Inside Internal Controls

News and discussion on implementing risk management

An ERM horror story

This week, I was working with the SOX team of a large US-based financial institution. At one point, the senior executive and leader of the team asked me something I had never heard before.

“Our ERM team wants me to provide them a number they can include in their calculation of the company’s residual risk. This is something, they say, is required by the regulators. What do you think of that?”

I have to admit to being stunned. Silent.

Then I couldn’t hold it in any more.

“It’s stupid!” I blurted out.

ERM at this organization sounds like something from a 1920s horror movie.

How could anybody believe there is value in a single number ‘residual risk’ for a large organization?

Does it make sense to aggregate risk levels for a variety of risk sources, including cyber, compliance, credit, liquidity, competitor, and internal control over financial reporting?

Does that help management make any decision? How is it actionable?

Does it help the regulator understand whether management is putting the interests of stakeholders in jeopardy?

What I will bet is happening is this:

  • Each type of risk at the organization (including but perhaps not limited to those I listed above) is individually assessed. They use a single number for the potential impact (in other words, they don’t consider a range) and then calculate a ‘risk level’ by multiplying that by the likelihood of an event or situation occurring that might have that effect.
  • They then add the risk levels of individual types of risks together.
  • They then, perhaps, compare that number to a pre-determined ‘risk appetite’.

This is wrong on so many levels. I have discussed why many times in this blog and in my books, but:

  • There is a range of potential effects, not a single point
  • Multiplying one point on that range by its likelihood has very limited meaning
  • Adding these risk levels together is mathematically unsound
  • The whole process ignores the fact that any event, situation, or decision gives rise to many potential effects – some of which are positive
  • The context for risk-taking is ignored: objectives and strategies, what the organization is trying to achieve. How does this help you assess whether the organization is likely to achieve its objectives?
  • The calculation does not provide the regulators with information that will help them assess whether the organization is unacceptably likely to become illiquid, etc.
  • This is not how people make (or should make) decisions
  • This exercise is likely to mislead rather than provide meaningful and valuable information
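
The single-number procedure described above, set beside a range-based simulation, as an added example that is not from the post: the risk names, likelihoods and loss ranges are constructed for illustration, and a uniform loss range stands in for whatever distribution a real assessment would use.

```python
import random

# Constructed, hypothetical risk registers (figures in $ millions). Each entry:
# (risk source, annual likelihood, lowest plausible loss, highest plausible loss).
# Both registers share likelihoods and range midpoints, so the point-estimate
# method gives them the same score; only the width of the loss range differs.
NARROW = [
    ("cyber", 0.10, 4.0, 6.0),
    ("compliance", 0.20, 1.5, 2.5),
    ("liquidity", 0.05, 9.0, 11.0),
]
WIDE = [
    ("cyber", 0.10, 0.0, 10.0),
    ("compliance", 0.20, 0.0, 4.0),
    ("liquidity", 0.05, 0.0, 20.0),
]

def point_risk_level(register):
    """The method the post describes: one impact figure (here the range midpoint)
    times likelihood per risk, with the per-risk levels then added together."""
    return sum(p * (lo + hi) / 2 for _, p, lo, hi in register)

def simulate_aggregate_losses(register, trials=20000, seed=1):
    """Monte Carlo alternative: in each trial every risk either occurs (with its
    likelihood) and draws a loss from its range, or does not. Returns sorted totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _, p, lo, hi in register:
            if rng.random() < p:
                total += rng.uniform(lo, hi)
        totals.append(total)
    totals.sort()
    return totals

def percentile(sorted_values, q):
    """Nearest-rank value at quantile q (0..1) of an ascending list."""
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]

def compare(register):
    """The single-number score beside the loss distribution it hides."""
    losses = simulate_aggregate_losses(register)
    return {"point_sum": point_risk_level(register),
            "p50": percentile(losses, 0.50),
            "p95": percentile(losses, 0.95),
            "p99": percentile(losses, 0.99)}
```

Calling compare() on both registers gives the same point_sum of 1.4 for each, while the simulated 99th-percentile aggregate loss is markedly higher for the wide-range register; the point score cannot distinguish a routine year from a bad one, which is the information a board or regulator actually needs.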

I would appreciate your comments.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.