Causes of Failure in ERM Implementation
IERP’s first Tea Talk for March 2022 was presented by Group CRO of GHL Systems, Dunstan Gerald Maurice. A certified Enterprise Risk Manager (ERM®) and Faculty Member of IERP®, he has more than two decades’ exposure in banking and financial services, and compliance advisory. The focus on the pandemic over the last two years has shifted amid rising tension between Russia and the rest of the world over the Russian invasion of Ukraine. With many organisations still recovering from the economic ravages of the pandemic, there is an increased need for more concerted application of ERM.
“ERM is a top-down strategy that aims to identify, assess and manage the organisation’s potential risks,” Dunstan said. “Its main goal is to achieve strategic objectives, not to stop business entirely or to stop projects entirely.” It is also about gaining more opportunities and increasing competitive advantage. Properly applied, ERM results in better decision-making, and improved organisational sustainability, agility and resilience. Embedding ERM in the day-to-day decision-making process is beneficial to the firm. It involves the whole organisation, and is not just about the risk management department doing it; it cannot be developed or implemented in silos.
Before expanding on why ERM implementation sometimes does not achieve the desired levels of effectiveness, Dunstan covered its benefits, such as developing the organisation’s ability to respond to risks, increasing its operational efficiency and effectiveness, and saving time, resources and assets. This is in addition to developing greater awareness of risks confronting the organisation in its efforts to achieve its objectives and improve stakeholders’ confidence. “The end goal is to achieve the organisation’s objectives and, of course, improve the confidence of business partners, associates and clients as they see how you manage the assets.”
He also gave an overview of the ERM implementation process, from developing the ERM foundation, to identifying stakeholders and assessing risk, to risk response, mitigation, measurement and reporting. “ERM is not about the risk management department doing it,” he said. “Everyone identifies and assesses the risks in their respective units, and then these are channelled up. That mindset, that culture – needs to change. Everyone needs to understand who the stakeholders are.” He cautioned that checks and balances were necessary to ensure that mitigative measures worked, adding that these should also be challenged, because mitigations need to change as situations change.
He listed six causes of failure in ERM implementations:
- Poor governance or tone at the top
- Reckless risk-taking
- Immature ERM projects
- Lack of transparency in high-risk areas
- Ineffective risk assessment or identification
- Ignoring the dysfunctionalities and ‘blind spots’ of the organisation’s culture
“Effective leadership and management drives risk management to perform at their greatest capacity,” he pointed out. Unfortunately, many companies tend to view ERM as a paper exercise if they are not regulated by the central bank. He cited an example where every department, instead of having proper RCSAs (risk and control self-assessments), had just a checklist of the department’s daily activities to check against. The boxes were checked off by the designated person, then handed over to the department head at the end of the day – and that was considered the organisation’s risk assessment! “Failure to get top management to understand what risk management is, is always a challenge,” he said.
Remarking that not all board members fully understand risk and risk management, he said that this often prevents them from further exploring the potential of ERM because they are not confident enough that it is the right thing to do. This lack of confidence at board level can also affect management’s attitude towards risk management, as management often takes their cue from the board. “Management often focuses on short-term goals and achievements, which they can see. The rest is secondary to them,” he said. Believing that the board knows best, management may sometimes also fail to realise that there are shortfalls in this area.
ERM relies on disciplined, not reckless risk-taking, he said. Boards only have information that is provided by management, even when they want to grow the organisation or enter new markets; the whole picture may not be given to them. ERM puts processes in place so that the organisation knows what it is getting into. Indicators of reckless risk-taking include the lack of oversight by the board and the lack of an independent risk function. “There are no risk appetite statements or anything which ensures well-guided risk-taking within boundaries,” he said. “If you don’t set boundaries, you will keep pumping more money into the business just to survive.”
Immature ERM projects are mainly mediocre efforts at implementing ERM which fail because they are constrained by resources and watered down. Cautioning against sugar-coating risks and information, he said that this will turn into start-stop activity that cannot be sustained when it goes live. In the long term, ERM is rarely escalated to a strategic level: the problems are known, but no one wants to highlight them. “Nobody wants to be the bad person who is seen to be preventing the company from growing,” he said. “Nobody wants to rock the boat, so they hide information and pretend they don’t know about it, and it doesn’t get recorded.”
If there is no organisational policy or emphasis on ERM, compounded by a lack of support from management and key stakeholders, there will be no buy-in from senior management; if the board doesn’t understand, the organisation will see no need to apply it. The implementation of ERM may just be delegated to officers who lack the authority to drive it and follow through effectively. This leads to an inability to respond to the board. “No one will be able to give a clear explanation (to the board) about what is being done,” he said. The lack of transparency in high-risk areas will ultimately lead to a lack of information, which will make decision-making difficult for management.
“They will not be clear about the risks which may or may not happen,” he explained. “All of this will lead to increased complexity in communications, resulting in a blurring of the ERM function, and the end goal of the organisation.” He urged practitioners to thoroughly think through the processes of the project, and consider its possibilities and pitfalls. The true level of risk that the organisation is taking is not known. The board wants more transparency across the organisation but cannot get it because everyone is operating on their own. “The board of directors becomes ‘blind’ when it comes to decision-making,” he asserted.
When key risks are not identified properly and effectively, it leads to uncertainty and unexpected surprises. Documentation may be done correctly, but nobody checks or confirms this; follow-up may be lacking, and this shortfall may appear only when it is too late, and the organisation may experience losses. Every organisation deals with risk differently because they have different products, processes and businesses; thus, they will differ in terms of risk assessment. “ERM has to be used in a way that is specific to the organisation’s needs or requirements,” he advised, adding that it is always good to have several other ‘fresh eyes’ looking at the mitigative measures that have been put in place.
Mitigations may not be reviewed or challenged. Independent or unbiased observations can help the organisation to better gauge the effectiveness of such measures. As for dysfunctionalities and blind spots of an organisation’s culture, he said that as risk management gains traction, a culture change becomes necessary so that everyone understands what risk is – not just the board and management. They need to understand why ERM is important. “Risk is not fraud, it is not trying to stop you from doing something,” he said. “It is not Audit saying that you’ve done something wrong; nor does it mean looking at risk as a bad thing.”
Having covered the main reasons why ERM implementation often has less than stellar success, he suggested several ways of addressing the challenges, starting with getting management buy-in. Emphasising the need for lower levels to communicate with upper ones, he said this was imperative for channelling information to senior management and the board, although there was a constant fear at lower levels of being reprimanded. He urged the building of relationships so that staff at all levels will not hesitate to communicate their problems or issues. Merely giving instructions will not work.
Besides an appropriate tone from the top and the proper attitude of the board and management towards ERM, an appropriate risk culture should be developed throughout the firm, to determine risk tolerance and risk appetite. The authority to deal with different risk functions should be delegated accordingly, and there should be clear communication throughout the organisation. The risk function should not be diluted as part of someone else’s role; it has to be an independent role. “Top-down (communication) drives the tone, bottom-up gives the information,” he said. A comprehensive risk framework should guide the implementation of ERM.
Either ISO 31000 or the COSO ERM framework may be used, with adaptation to the organisation’s particular needs. Processes need to be constantly updated and refreshed. “It’s not a one-time exercise,” he said. “It is an ongoing one.” He said that despite implementing ERM in his organisation almost five years ago, the uptake was currently only at about 60%-70%. This could be attributed to the extent of cultural change that is necessary, and the acceptance of ERM. “Getting everyone aligned does not happen overnight,” he cautioned. ERM is at the core of decision-making, and needs to be applied at the start of projects; it needs to stay continuously at the core of the business.
Concluding, he said that risk management does not eliminate risk; rather, it provides a platform to manage risk. “Don’t use it as a tool to stop the business,” he said. “If there’s no risk, there are no returns. Risk managers assist the organisation in making risk-based decisions. They know what the pitfalls are, and how to avoid these. They help businesses implement their projects. If something happens, they know how to react to it.” While most traditional business models tend to look at threats, ERM focuses on opportunities, he added, but the tone at the top is key. “The top-down approach is important, supplemented by bottom-up communication,” he stressed. “It’s two-way, not one-way communication.”