Tuesday, August 26, 2008

The Top 10 Enterprise Risk-Management Myths

Few companies can grow without taking risks. But poor risk management leads to surprises in business operations that can impact shareholder confidence, regulatory oversight and the bottom line. An unprecedented wave of regulatory oversight in recent years has convinced many organizations how inadequate their enterprise risk management (ERM) policies and procedures really are.


Many of the world's largest companies have responded to external and internal pressures by embarking on a journey to unify governance, risk and compliance (GRC) management across the enterprise. Yet, many organizations that don't have a historical foundation in risk management are still struggling to come to grips with this new discipline and how to embed risk management into the business.


With that in mind, here's a Letterman-like look at the top 10 myths regarding ERM.


Myth Number 10: IT Risk Management = Information Security


Most information security programs place far too much emphasis on the how and what, and far too little on the why. Information risk management, on the other hand, is inherently focused on the why.


Unfortunately, there's always far too much for information technology (IT) staffs to do. There are too many vulnerabilities to remediate and too many controls to implement, so some critical deficiencies will go unmanaged.


True risk management requires a business perspective on these deficiencies to better manage and prioritize the issues that threaten the organization. A check-list approach to information security ignores business impact and criticality.


Myth Number 9: CIOs Embraced Enterprise GRC


To address Sarbanes-Oxley compliance, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. Sarbanes-Oxley solutions were generally purchased with the tacit approval of IT, but few IT organizations standardized on a strategy for managing risk and compliance data. As a result, different parts of the problem are addressed by a wide and disparate range of solutions, including spreadsheets, custom and commercial applications.


In numerous buying decisions, IT is too often at the table in a support role, rather than as a strategic thinker focused on the long-term benefits of a common GRC platform. Scattered risk and compliance data marts will cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business.


Myth Number 8: A Rigid, Standardized Approach Is Best


ERM, similar to most business processes, is not a "one-size-fits-all" solution. It has to be customized and tailored for each firm. As Mark Olson, chairman of the Public Company Accounting Oversight Board (PCAOB), notes, "An effective enterprise-wide compliance-risk management program is flexible to respond to change and is tailored to an organization's corporate strategies, business activities and external environment."


Companies that try to implement an out-of-the-box methodology will likely fail. ERM methodologies and taxonomies must be adapted to a company's legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry. Further, the risk framework must be able to adapt to change over time to avoid losing competitive advantage.


Myth Number 7: You Can Manage Risk Only from the Center


No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it's too difficult to federate, and they don't know how to push risk management to lower levels of responsibility in the organization. It's a classic issue of consistency vs. quality of information.


But accurate information lies at the business line level. Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably and cost-effectively do that is to invest in automated technology solutions.


Myth Number 6: You Can Manage Risk and Compliance with Spreadsheets


Spreadsheet wizards have carved out a significant role in managing financial and operational data in many companies. The problem is that this approach is: a) manually intensive; and b) highly reliant on the individuals who manage and operate these spreadsheets. Further, the processes for linking, updating and archiving data in spreadsheets are mostly ad hoc, leading to significant risks.


In its 2005 annual report, for example, the Federal Home Loan Mortgage Corp. (Freddie Mac) noted that reliance on "end-user computing systems" (read: spreadsheets) posed a significant risk to its ability to report accurately on financial data. Using spreadsheets and file shares for risk and compliance data is a dead end; risk managers have trouble getting visibility into the data because of poor reporting capabilities, and will rightly question the accuracy of the data itself.


Myth Number 5: Traditional Audit Planning Is Good Enough


A traditional model for planning the audit process typically examines 10-20 risk factors for each element of the audit universe, and funnels each auditable entity into a risk category that will drive its audit frequency. But the known risk universe gets bigger by the day, and investing in a massive risk evaluation for each entity may not be the best use of resources.

Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office? Progressive organizations are turning toward a more agile, top-down approach to risk assessment to drive audit scheduling. This will lead to more efficient resource allocations, ensuring that auditors are focused on the truly risky areas.


Myth Number 4: Enterprise Risk Management Is Dead!


David Martin and Michael Power assert in "The End of Enterprise Risk Management," a report published last year by the AEI-Brookings Joint Center for Regulatory Studies, that ERM frameworks are outmoded because they embody an unrealistic and outdated theory of organizations -- hierarchical, "bird's-eye views" from the top that are progressively detached from the reality of modern financial organizations.


Truth be told, the current regulatory climate has resulted in control-based ERM frameworks that have a bias for analysis versus action, and the production of evidence for regulators and auditors in some instances has become more important than managing real risks. But that doesn't mean we should abandon ERM.


ERM needs to be deployed bottom-up so that business managers are the first-line managers of risk, embedding enterprise risk management within the day-to-day business processes of the firm. They must understand the risk/reward trade-offs involved in their own decision-making. Risk management should create a bias for action, surfacing problems as they arise and empowering the entire organization to be risk managers.


Myth Number 3: It Just Takes Common Sense


"There are really no cookbook solutions. One has to use creativity and a lot of common sense." This was a May 16, 2000 email response from Enron Corp. risk expert Vince Kaminski, when asked by a colleague to recommend a good book on operational risk.


As Enron proved, creativity is a no-no and common sense alone just doesn't suffice when it comes to risk management. As business activities have become more complex, so has risk management. The sheer magnitude of the regulations leaves many firms struggling to put in place processes and infrastructure that are able to identify and control the compliance risks they face.


Risk management covers a wide variety of risk disciplines, including operational, compliance, financial controls, legal, liquidity, business strategy and technology, each of which has its own nuances and specialized models for assessing risk. It may not be rocket science, but it does require application of sophisticated models and analytics, aided with accompanying software tools.

Myth Number 2: TJX -- It Can't Happen Here


The TJX Cos. data breach, perhaps one of the biggest business stories of 2007, involved the inadvertent dissemination of as many as 94 million credit card accounts. It is only one of the breaches that were publicly reported. Attrition.org maintains a list of public, high-profile data breaches that is staggeringly long, going back to the year 2000. When you consider that companies have a vested interest in not making such events public, and the many more breaches that undoubtedly go undiscovered, only the tip of the iceberg is visible to us.


But shouldn't we be getting safer? Preventative technology and knowledge get better and better every day. Unfortunately, the villains also get better and better every day, so the gap persists. Your organization is susceptible, and it's critical you do everything you can to keep the gap as narrow as possible to minimize your risk.


The Number One Myth about ERM: You Can't Plan for the Unknown


You may not be able to predict events that lie outside the realm of regular expectations, but risk managers have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long-term disruption of their business operations due to a catastrophic event taking place in Manhattan and were up and running from alternate operational centers within hours of the fatal events of 9/11.


Key risk exposures, whether they are operational, market or credit risks, do not always follow a normal distribution or bell curve. Some risks have fat tails, and it is the events that lie at the lower and upper ends of the distribution curve that are most important to consider and plan for. You have to fight the natural tendency to focus on the known, the tangible and the repeated and devise strategies to cope with the unknown -- your company's viability may depend on it.




© 2008 Financial Executive, Morristown. All rights reserved.
© 2008 CIO Today. All rights reserved.

3 comments:

Swethagauri said...

I feel really happy to have seen your webpage and look forward to so many more entertaining times reading here. Thanks once more for all the details. accounting firms in dubai

Unknown said...

useful information
transportation risk management

Ram Kadam said...

There are many myths regarding enterprise risk management solutions that need to be eradicated. It is very necessary that people understand the value of enterprise risk management. Thanks for sharing this blog. It will definitely burst many myths.