Your Risk Management Magazine
ERM is a dead parrot

Some say Enterprise Risk Management (ERM) is the only solution for managing risk across organisations. But, argues Gerry Robinson, it’s time to get real and tell it like it is.

I first became involved in risk when I worked in Finance in Telstra in 1987 and placed its first insurance for property and liability. My brokers told me I should get into enterprise risk management (ERM). I thought that sounded great so I asked them to introduce me to one of their clients who had implemented it. I’m still waiting.

Let’s have a look at the facts about ERM. We have a massive weight of methodology coming from COSO and the Australian Standard AS/NZS 4360:2004. We have a global industry of heavy-hitting consultants with teams to help you implement their own special approach to ERM. We have regulators turning up the heat on company directors. We have had nearly twenty years to get our act together.

What have we achieved? A recent US survey found ninety per cent of executives want to implement ERM yet just eleven per cent had. The KPMG study in 2005 identified the following: more than 50 per cent of respondents had board risk committees; 60 per cent didn’t have an integrated risk management strategy; 54 per cent didn’t evaluate controls effectiveness; and 35 per cent didn’t conduct enterprise-wide risk assessments.

We have had twenty years to get this right. Why are we still getting ready to get ready?

There is compelling evidence that ERM is a dead parrot, but why don’t CEOs come out and say ERM doesn’t work? This simply won’t happen. The whole COSO/ERM thing has become so lofty that no CEO would be game to come out and say ‘look, its feet are nailed to the perch’. You would come across as soft on risk and heresy doesn’t go down well in the boardroom.

After fifteen years as a risk consultant I wrote the RiskThinkers Guide. At the time I wasn’t too concerned with ERM. I just wrote a book explaining how to develop a risk management process in a day and implement it in a few weeks. I steered clear of lofty ERM ideas.

I explained the fundamentals of corporate governance, risk management and compliance and provided pragmatic templates for an enterprise risk library, risk ranking criteria, a set of minimum standards for managing each risk, a minimum standards gap analysis allowing you to diagnose major weaknesses and develop low-cost improvement plans, and manual or electronic monitoring enabling you to embed risk management and have a dynamic, sustainable process.

I knew I was in for trouble as soon as I signed the publishing contract because I was saying risk management isn’t a big mystery. This would invite ERM consultants and devotees to unleash a bombardment of criticism and question the sanity of my approach. So, I decided to make a comparison of my approach with the ERM process and after a little research I found the first nail for the ERM coffin. This quote appears in the bible of risk management, the COSO Enterprise Risk Management-Integrated Framework September 2004.

“Enterprise Risk Management is a process, effected by an entity’s board of directors, management, and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

If this is what ERM is about, no wonder the parrot is on the nose. Imagine ringing a CEO and saying, “Hi, I have a risk management process to provide you with reasonable assurance regarding the achievement of your objectives. It’s called ERM.” Would anyone be game enough to put such a statement in the prospectus to float a company? The regulators would come down on you like a ton of bricks. This isn’t an achievable objective. It’s the risk management Holy Grail.

Trying to implement ERM has involved companies in a lot of time, management energy and significant cost. What have people got to show for it? I wish I had a hundred dollars for every time I have seen a doorstop-sized risk assessment report.

These weigh a couple of kilograms and contain a beautifully presented process for risk management. Why do these reports become a doorstop? Either the consultants were met with passive resistance, the risk management process was guaranteed to fail because its detailed demands would have prevented people from achieving their daily business objectives, or the risk review created a catharsis and was seen as an end in itself. Everyone took a self-satisfied break. By the time people came back to the report the company had moved on.

The other major issue is that ERM supporters keep raising the bar. It’s now all about strategic risk and identifying opportunities. The fact is most companies have a CEO and a few key people deciding the company’s future. They are risk takers and didn’t get where they are by worrying about what might go wrong.

Their energy goes into innovative thinking, deciding what to do and how to make it happen. Here’s the second nail in the coffin. A CEO will never implement an ERM process applying in a strategy setting across the enterprise. Commercial good sense dictates they should never surrender the strategic decision process and neither will they admit to this.

Will the parrot be laid to rest? Perhaps – but don’t expect to hear a death rattle. The Holy Grail of best practice exerts a deep attraction for major corporations. However, I am expecting some action from people who know they have to take risks and can never reasonably assure their objectives. You take risks to make money, so that means you have a risk-taking culture. Do the simple things and make it a rational risk-taking culture.

Gerry Robinson is a consultant and is the author of The RiskThinkers Guide.

© 2012 Key Media Pty Ltd.