Views on the future of risk management
Recently, he wrote a white paper that is available through RIMS or Workiva, Next Frontier: Performance-Based Continuous ERM.
I think it is fair to say that James and I agree on many points but disagree on others.
For example, he is focused on managing the downside, while I prefer to think that we need to help decision–makers understand all the potential effects—both positive and negative.
You can decide for yourselves by reading his white paper.
Here are some excerpts that I like, with emphasis added. I will add some comments in a moment.
- The scope and severity of risk is so great that doing so could mean economic destruction. Instead, risk management should become proactive, not simply minimizing negative risk but also maximizing opportunity. To do so, ERM must be a continuous process, constantly monitoring and assessing risk in a forward–looking way that provides companies with a path toward opportunity.
- For these reasons, ERM is entering a third phase in its development focused on continuous monitoring, business decision support, and shareholder value maximization.
- ERM programs must adapt expeditiously. A monthly or quarterly process is no longer sufficient. Just as risks and opportunities are changing continuously, ERM programs monitor and respond on a continuous basis.
- In addition to becoming a continuous process, ERM must support key business decisions and add shareholder value.
- To support strategic risk management decisions, the company’s performance management system must integrate key performance indicators (KPIs) and key risk indicators (KRIs).
- Unfortunately, many companies perform these actions in two distinct siloes. As part of strategic planning, they perform steps 1 and 2 and report the results to the executive committee and full board. Separately, as part of risk management, they perform steps 3 and 4 and report the results to the risk and audit committees. In order to effectively manage strategic risks, these steps must be fully integrated.
- In order to add value, the continuous ERM process must be integrated into the strategic, financial, and operational decisions of the organization.
- The ERM dashboard should similarly organize risk information (e.g., quantitative metrics, qualitative risk assessments, early warning indicators) within the context of key strategic and business objectives. For each objective, the dashboard report might show green, yellow, or red indicators to signal that its achievement is on track, threatened, or off track, respectively. For objectives with yellow or red indicators, the board and management should then be able to drill down to underlying analyses
- A key goal of an ERM dashboard is to highlight potential problems before they become critical. For that reason, the dashboard should include early warning indicators that help foreshadow such issues. A well–designed ERM dashboard would provide KPIs and KRIs that are most relevant to the decision–making needs of each user, whether at the board, management, or business–unit level. Ideally, each metric would include performance thresholds and/or risk tolerance levels to provide benchmarks for evaluation.
I say pretty much the same thing in World-Class Risk Management, but there are some important differences.
- We need to address the combination of all the things that might happen. While James’ piece talks about seizing opportunities, with which I agree, he talks about individual risks and not the combination of good and bad things that may flow from an individual action or decision. He likes to show potential outcomes on a bell curve. I believe that is simplistic. A decision can and usually does have multiple effects and it’s the combination of them, some good and some bad, that needs to be considered when selecting among options. The net of all the good and bad may be positive, but one or more harms may be beyond tolerance while the net is acceptable.
- I very much like the emphasis on supporting decision-making. However, we should put ourselves in the shoes of the decision-maker and ask “what is the information they need to make informed and intelligent decisions, selecting the best among all alternatives?” See this other post.
- I fully agree that a periodic review process is insufficient. However, taking stock every so often is valuable.
- I also agree that it is necessary to integrate KPIs and KRIs, but rather than a yellow/red/green traffic light assessment for each objective, I think you can take a highly valuable extra step. See A revolution in risk management.
- I like the idea of dynamic risk appetite (although I prefer risk criteria that are designed to aid individual decisions). Business conditions change constantly and we need to constantly challenge prior notions of acceptable levels of risk. One of the problems of the concept of risk appetite is that it disregards the potential for reward. I don’t see where James has addressed this. As I said above, it is possible for the net of the good and bad effects to be acceptable while individual harms are not.
I encourage you to download and read James’ white paper. It gets into a lot of areas and provides advice that I have not highlighted here.
I welcome your thoughts and comments.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management