Updated 10 May 2024.
Need for Enterprise Risk Management vs lack of interest
The State of Risk Oversight (2023, North Carolina SU) [1] sets out a paradox: despite the increase in complexity of risk and the actual occurrence of surprises, executives have shown diminishing interest in Enterprise Risk Management. One of the authors, Mark Beasley, speculated in an interview [2] that managers must be overconfident. But this raises the question: does this lack of interest reflect on Enterprise Risk Management itself? Does it actually have proven effectiveness?
This question has an inherent measurement problem: ERM is not one thing. There is high variability in its definition and implementation. Looking for evidence of effectiveness of Enterprise Risk Management, I found a recent survey article [3]. The authors admit a series of measurement problems, the use of tenuous proxies, and mixed results, yet assert that some evidence is positive.
The definition problem (the variability in practice attached to the name "ERM") and the attributability problem (i.e., no guarantee of the link between supposed cause and observed effect) are not trivial. Consider:
Risk methods are problematic
The Oversight report itself states: “Many tend to view risk management as bureaucratic and non-value adding.”
A 2019 Polish study [4] starts from the premise that “the effectiveness of... ERM systems can and should be analyzed from the point of view of... company's value”, using four financial measures. I take issue with that, because, strictly speaking, ERM has to do with managing the uncertainty associated with goals, not necessarily increasing financial value.
In any case, the author found, rather categorically, that ERM fails in the face of overwhelming market shifts. The implication is that to be deemed successful, it should have operated as a forecasting tool.
A 2017 report of the KPMG Audit Committee Institute [5] concluded that the effectiveness of their risk management was rather poor and the #1 concern of auditors. The study does not explain in detail how they thought their execution of risk management was faulty: somehow things are changing too fast and they can't "understand" or "oversee" the risks.
A 2015 paper out of Old Dominion College, Norfolk, VA [6] reviews disparities amongst practitioners and confirms the above picture of methodological fragmentation.
Strategic risk management - seemingly effective
One thread connects three of the above reports. The Norfolk paper, the Polish study and Prof. Beasley all make the observation that ERM seems to be effective when practitioners turn their attention to strategic risk. There is apparent agreement among these practitioners that it delivers value, insofar as it identifies risk affecting strategy.
This is intuitively correct, but thin. Why isn't risk management just as effective at the operational level? Why do their methods collapse when applied to a project, business unit or department? We can't answer, because we don't know the details of the methods used by these disparate practitioners -- the measurement problem again.
As an example: people in a single organization often do not conceptualize and state risks in a consistent manner. Many will look at extant conditions that are largely known, and characterize them as "risks".
There is no differentiation between correct and faulty procedure. The C-suite is quite right to reject ERM when it is so poorly specified.
Conclusion
We started with the question: Is ERM effective? Answer: Some version of it is undoubtedly effective. But which? To assert the effectiveness of Enterprise Risk Management with any credibility, the practitioner must first define terms and methodology with precision, and then point to evidence.
Notes
[1] The State of Risk Oversight: an Overview of Enterprise Risk Practices (ERM Initiative at North Carolina SU, in partnership with AICPA) (2023).
[2] Why the disconnect? Journal of Accountancy Podcast, Neil Amato
[3] Horvey; Odei-Mensah (2023) The measurements and performance of enterprise risk management: a comprehensive literature review.
[4] Jonek-Kowalska, I. (2019) Efficiency of Enterprise Risk Management (ERM) Systems
[5] KPMG (2017) Is Everything Under Control?
[6] Bromiley, P. et al. (2015) Enterprise Risk Management: Review, Critique, and Research Directions