CHAPTER 2

Is ERM for You?

Admittedly we, the authors, are enthusiastic fans of enterprise risk management (ERM). Fundamentally we believe that good management and ERM are synonymous. However, does that mean that all organizations should implement a formal ERM system or framework? The answer to that is no. While ERM has many attractive qualities, there are costs associated with implementing and maintaining an ERM organization. Sometimes the costs and disadvantages outweigh the advantages and the benefits. In this chapter, we explore some of the advantages and disadvantages of implementing ERM and provide some issues to think about before deciding whether ERM is right or not for your organization.

The popularity of ERM implementations in a wide variety of both for-profit as well as not-for-profit organizations clearly demonstrates that there is a belief that ERM is a value-added activity worth exploring. However, it is also equally clear that ERM is not always welcomed in all these organizations, nor is it having the expected positive effects on outcomes. Implementing ERM, like any major operational change of processes, can be difficult and costly. A dispassionate analysis of the pros and cons should be the first step in deciding whether an organization adopts ERM or not.

Advantages of ERM

The primary purpose of implementing ERM is to enhance the understanding of, the appreciation of, and the management of risk in an organization. Given our previous definition of risk, this means increasing the probability and magnitude of good risk while decreasing the probability and severity of bad risk. Changing the probability and outcomes of risk events is obviously the major reason that ERM is implemented. This point is almost axiomatic. It also sounds like ERM is just strategic management; after all isn’t the role of strategic management to simply position the organization in such a way that the likelihood of positive outcomes is maximized, while negative outcomes are minimized?

Seen in such a way it might be reasonable to ask why ERM is needed if the firm is already strategically efficient. That ERM is in alignment with strategy is a major advantage. What ERM adds to good strategic management, however, is a set of frameworks, tools, and processes that assist in achieving strategic advantage. It also brings an explicit mindset that risk is a reality, and that despite the best of strategic plans, those plans will fail unless risk is accounted for, managed, mitigated when appropriate, and exploited and leveraged when appropriate. Enhancement of the strategic vision, instead of risk management for its own sake, is thus in our opinion the most overlooked advantage of implementing ERM and should be the primary reason for adopting ERM.

Seen in this way ERM is a strategic implementation tool. It is a way of formalizing strategy in the context of appreciating and respecting that risk is an ever present reality throughout the organization in a consistent and transparent manner. Taking this point of view significantly changes how ERM implementation is accepted throughout an organization and how it is applied and ultimately the success of ERM in the organization.

Case Study: Hydro One

In Chapter 1, we introduced the case study of Hydro One. Hydro One successfully introduced ERM, and a key part of that successful introduction was their tying ERM to the strategic plan and integrating the capital budget expenditures to ERM. In essence, it was almost as if Hydro One had ERM managing the strategic plan.

One example of how Hydro One tied their enterprise risk program to their capital budget is that their risk framework was developed to balance the business risks with the returns for those associated risks. There was not a strategic goal to eliminate risk altogether. Let’s look at their capital expenditure process. Hydro One managed their risks in the capital expenditure process through their risk tools. Risks were identified in all major risk categories (i.e., regulatory, financial, reliability, safety, reputation, etc.). Risk was then assessed on a scale of Minor to Worst Case. Hydro One chose to focus on the “Worst credible outcome,” and they put into place one of their seven risk mitigation techniques to deal with that risk.

Hydro One quantified their risks based on three categories. The first category, as discussed previously, was the five-point risk tolerance scale of minor to worst outcome. This was the estimated measurable impact on a specific corporate goal. The second category was a five-point risk probability scale which went from remote to virtually certain. This category ranked the probability that an event, and the impact of that event, will happen, and it is measurable. The third category was the ability of the controls and the mitigation techniques/tools in place to reduce the risk.

The last step in the Hydro One ERM for capital expenditures was the structured approach to determining the capital expenditures and ranking them. They had a ranking protocol from red zone, which was a capital expenditure that needed immediate funding due to the risk, all the way to a level four, which was a minimal impact expenditure to the business objectives. All expenses were categorized. From here a grid was developed to show the magnitude and the probability of the risk. The expenditures that fit within the available resources became the work done for the year, taking into account the probability and the risk impact of the events. The capital expenditures were allocated based on the largest overall risk reduction per dollar spent.1
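The scoring and ranking process just described (a five-point impact scale, a five-point probability scale, a control-effectiveness adjustment, zones from red zone down to level four, and allocation by risk reduction per dollar) can be written down as a small model. The following is an added illustration and is not Hydro One’s model nor the authors’ code; the numeric mapping of the scales, the zone thresholds, the multiplicative treatment of control effectiveness, and the four sample expenditures are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Five-point scales as described in the text; mapping the labels to 1..5 is an assumption.
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4, "worst case": 5}
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "virtually certain": 5}


def inherent_score(impact: str, likelihood: str) -> int:
    """Position on the magnitude x probability grid before any controls are credited."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def residual_score(impact: str, likelihood: str, control_effectiveness: float) -> float:
    """Third category: credit the controls in place. A control effectiveness of 0.0 leaves
    the inherent score untouched; 1.0 would remove the risk entirely (assumed linear model)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return inherent_score(impact, likelihood) * (1.0 - control_effectiveness)


def zone(score: float) -> str:
    """Ranking protocol from red zone (fund immediately) to level four (minimal impact).
    The thresholds are assumed for the example, not taken from Hydro One."""
    if score >= 15:
        return "red zone"
    if score >= 9:
        return "level two"
    if score >= 4:
        return "level three"
    return "level four"


@dataclass(frozen=True)
class Expenditure:
    name: str
    cost: float
    impact: str            # worst credible outcome for the risk this spend addresses
    likelihood: str
    control_now: float     # effectiveness of controls already in place
    control_after: float   # effectiveness once the expenditure is made

    def risk_reduction(self) -> float:
        before = residual_score(self.impact, self.likelihood, self.control_now)
        after = residual_score(self.impact, self.likelihood, self.control_after)
        return before - after

    def reduction_per_dollar(self) -> float:
        return self.risk_reduction() / self.cost

    def current_zone(self) -> str:
        return zone(residual_score(self.impact, self.likelihood, self.control_now))


def allocate(budget: float, candidates: List[Expenditure]) -> Tuple[List[str], float]:
    """Fund red-zone items first, then everything else in order of risk reduction per
    dollar, skipping anything that no longer fits. Returns (funded names, unspent budget)."""
    ordered = sorted(
        candidates,
        key=lambda e: (e.current_zone() != "red zone", -e.reduction_per_dollar()),
    )
    funded, remaining = [], budget
    for e in ordered:
        if e.cost <= remaining:
            funded.append(e.name)
            remaining -= e.cost
    return funded, remaining


# Constructed sample candidates for one budget year (names and figures are invented).
SAMPLE_CANDIDATES = [
    Expenditure("Substation relay refresh", 400_000, "worst case", "likely", 0.2, 0.8),
    Expenditure("Vegetation clearing", 50_000, "major", "virtually certain", 0.5, 0.9),
    Expenditure("Office repaint", 30_000, "minor", "possible", 0.0, 0.5),
    Expenditure("SCADA network segmentation", 250_000, "severe", "possible", 0.3, 0.9),
]

if __name__ == "__main__":
    for e in SAMPLE_CANDIDATES:
        print(f"{e.name:30} zone={e.current_zone():11} "
              f"reduction={e.risk_reduction():5.2f} per $={e.reduction_per_dollar():.2e}")
    funded, left = allocate(500_000, SAMPLE_CANDIDATES)
    print("Funded:", funded, "unspent:", left)
```

With a budget of 500,000 the relay refresh is taken first because its residual score of 16 puts it in the red zone, vegetation clearing and the repaint follow on their reduction-per-dollar ranking, and the segmentation project, although it removes more risk than the repaint, no longer fits in what is left. That last point is the practical weakness of a greedy per-dollar rule: it is cheap to explain and audit, but it is not guaranteed to find the best total risk reduction for a fixed budget.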

Further to the link to the strategic plan, the next major advantage of ERM is that a well-designed ERM implementation will provide the firm with more of the risk that it wants and less of the risk that the firm does not want. Associated with this is that risk becomes a focus throughout the firm. Defining risk again as future uncertainty, this focus on risk is what the management of the firm should be focused on, as the certain parts of the organization’s operations should be more or less able to run themselves. The focus on risk as future uncertainty implies a focus on true management rather than going through the motions. It is an active form of management rather than a passive or reactive form of management.

This is related to the next major advantage of implementing ERM, namely that a strong ERM allows management to focus on managing the business and setting the strategic agenda, rather than using valuable time and energy wondering about all the things that can alter the strategic plans. In essence, ERM permits management the luxury of “sticking to their knitting” to a much greater extent than they might without ERM. ERM leads to less fire-fighting and crisis management and more time thinking about how to move the organization forward.

ERM increases confidence of management and employees to experiment more, adapt faster and embrace risk in a dynamic matter rather than with timidity that encourages stagnation in thinking and action. The confidence boosting factor has spin-off effects to human resources and the ability to retain good employees and enhanced ability to attract new employees.

The confidence boosting factor of ERM also extends to other stakeholders. Creditors in particular are likely to look more favorably on companies with ERM in place than they would otherwise. A strong ERM system has the potential to not only increase the availability of financing but also to lower its cost. The rating agencies have been including the strength of a company’s ERM system in their assessments for some time, and it is considered as relevant for a ratings analysis as the financial metrics of the firm. The positive view of ERM by stakeholders also extends to insurers, who view ERM implementation as a strong positive when it comes to setting insurability. Equity investors are increasingly active in examining a company’s risk policies, and an effective ERM is seen as a strong positive.

Regulators may be the stakeholder most often associated with ERM. Admittedly ERM implementation is often seen as a regulatory imperative. While we do not deny this, we believe that regulatory appeasement should be a secondary reason to adopt ERM. This is a point that we will return to in more detail later in this chapter. Adoption of an effective ERM process that is integrated with compliance and regulatory issues has the potential to turn the costs of compliance into a positive rather than a negative.

Bringing risk explicitly out into the open is an often overlooked advantage of ERM. When risk is the focus of the operations of the company then risk gets talked about in a healthy fashion, rather than something that is hidden from management and stakeholders. Having positive, transparent, and ongoing discussions about risk is a major driver of the value of implementing ERM. For successful ERM implementations it is frequently the biggest positive surprise. Risk is too often purposively hidden within organizations. Managers try to downplay the risk of their project proposals for fear that being explicit about the risks may lead to the project’s rejection. In such cases risk becomes like a game of hide and seek where managers try to hide or disguise the risks of their projects while other stakeholders try to find the risks in order to alter or shut down the proposal. ERM changes this dynamic for the better and makes risk a natural, expected and visible part of operations. This transparency by itself increases the effective management of risk and certainly improves the dialog surrounding risk.

There are a variety of other ancillary benefits of ERM. ERM is an excellent aid in making significant corporate change. Having a robust risk management framework allows for change to occur more efficiently and confidently. Again, the transparency about risk in the conversations eases the fears and complaints that almost always accompany change. This is a major benefit in an environment of change.

Having a solid handle on risk, and its close cousin uncertainty, also aids in the planning process. Greater certainty and increased stability in results allow for easier and more accurate planning. It also allows for better and more reliable customer service. Financial stakeholders appreciate the more predictable results, which in turn has a positive effect on financing costs.

Ultimately, the major advantage of ERM is simply that it is good risk management. It is a value-added function that increases the efficacy of an organization that effectively implements ERM. Unfortunately, that is not the final bottom line on ERM as the next section discusses.

Disadvantages of ERM

For a book focused on ERM it might seem incongruent to include a section on the disadvantages of ERM. However, we firmly believe that risk is two sided, and so is ERM implementation.

The major disadvantage of ERM is that it is very difficult to do properly. While the focus of this book is on how to successfully implement ERM, there are many common traps that companies fall into, or fail to take proper account of when they start on their journey with ERM.

ERM is difficult to implement for a wide variety of reasons. The main reasons are based on previous biases about risk and the inability to recognize and overcome these biases. The major bias is the inability of the firm, and of its employees to embrace a more fruitful definition of risk, namely that risk has an upside as well as a downside.

In Chapter 4, we will discuss at length setting the objectives for risk management, but at this juncture it suffices to point out that if risk is viewed as simply a negative to be avoided, then that negative attitude will carry over to the implementation of ERM. The one-sided view of risk will diminish many of the advantages of ERM and limit its effectiveness.

Related to the objectives is getting an ERM system that will work with the culture of the organization. This is perhaps one of the most challenging implementation issues. The objectives can be correct, and the correct frameworks and processes for ERM chosen. However, if the ERM does not fit with the organization’s culture, or the culture of the organization is not capable of adapting to the ERM system then everything is doomed to failure.

The issue of culture is not a problem of ERM per se. In fact, culture management is a key issue in risk management whether a risk management system is in place or not. Adopting ERM does not by itself create a bad culture. Although adoption of ERM can be a catalyst for cultural change, it will not automatically bring about change on its own. We suggest that fixing a dysfunctional organizational culture is a separate issue and a topic for a different book than this one. Admittedly, ERM adoption can be a part of a culture change initiative, but it is not the culture change itself. Having said that, an effective ERM system can change the dialog about risk to be much more positive and value-added. However, implementing ERM will be an adjustment for the culture, and as with all such major implementations the fit with the culture is a must. Too often ERM is implemented and the culture forced to adjust. This rarely works without significant effort.

One of the biggest issues with implementing ERM is changing the attitude or the definition about risk. In many institutions, the risk department is seen as “The Department of No!” In such organizations the implementation of ERM will be seen as simply more of “The Department of No!” Obviously such an initiative will not be greeted with positive enthusiasm. As with most implementations, implementing ERM can be an issue of culture management. Positioning ERM as a positive value-added mindset that changes “The Department of No!” to “The Department of How to Manage Risk So Yes is Heard More” is a cultural change that needs to take place. Without such a change, ERM implementation will face many cultural headwinds.

Implementing ERM is costly in terms of the cost of systems, the necessary training, the energy required to change mindsets around risk, and of course the simple hassle of changing the ways of doing things. Additionally, the costs will vary based on whether the organization does an in-house development or incurs the costs of external consulting services. While some outside advice may be helpful, excessive reliance on consultants brings on the usual set of concerns that are involved whenever consultants implement any major initiative; namely lack of internal ownership, the view that the new system is being forced onto the organization, and finally the lack of internal learning that comes through hands-on doing. Additionally, consultants, whether consciously or unconsciously, have a bias toward what they know best, which implies that there is a high likelihood that the implementation will not be sufficiently customized to the specific needs of the organization.

ERM implementation takes a lot of management (Board, employee, and stakeholder) time to set the correct objectives and align the ERM objectives with the strategic objectives of the organization. Additionally, it takes time and effort to actually implement all of the necessary ERM components and processes. There will be a learning curve in seeing which ERM tactics are best suited for the organization and there will undoubtedly be missteps along the way. ERM is a process, and a process does not get finalized on the first pass through. However, rather than viewing these issues as costs, we believe that they should be viewed as investments. The time spent thinking and learning about ERM and how it fits into the organization is not time wasted, but instead is time and energy that develops valuable understanding of how the organization functions and how the organization can best move forward and more effectively achieve its objectives and develop new more far-reaching objectives.

One of the dangers of starting an ERM process is that it tends to become a bureaucracy of its own. Few large organizations have a desire to add another layer of bureaucracy to their probably already bloated structures. One of the authors was attending a training session where the speaker spent two days going through checklists for implementation of each of the 128 cubes for the implementation of the COSO framework. The major risk of attendance was dying of utter boredom. ERM needs to be custom designed for each organization with efficiency and efficacy built into each part of the process. Blindly following a standard framework is an almost certain guarantee of developing a bloated risk management bureaucracy that will be loved by no one (except maybe the charge-by-the-hour consultants) and will be a value destroyer (again for everyone except the hired consultants).

Factors in Deciding Whether to Adopt ERM

There are many more possible advantages and disadvantages of ERM for your organization. When it comes to deciding whether to adopt, the decision should ultimately be based on whether ERM will add value to an organization. ERM adoption should be considered just like any other major capital budgeting project. Do the expected outcomes justify the economic costs, the time and energy required to implement, and the ongoing operational costs of ERM?

Many commentators, including us, suggest that ERM adoption should be subject to not only an economic analysis, but also a strategic analysis such as a SWOT (strengths, weaknesses, opportunities, and threats) analysis. As discussed in this chapter, there are a variety of benefits, as well as potential pitfalls in adopting ERM. A thorough strategic analysis such as a SWOT analysis will highlight these advantages and disadvantages in the specific context of the organization.

While a strategic analysis should give the same ultimate results as an economic analysis, doing both has some added benefits. Firstly, doing both types of analysis gives extra confidence that the right decision to adopt or to not adopt is being made. Secondly, it highlights potential areas of difficulty and of opportunity to respectively avoid or exploit if the decision to adopt ERM is made. Additionally, having both an economic and a strategic analysis helps the organization to ensure that its ERM implementation is proceeding according to its intended objectives and schedule.

The starting point for any analysis concerning ERM is to examine the role of risk within an organization. How important is risk and uncertainty in the organization? Does the organization operate in a stable economic, competitive or operational environment, or are things subject to wild swings or in a state of constant change?

A key factor to ask about the risks of an organization is how interrelated they are. To use an old expression, “when it rains, does it always seem to pour”? If the risks are not highly interrelated, then a more siloed approach to risk management may be more appropriate and more efficient to implement.

Related to this is whether the risks are complicated or complex in nature. You will recall from Chapter 1 that issues that are complicated are subject to management by rules, or laws, such as the laws of science. Complicated risks have well known methods for being managed, and they can be managed in a reductionist manner; that is, they can be managed in isolation from each other. Complex risks, on the other hand, exhibit a property called emergence. Complex risks are not subject to rules or laws, and different results can occur even though the management actions are the same. Furthermore, complex risks cannot be isolated and managed in a complicated manner. Complex risks are holistic in nature, and acting on one part of the issue affects the other parts of the issue. Generally speaking, the greater the amount of complexity in an organization, the more beneficial, and the more necessary, it is to adopt an ERM approach to risk management. Traditional siloed risk management techniques are notoriously ineffective when dealing with complex risks.

The diversity of stakeholders is another factor in determining the role of complexity of the risks. The more diverse the stakeholders, and the more diverse their expectations of what superior performance is from the organization, then the greater the argument for ERM adoption. ERM can be used as an effective mechanism for communicating with stakeholders what the organization is doing in regard to managing their risks and in managing the communication about those risks with stakeholders.

One consideration in adopting ERM is the current state of risk management in an organization. If risk management is currently an area of strength and competitive advantage for the firm, then ERM may not be necessary and may even in fact be inappropriate. Note that the question of assessing the current state of risk management is not a matter of asking whether or not the firm has experienced negative effects of poor risk management. Risk management is a forward looking, not a backward-looking discipline. The question to assess about the current strength of the risk management function is how well it is preparing the organization to face future risks that may affect the organization. The difficulty of doing this is that if risk management is currently poor within an organization then it is not likely to have the expertise to correctly answer this question. In such cases an outside assessment would be justified.

The commitment of stakeholders is key. As previously discussed, ERM requires a significant amount of strategic input and a commensurate amount of resources. Without buy-in from the Board and Senior management, including buy-in to make the necessary investment in strategic thinking required, the adoption of ERM will be sub-optimal. Buy-in will also be necessary throughout the organization. ERM is not the operational job of a specific function—ERM becomes everyone’s function, and the organization from top to bottom must be prepared to accept this and to embrace this.

Just because an organization is subject to a high level of risk does not necessarily mean that ERM is the most appropriate method of risk management. If the risks are not complex in nature, and if the risks are not interrelated, then ERM is not likely to be the most efficient, nor the most effective method of risk management.

Further Reasons Not to Implement ERM

There are two main reasons that are commonly used to start an ERM implementation that generally do not work out well. The first is to develop ERM as a compliance mechanism. The second is to implement ERM because it is faddish to do so, or in a related vein to do it because a key competitor implemented ERM.

ERM is not compliance management, nor is it audit management. Although ERM as a discipline started in response to some of the corporate debacles and the associated regulatory responses such as the Sarbanes-Oxley Act in the 1990s, ERM should not be considered to be a regulatory management tool. Additionally, although many of the ERM frameworks in existence have as their genesis auditing frameworks, ERM is not an auditing tool. Conversely, auditing is not risk management. Auditing measures what has been done and whether what has been done is being done correctly. Risk management is more forward looking and asks what should be done to manage the future.

While ERM can certainly play a major role in compliance, and additionally help in auditing, ERM should not be thought of as a compliance or an auditing tool. The first reason is that having a comprehensive and integrated risk management system such as ERM for compliance is overkill. Most compliance and regulatory requirements are in response to isolated risks and thus are managed in a complicated manner. ERM however is a discipline that focuses on the interrelationships between risks and thus has a much higher standard for management than required by compliance. In part this might be why regulations so often not only fail to prevent the very risks that they are put in place to prevent but also exacerbate the risks. Furthermore, regulators have an objective to eliminate or minimize risk, while a company with an effective ERM system should have the objective of managing risk.

ERM should also not be done simply because it is faddish to do so or because a competitor has adopted ERM. We worked with one small organization that had very simple processes and a well-defined function with simple risks. A Board member however, based on their experience with a very different and much larger, and much more complex organization, insisted that best practice demanded that the firm adopt a highly detailed ERM system that was advocated by a leading consulting firm. It was a classic case of putting a pin-nail in the wall for a picture frame by using a sledge-hammer. The breadth and depth of ERM processes that the small firm attempted to integrate into their operations cost a tremendous amount of time, energy and resources for a set of negative outcomes.

ERM should be adopted based on the unique characteristics, the unique situation of each organization and the unique objectives of each organization. While we believe that a major reason for adopting ERM is for competitive advantage, adopting in response to a competitor means that the organization is responding instead of focusing on the core objectives and what is best for their own needs and purposes.

Concluding Thoughts

The ultimate question about whether to adopt ERM is whether the expected benefits outweigh the costs. The costs of ERM are significant. So too however are the benefits. Organizations wishing to adopt ERM should be very open and realistic about what the expected costs and benefits are expected to be. The benefits of ERM adoption are very significant, and some are totally unexpected. However, the costs can also be significant with negative unintended consequences. Adoption of ERM can be viewed as a risky project in its own right. Careless, or thoughtless implementation has a low probability of producing positive outcomes, while a well thought out approach to ERM implementation has a high probability of producing significant and wide-ranging benefits for the organization.

We, the authors, believe that ERM is a strategic imperative. In the dynamic environment that we find ourselves in, ERM can be a powerful and valuable tool to aid the functions of an organization at all levels. However, like any tool, it needs to be used carefully, thoughtfully and appropriately. Furthermore, it needs to be used consistently and proactively. ERM is not nearly as effective, and in fact may be value-destroying, if employed as an afterthought to a given project or strategic plan.

1 Aabo, T., J.R.S. Fraser, and B.J. Simkins. 2005. “The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One.” Journal of Applied Corporate Finance 17, no. 3, pp. 62–75.
