ERM: Doing It, and Doing It Right
Steven Minsky | April 28, 2014
Jeffery Reynolds’ article in ABA Banking Journal, “ERM: Getting it, and getting it right”, equates the definition of Enterprise Risk Management with happiness.
Before you start with ERM, you have to define it. If it were only that easy to nail down the definition of ERM—but it is not…Defining ERM is like defining happiness. Happiness is not the same for me as it is for you. Nor is it the same for me today as it was 20 years ago. And what drives happiness today will likely not be what defines happiness in a year or two.
Although Reynolds makes key points about the “interconnectivity” of ERM and its misinterpretation as a check-the-box activity, ERM is not like happiness. ERM is an action. You either do it, or you don’t.
Organizations do not need to do Enterprise Risk Management the same way, focus on the same goals, or follow the same best practices. But those best practices – a root cause approach, the iterative steps of identify, mitigating, and monitoring – do not require discovery. They are known, and they can be implemented at any organization of any industry or size.
Consider GAAP, a set of accounting standards that can be used in any given jurisdiction. GAAP includes rules, standards, and conventions that assist in the creation of financial statements and help accountants do their job well. GAAP is to accounting what ISO, COSO, and other such frameworks are to ERM. Your accounting department uses a general ledger software to turn these best practices from a good idea into practice. The general ledger is to accountants what ERM software is for risk managers. It makes their work real, their results actionable, and ensures they follow best practice.
Reynolds argues that the process of moving through a discovery phase and discussion of risk creates value because ERM becomes, like happiness, a mindset that can drive strategic decision making.
The problem with relying on the discovery process is that the very value that Reynolds’s recognizes in the process cannot be made actionable without tools that make the “interconnectivity or risk” transparent for risk managers and executives alike.
Have you ever been in a meeting with a fantastic exchange of ideas, but watched helplessly as those ideas floated off the second each stakeholder stepped out of the room?
ERM software is designed to capture those ideas by linking what your organization is doing, the controls, metrics, policies and so forth, directly to the risks and goals being identified. Without that link between good ideas and concrete activities, a mindset is just a mindset, and boards make decisions based on metrics, not mindsets.
The “interconnectivity or risk” that Reynolds correctly identifies as the value or ERM cannot effectively exist as a mindset, it requires a taxonomy. In trying to define happiness, Reynolds says that people “seek the counsel of experts and ‘gurus’… They attend seminars, buy books, and hear testimonials.”
He’s right. Those activities don’t create happiness, nor would they generate value for an ERM program. The value is made in executing the steps of an ERM process, and utilizing the correct tools to connect those results to the strategic goals of your organization.