Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Why Does ERM Fail So Often?

When I say enterprise risk management (ERM) fails, I am referring to the belief of many executives that it is a compliance function. When only 13 percent of respondents (Deloitte survey) say that it makes a significant contribution to the setting and execution of strategies, I think it fails.

My good friend John Fraser (and you should know about his books on ERM) shared with me a series of 2010 posts by Dr. Rick Naser, who teaches a course in ERM at Dalhousie University in Halifax, Canada.

Naser writes about whether and how ERM should be taught as part of an MBA program. That issue does not interest me as much as the suggested final exam questions he includes, one per blog post.

These are the posts. (The Introduction in each is the same. Read it in the first post but skip it in the others.)

You are welcome to look at all the questions, but the most interesting by far is the first:

Question 1: ERM has created a lot of excitement, but very few successful examples. Explain why you believe ERM has so few successful implementations.

I like the first two and the fifth points he makes as he attempts to answer his own question:

One reason in particular sticks out with me. That reason is that most companies that embark on an ERM initiative have no idea what successful implementation looks like from the get-go. In other words, very few companies that start an ERM program can finish this sentence: "This ERM initiative will be successful if …" If you do not know what success looks like, then how will you know when you get there?

A second reason is that ERM is usually not tied sufficiently into the strategy of the business. ERM should be a value-added enabler of the strategy. The setting of the strategy should also be done in conjunction with the ERM capabilities. If the strategy cannot be successfully risk managed, then I would argue it is not a good strategy. Thus strategy cannot be set independent of the ERM capabilities, and likewise ERM cannot be done independent of strategy.

A fifth reason is that the ERM function is often seen as the "Department of No!", when it should be the "Department of We Will Figure Out How to Do This Prudently." ERM as the "Department of No!" creates several problems. To begin with, competent managers do not want to be associated with a career-killing "Department of No!" assignment, and thus the ERM team frequently winds up being the "Department of People No Other Department Wants." Hard to recruit good people for that team! Furthermore, the "Department of No!" does not exactly increase morale anywhere within the organization.

Knowing where you want to go before you start the journey should be obvious, but how many chief risk officers (CROs) and other executives think about how risk management should add value and contribute to the success of the organization before they start a program?

In fact, how many CROs are concerned with how they are contributing to the success of the organization, rather than focusing exclusively on avoiding failure?

The second point is close to a vital truth.

The management of risk is about, to quote Felix Kloman, "piercing the fog of uncertainty."

As we work towards achieving our objectives, it is important to see through the fog and perceive what lies between where we are and where we want to be.

It's not only about setting strategies with an understanding of what might happen; it's about executing on them. I see that less as part of the strategy process than as part of performance management and the daily management of the organization.

The fifth point is something I have been saying for a long time (about internal audit as well as risk management): that we need to stop being the department of "no" and become the department of "how."

Our professor includes a few other important points in his list of "other" reasons for ERM failures:

  • ERM implementation is seen as "risk-washing." (Think green-washing and its implications and reputation.)
  • Inability of an organization to look upon itself from the outside to see the real issues.
  • The pitiful frameworks implemented by the most junior associates at the major bulge bracket accounting firms that now call themselves consulting firms (was that too harsh of a statement on my part?).
  • Inaccurate expectations about what an ERM implementation can and cannot do for the organization.

I'm not sure I understand the "risk-washing" point, but I think he is referring to what I would call "checking the box." In other words, being satisfied that it looks like we are managing risk when all we are really doing is reviewing a short list of top risks every so often.

What do you think of this and the other questions in his series of blog posts?
