Is ERM valuable?  This was the theme of an online discussion hosted by Alex Sidorenko and Hans Læssøe.  StrategicRISK caught up with both risk practitioners ahead of the debate to find out more.

Why is ERM such a divisive issue? 

Alex: For all the hype and marketing since 2004, management still doesn’t see the value of risk management and perceives it as BAD at best. The challenge is that ERM is not divisive at all, 99% of the risk community, fueled by unethical risk management associations and big4 consultants, genuinely believe there is huge value. Hence putting their jobs on the line. Life expectancy of a risk manager in Russia is approx 1 year. Europe and Australia are more tolerant of bs and hence they keep risk managers for longer.

Hans: I agree with Alex, but perhaps not in such harsh terms. ERM emerged as a combination of the big 4’s wishing to get more business (for themselves), started building on the general discontent with the siloed risk management practices, and seeing companies fail, despite risks being managed. They started advocating for the need of an enterprise wide “overview”, which were not helping managers lead anything. The consulting and risk software industry are still pursuing this – to a large extent based on a compliance approach, which will take a lot of effort, and add precariously little value.

PwC drove this a bit further by collaborating with the COSO on writing a standard for risk management which can only serve as help to start a fire. The original (COSO) was downright dangerous to deploy, the update (COSO II) was bad, and the latest (2017) update is (only) worthless. Still, companies, especially in the US, wish to build on it for some reason or another. The worthlessness comes from not being focused on or enabling/supporting any decision making for the company.

Then again, the purpose may be as simple as allowing executives to say “I have ensured we have an ERM program, so the failure of the company is not my fault – I am not to blame”.

What are some of the challenges with implementing an ERM strategy?

Alex: Whatever ERM strategy is, the way it is implemented is often contradictory to the fundamental research in risk psychology, probability theory and decision-making theory. Risk managers are so delusional, they implement something which has zero chance of working, doing it again and again.

Hans: The first challenge is that no-one appears to be clear about what the target of this is. Implementing ERM is an effort, an approach, a “strategy”. Too few have taken the time to ask to what end this should be taken. This leads to following the loud voice of the big4 and other consultants, and deploying yet another compliance regime, where executives find themselves supporting risk managers (rather than the other way around).

What are some of the common mistakes RMs make when implementing an ERM program?

Alex: Even talking about it is a mistake. Everything good risk managers for some unknown to me reason try to market as ERM is decision making 101 and probability theory 101 and has been covered in textbooks for 50 years. The innovations created by PwC in 2004 and dressed up as ERM as well as publications by associations and other consultants are straight up flawed. You can tell most ERM proponents are frauds because as soon as someone points out the many fundamental flaws with ERM approach and tools, they claim it was what they meant all along :))

Hans: Lack of specific target is one common mistake made. Given a defined target, pursuing a path of high effort/little value for the sake of having an ERM report of some kind (which drives nothing, whatsoever). Wanting/implementing ERM for the sake of being able to say “we have ERM,” and then thinking the holy grail is at hand is dangerous – alas a lot of companies do exactly that.

What is your advice for RMs if their current ERM program is not functioning as well as it could be?

Alex: Read a book on decision making and forget ERM ever existed.

Hans: I concur with Alex as a first move. I still believe in the value of having an overview of the consolidated exposure of a company, given its current ambitions and strategies. I also believe in having some process to spot and address risks which emerge from outside of the company. Not all risks are the results of decisions – some lead to decisions needing to be taken. So – I would suggest there is a clear target defined for ERM efforts (how this should add value to the organisation), and based on this establish the simplest process/approach possible – probably based on the insights of specialists throughout the company and combining their insights into a support to executives.

Anything else you want to add?

Hans: I believe you can define and establish a value-adding ERM program, which as one element, can inspire executives to take on more risks when needed to meet company goals in a competitive market. Done well (note: current standard implementation is NOT doing it well), it can provide the company with a competitive advantage. Done poorly, it is dangerous … as stated by others, “Bad risk management is worse than no risk management”.
