Former Yankee baseball player Yogi Berra, known for his insightful malapropisms, once said, “In theory there is no difference between theory and practice. In practice there is.” This would be an apt description of the current state of enterprise risk management (ERM).
In theory, ERM is useful in addressing the question, “What is the best use of corporate resources to create or protect the most value for the enterprise?” Yet in practice, with a few exceptions such as the successful avionics firm Rockwell Collins, it has fallen woefully short of meeting this objective.
Over the past decade-plus, organizations have found ERM extremely difficult and costly to implement, and many early ERM adopters are now shying away from it. There are several reasons why, among them the top-down nature of ERM. The definition, design, and rollout of any enterprise-wide process require significant funding as well as continuing senior management attention and support, both of which are always in short supply.
In addition, while ERM is intuitively attractive, it is hard to quantify exactly how much benefit it actually produces for an organization. Doing so requires proving a negative: showing that a risk mitigation action the organization took kept a risk from materializing, when that risk might never have occurred anyway, with or without the mitigation.
Furthermore, ERM demands consensus among various stakeholders with competing organizational objectives and agendas as to what does or doesn’t constitute a material risk and when, how, or to whom a risk should be communicated. ERM requires a major change in an organization’s risk-taking and communication fabric, which has proven difficult to knit together in practice.
Organizations have also found, from a pure bureaucratic standpoint, that the processes needed just to identify, collect, assess, and then prioritize risks in some meaningful manner are extremely time- and resource-consuming. As a result, ERM has come to be viewed in many organizations as a disruptive “check-in-the-box” burden that does not inform decision making and is best avoided if one wants to get “real work” done.
Besides the sheer logistical and training issues involved in implementing ERM across an enterprise, there is the unintended consequence of making risk management look “elitist,” the responsibility of risk managers rather than of everyday line managers. In other words, enterprise risks and their management have become isolated from the day-to-day decision making that ERM is supposed to improve. This is ironic, as a major raison d’être of ERM is to make risk a requisite consideration in enterprise decision-making conversations.
Then there is the “tyranny of small decisions” issue. Intel Chairman Andy Grove once noted that Intel’s corporate strategy is formulated at the fingertips of his people; Intel’s employees create the corporation’s future through the thousands of small decisions they make every day in their dealings with customers and suppliers.
While poor strategic decisions bring about corporate failures (witness the numerous dot-com company failures, such as Webvan and Pets.com), failures are often the result of an accumulation of numerous small decisions that, in retrospect, can be seen as drivers of the eventual organizational failure. At the time and in their context, those decisions may have seemed entirely reasonable from the decision maker’s point of view. The problem is that the decisions, each of which commits scarce organizational resources, may be locally optimal but globally suboptimal in terms of enterprise risk exposure. The classic example from economics is “the tragedy of the commons,” in which herders are all able to graze their cows on a town common. Since no individual herder has an incentive to keep his or her cows from grazing, the grass on the common is soon depleted. Similarly, a single line manager may take an outsized risk that by itself does not appear dangerous to the organization, but the cumulative effect of a number of managers taking comparable risks can be fatal. The JPMorgan situation is one example.
In an analogous way, an organization’s program, project, and operational managers will often make decisions that optimize their local success at the expense of organizational success. This “corporate risk-taking disconnect” happens because managers typically make decisions based on avoiding the potential for personal loss rather than on increasing enterprise success.15
The most contentious aspect of ERM, and the one that leads to its eventual demise in organizations, is defining an agreeable risk appetite (i.e., how much risk is the organization as a whole willing to accept to accomplish its objectives?) and then translating it into a risk tolerance limit that managers at the organization’s operational level can use to make decisions involving risk. A related obstacle, the need for an accepted approach to risk estimation that is logically consistent, mathematically sound, and relatable to both risk tolerance limits and the organization’s risk appetite, is similarly challenging. We find the inability of organizations to confidently answer the questions “How large is the risk?” and “Is it material to the organization?” at the heart of every failed ERM effort.
For risk to be managed successfully across the enterprise, it must become an integral part of daily decision making. The only way to achieve this objective, we believe, is to create a level playing field among risks, problems, and opportunities.