Norman Marks recently posted some thoughtful comments on the state of risk management after reading the latest Ponemon survey, “The Imperative to Raise Enterprise Risk Intelligence.”
The survey showed some expected results like the centrality of reputation and cyber risk concerns. It also found little recent progress in bridging silos between legal, IT and finance, which is needed for operational risk management to be effective. Sadly, half of the polled organizations lack a formal budget for enterprise risk management.
The Ponemon report differentiates ERM from enterprise risk intelligence by characterizing ERM as the application of rigorous and systematic analyses of organizational risks and enterprise risk intelligence as the insight needed to drive business decisions related to governance, risk and compliance.
Noting that only 43 percent of respondents said risk intelligence integrates well with the way business leaders make decisions, Marks astutely observes that we should not be surprised that ERM lacks budget. If the CEO and board don’t think risk management works, then why fund it?
Marks writes often on the need for an overhaul of ERM doctrine. I share this view. In his post on the Ponemon report, he offers eight observations, each implying a recommendation for fixing ERM. I strongly agree with six and a half of them, and would like to discuss those where I see it differently.
His points 4 and 5 are:
4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
My interviews in recent months with boards and CEOs indicated those leaders thought almost the exact opposite. They suggested that risk managers should support business decisions by doing a better job of
- identifying risks – more accurately, identifying unwanted outcomes (hazards, in my terminology)
- characterizing hazards and investigating their causes, effects (and therefore severity) and relevant systems
- quantifying risks by assessing the likelihoods for each severity range of each hazard
- enumerating reasonable responses, actions and mitigations for those risks
Note that this list is rather consistent, at least in spirit, with Basel II and some of the less lofty writings on risk management.
My understanding of the desires of business leaders is that they want risk management to be deeper and better, not broader in scope. Sure, silos must be bridged, but risk management must demonstrate much more rigor in its “rigorous and systematic analysis” before ERM will be allowed to become Enterprise Decision Management.
It is clear, from ISO 31000’s definition of risk and the whole positive-risk fetish, that ERM aspires to be in the decision analysis and management business, but the board is not buying it. “Show us core competencies first,” says the board.
Thus I disagree with Norman on point 4. On point 5, I almost agree. Point 5 is not a fact, but a fact with an interpretation. Risk practitioners don’t connect with business executives. Norman suggests the reason is that risk managers talk technobabble. I suggest they too often talk gibberish. This may include technobabble if you take technobabble to mean nonsense and platitudes expressed through the misuse of technical language. CEOs aren’t mystified by heat maps; they’re embarrassed by them.
Norman seems to find risk-appetite frameworks similarly facile, so I think we agree. But concerning the “techno” in technobabble, I think boards want better and real technical info, not less technical info.
Since most of this post addresses where we differ, I’ll end by adding that Marks, along with Tim Leech and a few others, deserves praise for a tireless fight against a seemingly unstoppable but ineffectual model of enterprise risk management. Pomp, structure, and a compliance mindset do not constitute rigor; and boards and CEOs have keen detectors for baloney.