The title of the new COSO ERM guidance issued in the summer of 2017 is “Enterprise Risk Management: Integrating with Strategy and Performance”. The COSO report says many right things, but what it doesn’t simply and bluntly state is the fact that the vast majority of ERM frameworks in place in the world today really don’t integrate very well with strategy and performance and, of even more importance, why that unsettling fact is true.
In reality, the core reason most ERM frameworks don’t currently integrate well with strategy and performance is very simple.
The majority of ERM frameworks in place are “risk centric”, not “objective centric”. When an ERM framework starts with an organization’s top value creation and preservation objectives as a foundation (i.e. is “objective centric”), it naturally forces integration with both strategy and performance and, ideally, leads to better decision making.
When an ERM framework instead starts by asking what top-of-mind bad things could happen, linked to what people assume are the organization’s top objectives, it takes things in a very different direction.
5 Reasons Why Progress Has Been So Slow
If the path to realizing COSO’s central goal of an ERM framework that really does integrate with strategy and performance is so simple (i.e. implement objective centric ERM), why has progress been so slow?
Reason 1. COSO tried but simply wasn’t candid, blunt and pragmatic enough in 2017.
COSO issued its first guidance on ERM in 2004. The simple reality is that a very large number of organizations interpreted that 2004 COSO guidance as calling for creation of “risk registers”, “risk heat maps” and “risk profiles”.
COSO ERM 2004 is a significant reason why there are hundreds of thousands, perhaps millions, of risk centric/risk register based ERM processes in place in organizations around the world. While COSO 2017 does state “Enterprise risk management is more than a risk listing”, that is as close as COSO ERM 2017 comes to stating that risk centric, risk register based ERM is not the route to “integrating with strategy and performance”.
Nowhere in its guidance does COSO clearly state that ERM processes should start by agreeing on what the top value creation/strategic objectives and value preservation objectives are, documenting them, and then making conscious decisions about where to apply formal risk assessment and at what level of risk assessment rigor.
Reason 2. Regulators have supported risk centric/risk register based ERM.
Prior to the 2008 global financial crisis, the vast majority of the players at the heart of the crisis, heeding regulatory demands, had implemented risk centric/risk register based ERM. Post-mortem work by regulators around the world, conducted by the Financial Stability Board (FSB), concluded: “The October 2011 FSB progress report on enhanced supervision noted that effective risk appetite frameworks (RAFs) that are actionable and measurable by both financial institutions and supervisors have not yet been widely adopted.”
This conclusion led to the FSB issuing “Principles for Effective Risk Appetite Frameworks” in 2013. While it contains many valuable insights and suggestions, the emphasis of this guidance is still “risk centric”, not “objective centric”. Regulators globally, when assessing “risk appetite frameworks”, continue to look for the existence of “risk appetite statements” and “risk registers”, not for ERM that integrates with strategy and performance and supports better decision making.
Reason 3. Consultants globally have promoted building and maintaining risk register based ERM.
A very common path for companies that believe they need to do something they haven’t had much, if any, experience doing in the past is to call on consultants for assistance. At the root of the hundreds of thousands, perhaps millions, of risk register based ERM processes in place globally is one or more brand name consulting firms that provided direction on how to implement ERM. The vast majority of these consultants recommended implementing risk centric/risk register based ERM.
Reason 4. Professional risk associations and the IIA have supported risk centric ERM.
Prior to 2000, few companies globally had formal risk functions or processes. As calls from regulators, credit agencies, and much later institutional investors to implement some demonstrable form of risk management process escalated, professional associations, including the IRM, PRMIA, RIMS, GARP and the IIA, provided guidance via conferences, books, seminars, certification training and other forms.
The vast majority of this guidance and influence fostered risk centric/risk register based ERM.
Reason 5. C-Suites and Boards have assumed ERM means creating and maintaining risk registers.
Not surprisingly, as a result of points 1-4, companies and their boards have, perhaps quite reasonably, assumed that implementing ERM means creating and maintaining risk registers and receiving periodic reports from risk specialists on what those risk registers contain.
Focus On Objective Centric ERM
The benefits of implementing objective centric ERM using an objectives register focused on an organization’s top value creation and preservation objectives are numerous and persuasive. These include:
- A clear and simple path to integrating ERM with strategy and planning.
- A tool to help senior management and the board make better resource allocation decisions, particularly on objectives that conflict, like profit maximization and compliance with the law (e.g. Wells Fargo).
- A vehicle to assign responsibility to the most logical and accountable management person or persons to report upwards to the CEO and board on the state of residual risk linked to top objectives, to assess whether it is, or isn’t, within the company’s risk appetite/tolerance. This makes ERM more “real time” as opposed to an annual or semi-annual exercise.
- A simple mechanism to link formal risk assessment work with performance data.
- Transparent decisions on where to apply formal risk assessment that costs money (as opposed to informal risk management that happens every day at all levels) and the level of risk assessment rigor and independent assurance the objectives warrant.
- Ability to “optimize” risk treatment strategies – the lowest possible cost combination of risk treatments to achieve an acceptable level of residual risk status linked to the objective being assessed.
- A clear path to enhancing the risk assessment and management capabilities of staff at all levels to better achieve the company’s most important objectives.
The benefits of objective centric ERM are clear and persuasive, but resistance to change from risk centric/risk register based ERM, which still has the tacit and often active support of influential players, is formidable. It will take active support for objective centric ERM from multiple players to drive change. The business case for change is clear. How quickly change will occur and real ERM integration with strategy and performance is achieved remains very much uncertain.