from the same thing. Confusing ERA for ERM may be blocking progress.
Characteristics of Enterprise Risk Accounting (ERA)
Very little real “management” is involved in ERM today. Today’s risk “management” practices look much more like “accounting” for risks than managing them. (Fair disclosure: I am a professionally qualified accountant and former auditor and have been an unwitting risk accountant as well as a risk manager.)
Many of our risk management initiatives are guided by the risk management standards and guidance we follow but seem to embrace the paradigms of the accounting profession.
Enterprise Risk Management, as often practiced today, is focused on past events, not the future; it is focused on what is known or clearly predictable rather than on decision making under uncertainty; and it is focused on identifying, classifying and reporting what has happened, not on managing uncertainty and making decisions.
In my assessment most risk responses today are largely limited to COSO Control Activities. We have fallen into the “I have a hammer; we need to find nails” way of thinking. Only risks susceptible to Control Activities tend to be accounted for. As if risks were debits, we try to balance the ledger with Control Activities.
For a risk to be included in the scope of most ERM initiatives, it probably has already happened. If it is likely to happen but hasn’t yet, it might be “accrued” by adding it to the Risk Ledger (aka Risk Register).
Risks that have already happened or are clearly predictable exist in mature business processes. Why do we focus on these risks? It is self-defeating.
Let me be clear. I am not opposed to “risk accounting”. But risk accounting is not risk management and it may not help the business.
Characteristics of Enterprise Risk Management (ERM)
While ERA is focused on identifying events, ERM should be focused on predicting them. That’s often not the case today. COSO ERM guidance, for example, classifies risks into one of four types: Financial, Compliance, Strategic and Operational. I agree that these are useful ways to classify business activities, and when risk events occur, we can perhaps use these categories to assign them to. But risk management needs to predict risks, not account for them after they occur, and to anticipate risks we require an understanding of the events and conditions preceding the risk event. These COSO risk categories tell us where we can “book” the risks in the Risk Ledger but nothing about their cause. That’s risk accounting, not risk management.
The first step in ERM should be identifying broad categories of risk drivers. If we want to prevent fires, we need to understand what causes a fire. Fire extinguishers don’t prevent fires. If we rely on fire extinguishers, we are accepting that the risk event will occur. That’s risk accounting. If we want to prevent fires, we need to eliminate flammable materials and sources of ignition. That’s risk management. Underlying every risk is some type of preceding event or condition. Understanding those events and conditions and how they behave is risk management. Classifying the risk event after the fact is risk accounting.
ERM must focus on key value adding activities where the future is uncertain and volatile. Evidence suggests that most of what we call risk management takes place in mature operational processes where most risks are known and predictable. By my definition, 90-95% of risks in operational processes are well known. Listing and assessing them is risk accounting.
Risk management, for example, should tell us how trade barriers and tariffs will impact supply chains, currencies and markets. And it should have told us that two years ago. Evidence of our failure to anticipate risk drivers is the newly “emerging” field of Digital Risks, and of 3rd Party or Supply Chain Risks. Why could we not anticipate fraudulent financial reporting by examining executive compensation trends years ago? If we were managing risks, we would have seen them coming. These examples are all risk management failures, but we can consider them risk accounting successes.
Every year I see lists of “emerging risks”. Every “emerging” risk I have seen on anyone’s list has already emerged. It wouldn’t be on the list if it hadn’t. We’ve been looking over our shoulder for emerging risks when we should be looking over the horizon.
Risk managers must look at emerging risk drivers before they drive the risks. Risk managers today should be evaluating the impact of digitization and other significant technological, social, economic, political or environmental trends.
I attended a presentation recently where a well-known clothing brand was evaluating whether social changes would result in the elimination of gender-based clothing and what they needed to do to survive in that environment. That’s risk management. If they wait for the risk to happen, it’s too late to manage it. It becomes another risk accounting story. Ask Blackberry or Blockbuster.
Practicing Enterprise Risk Management
I’m not sure how to make the conversion from ERA to ERM. It’s probably best to keep them separate. There is room for both, but let’s recognize the differences. Here is some advice you may wish to consider. Please also take another look at
- Focus ERM on value adding activities rather than mature operational processes. Value adding activities probably make up no more than 30-40% of your overall business activities. Risk management is useful where your business is investing capital and where you want it to grow.
- If you are having risk or control issues with the performance of mature operational, financial or compliance processes, you probably need to shuffle or replace management. ERM and ERA will delay the solution.
- Consider risk drivers: the social, economic, political, competitive and other external forces that will impact your value adding activities. Learn how to exploit them for gain by managing those risks. Your competitors will be doing the same thing.
- Engage the business, especially the 1st Line of Defense. They are the risk managers. They make things happen. If you cannot engage them, you are probably asking them to be risk accountants. Chances are they are already engaged and motivated to manage risk.
- If you produce and distribute Heat Maps or Risk Registers, you are a Risk Accountant. If you provide opinions on “control effectiveness” you are a risk accountant. Try assessing the effectiveness of risk management instead.
- If more than 30% of your recommendations are COSO Control Activities, you are a risk accountant. I am not a fan of COSO, but it was intended to be, and is, a valid root cause of failure model. If you rely only on Control Activities, you do not understand COSO and if you do not understand and manage root causes of failure you are accounting for and not managing risks.
- Evaluate the risk management technology, if any, that you use today. Is it really risk management technology or is it risk accounting technology?
- Exploit the risk management technology that is available today. It may not be called risk management technology. And what is called risk management technology is probably risk accounting technology.
Use key risk indicators to trigger alerts and actions. Use predictive analytics to discern patterns and trends. Use modelling and quantitative techniques to help with decision making. Use surveys and collaborative tools. These are the tools of risk managers.
- Focus all your risk and compliance activities on business performance and business objectives. If you report on “internal control effectiveness” you are a risk accountant.
The Bottom Line: Do the Right Wronger and Learn.
Enterprise Risk Accounting is not a bad thing. Some of our standards and regulations require it.
My point is that if we believe ERA is ERM, we are missing an opportunity to serve our companies and clients. We need ERM as much or more than ERA.
Visit me and see more blogs at www.riskrevisionist.com
In the words of Russell Ackoff:
The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter. Therefore, it is better to do the right thing wrong than the wrong thing right.