Mark Beasley, Deloitte Professor of Enterprise Risk Management at North Carolina State University, recently interviewed Jim DeLoach, Managing Director with Protiviti.
Mark's Enterprise Risk Management Initiative has a wealth of information about ERM, although it seems limited (IMHO) by a focus on COSO ERM and traditional enterprise list management.
Jim, on the other hand, has been working with boards and executive management teams on governance and risk management for many years. While he is an advisor to COSO he is also familiar with the ISO 31000:2009 global risk management standard. Full disclosure requires that I mention I consider Jim a good friend, although we may agree to disagree on occasion.
Recently, Mark interviewed Jim and you can view the video here. (There is a transcript but it has not been edited and contains mistakes, so please watch the interview.)
Please watch and then see my comments, below.
So what did you think?
IMHO, the interview has two parts: The first is poor but later Jim makes some excellent points.
The discussion focuses on something they both refer to as a "risk profile." I believe this is a nice way of describing a list of risks – more enterprise list management rather than risk management.
They discuss whether the profile is complete and how the board can obtain assurance about the process for developing and managing the risk profile.
But there are several problems with thinking that risk management or risk oversight is about the risk profile:
1. A list of risks is never complete and is always out of date.
Risks are created or modified with every decision and sometimes with devastating effect. The Deepwater Horizon disaster was the result of cumulative decisions made many levels below the executive team and I seriously doubt this sort of operational risk would ever appear on any list of top risks.
Further, we live in a dynamic and disruptive world. It takes time to develop and then present for review and discussion a list of top risks (a.k.a. risk profile). During that time, risks change.
2. You need context to consider risks
It's not about risk. It's about the achievement of enterprise objectives; it's about risks to the achievement of those objectives.
Considering just the risk profile tells you nothing that is actionable, helping you determine which risks might affect which objectives, to what degree, whether that is acceptable, and what to do about it.
3. Focusing on the risk profile lulls the board and top management into a false sense of security
Boards and executives may feel they have effective risk management because they are satisfied that the risk profile is complete and accurate (which it is not).
They need instead to know whether management is considering what might happen and whether that's ok with every decision they make.
It's not about the process for maintaining the risk profile. It's about the processes for setting strategy, making decisions, monitoring performance, and delivering value to stakeholders.
There is a degree of value in a risk profile or list of the more significant risks to strategies and objectives. It provides insight and context for the setting of strategies; selection of objectives, goals, and plans; and the continuing monitoring and adjustment of same.
As ISO31000:2009 explains, you need to understand both the external and internal context for the organization before you can govern or direct the organization effectively.
Unfortunately, this is not mentioned in the short interview.
It's also only a small part of effective risk management.
This all gets better as Jim moves on.
Jim makes a few excellent points in a row.
He talks about the board understanding how ERM can provide value to them. While he doesn't say it explicitly, I believe he means that it helps them understand the context within which strategies and objectives are established, decisions made, and performance managed and delivered.
He makes the excellent point that the consideration of risk must be part of the rhythm of the business, part of how decisions are made across the [extended] enterprise.
Then he highlights the issue with many practices today: risk management is an "appendage" to the business, rather than an integral part of effective management and oversight.
As he says in a segment that starts at around 4:00 minutes into the interview:
"…what is 'enterprise risk management'? Just coming to grips, grappling with that question, coming to grips with it, is a big challenge and makes CEO's uncomfortable. They hear the term. They don't know what it means. And CEOs don't want any undue burden put on their organization. They want to do the right thing but they don't want to do anything that puts a lot of burden on the organization. So how it fits and what it is, and then there's the value proposition question. That's the question around what am I going to get out of this if I do it? So that's a big challenge as well. And I think there's the question of ok, if I implement this, how is it going to impact the way I run my business? So if it ends up being an appendage from the rhythm of how I run and manage my business, it's a disaster. It never works. An appendage has very little impact. But how you implement it in the context of your strategy setting and execution, your performance management, and those kinds of core management activities is very important."
1. "CEOs don't want any undue burden put on their organization." If they don't see how it helps them be successful, they won't fund it beyond the minimum necessary to satisfy regulators and so on.
2. "…if it ends up being an appendage from the rhythm of how I run and manage my business, it's a disaster. It never works." That is the case with many risk management functions, especially when risk management is set up as an independent check on management.
3. "…how you implement it in the context of your strategy setting and execution, your performance management, and those kinds of core management activities, is very important."
Towards the end, Jim makes another critical point by talking about integrating risk management into decision-making.
I met Mark Beasley just once, many years ago (although we are connected on LinkedIn) at an IIA leadership conference on risk management. I am not sure where he stands on the issues of taking ERM beyond enterprise list management and making it an integral element in the rhythm of the business: how value is determined, objectives and strategies selected, performance measured, and decisions are made.
I invite him to comment on this post.
In fact, you are all invited to comment. Please click on the Subscribe button to join the conversation.