A large retailer gets hacked, and customer data is taken, which costs millions in expenses and lost revenue. A product recall is perceived to be badly handled, which tarnishes a manufacturer’s reputation and seriously erodes revenue as well as margins. An acquisition fails to produce the expected profit lift and hurts a technology company’s share price. These organizations have implemented ERM, and, clearly, ERM has failed. Or has it?
Let's look at three criticisms of ERM:
ERM Cannot Identify and Protect Against All Significant Uncertainties
This criticism is fair in the most literal sense only. Even a very robust and well-administered ERM process cannot find every major risk that an organization is subject to, nor can it protect against all risks, whether identified or not. However, without ERM, the ability to identify a majority of significant uncertainties facing an organization is greatly diminished. Not only that, without an ERM approach to risk, the mitigation of known risks is more likely to be addressed silo by silo even when an enterprise-wide solution is necessary.
In addition, with ERM, organizations are generally better prepared to rebound from unexpected, unidentified risks that do hit them. For example, ERM organizations typically have very robust business continuity and business recovery plans, have done tabletop exercises or drills that simulate a crisis and have maintained a lessons-learned and special expertise file that can be called upon, as needed.
According to a post by Carrier Management, citing RIMS, “A whopping 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.”
These survey results do not suggest that chief risk officers or risk managers, who are responsible for the ERM process, are cyber experts or that all cyber risks can be specifically ascertained. Rather, the survey suggests that ERM better positions a company to discover cyber risks, just as it does with other categories of risk.
If ERM can reduce business uncertainties and surprises by identifying risks and managing them better than other forms of risk management, despite not being able to do so 100% of the time, it has not failed. In fact, it has most probably added great value. Consider a CEO who can avoid even one unnecessary sinking feeling when realizing that a risk that should have been spotted and dealt with has hit the company. How much is it worth to that CEO to prevent that feeling?
ERM Focuses on the Negative Rather Than the Positive
This criticism is not fair in any sense. It requires an upside-down view of ERM. Think about it. In almost any definition of ERM, there is some sort of statement as to the purpose or mission of ERM. The purpose is to better ensure that the organization achieves its strategy and objectives. What could be more positive?
By dealing with risks that challenge the ability of the organization to meet its targets, ERM is fulfilling an affirmative and important task. That most risks pose a threat is not disputed. But by removing, avoiding, transferring or lessening threats, organizations have a better chance of succeeding.
This is not the only positive result that can emanate from ERM’s handling of risk. Often, a thorough examination of a risk will result in opportunities being uncovered. The opportunity could take the form of innovating a product or entering a new market or creating a more efficient workflow.
Consider a manufacturer that builds a more ergonomic chair because it has identified a heightened risk of lawsuits arising from new medical diagnoses of injuries caused by a certain seat design. Or consider an amusement park that is plagued by patrons throwing ticket stubs and paper maps on the ground, creating a hazard when the paper is wet or when it covers dangerous holes or obstacles. Imagine that the company decides to reduce the risk by increasing debris pick-up and offering rewards to patrons for turning in paper at central depositories, and then turns the collected paper into “clean” confetti sold to party goods manufacturers.
These are hypothetical examples, but real-life examples do exist. Some are quite similar to these. Many risk managers, unfortunately, are reticent to share their success stories in turning risk into a reward. For that matter, many are reluctant to share their successes of any kind. One could speculate why this is so. It may be as simple as not wanting to tempt the gods of chance.
ERM Is Too Expensive
Those who criticize ERM for being too expensive to implement may lack information or perspective. Consider the following questions:
- Has ERM been in place long enough to produce results?
- Has the organization started to measure the value of ERM (there are ways to measure it)?
- Can an organization place a dollar value on avoiding a strategic risk or a loss that does not happen; does it need to?
- Has the number of surprises diminished?
- Are there successes along with failures?
- How much is it worth to enhance the company’s reputation because it is seen as a responsible, less volatile company because of ERM?
- How efficiently has the ERM process been implemented?
- Is too much time being spent on selling the concept rather than implementing the concept?
- Have the ERM process and the reporting of its results been kept clear and simple?
To answer the criticism that the process is too expensive, the following are things a company can do to make sure the process is cost-effective:
- Embed the process, as far as feasible, into existing business processes, e.g. review strategic risk during strategic planning, hold ERM committee meetings as part of or right after other routine management meetings, monitor ERM progress during normal performance management reviews, etc.
- Assign liaisons to ERM in the various business units and functional departments who have other roles that complement risk management.
- Do not try to boil the ocean; keep the ERM process focused on the most significant risks the company faces.
- Measure the value that ERM brings, such as a reduction in lawsuits, a lower total cost of risk, or whatever measures management decides upon.
In the author’s purview of ERM in various organizations, the function tends to be kept very lean (without diminution of its efficacy). If the above suggestions are adopted, along with other economical actions, the costs associated with the process can be kept in balance with, or well below, the value it delivers.
Conclusion
It is possible for an ERM process to be poorly executed, and thus deserve criticism. It is also possible for an ERM process to be well-executed and deserve nothing more than continuous improvement.
The caution is that no one should expect perfection or suppose that one unanticipated risk that creates a loss denotes a total failure of this enterprise-wide process. Organizations are sometimes faced with situations that are beyond a reasonable expectation of being known or managed.
It would be fair to lodge criticism of ERM under certain circumstances; for example, if an organization’s ERM process did not reveal a risk that all its competitors recognized as a risk and addressed. But even in that case, perhaps there were reasons to think the risk would not penetrate protections the organization already had in place. Suffice it to say, every process and situation must be evaluated on its own merits and within the proper context.