Manage Tomorrow's Surprises Today

Steven Minsky

Myth Buster: Risk Management fears and doubts


Risk managers frequently come to me in fear and doubt asking for advice on how to move forward with their Enterprise Risk Management programs. Here is a typical recent inquiry:

"I am researching and reviewing for the best approach for my organization. I have also talked to some consultancy firms. My initial thought is to select a suitable Enterprise Risk Management software package which could guide us through the various stages of risk management and generate different risk reports to different levels of management. However, in the course of my research, I also came across some sources which advised that ERM software should be the last thing to consider in the implementation of risk management. Could you help clarify my doubts and concerns?"

Below are a few of the self-serving myths told by consultants to create fear and doubt in the hearts of risk managers:

Myth: Software is the last thing to consider - The first priority is to get buy-in from the CEO and the senior management team that enterprise risk management is needed, and to establish the mandate and timeline to get this accomplished. After appointing a responsible executive to manage your ERM program, software is next on the list, as the best way to adopt best practices within a sustainable process. Select software that has embedded industry best practices. Best-practice frameworks include the Australian Risk Management Standard, COSO ERM, COBIT 4.0 and Standard & Poor's ERM, among others. Make sure you select a software package that requires little or no training. Speak with the software vendor's customers about how easy the software is to use. Consulting proposals greater than 5-10% of the software purchase price are a red flag on ease of use. Note that a consulting-first or consulting-only approach without the software infrastructure is the biggest red flag: these best practices and methodologies will quickly be forgotten, and the consultants will have a perpetual source of income training and re-implementing their services.

Myth: Quantitative risk assessment is better than Risk Control Self Assessment - The right answer is that you need both. According to a recent survey by the Global Association of Risk Professionals (GARP), only 12% of companies are using a quantitative-only approach and 29% a qualitative-only approach, while 59% are doing both. (You can access a copy of the GARP survey on my website.)

Enterprise risk management is about bringing together a risk picture from the entire enterprise (credit, market, operational risk, etc.) using a variety of qualitative methods like Risk Control Self Assessment along with complementary quantitative methods. Here are the reasons why:
a) There is insufficient data available to use traditional quantitative methods to quantify operational risk. Risk Control Self Assessment is best suited for this purpose.
b) Coverage is the main issue for Enterprise Risk Management: quantitative methods are 10 times more expensive and at best can be applied to only 10-15% of the risk threats facing an enterprise. The Risk Control Self Assessment approach is proven to help management discover and uncover risk across the entire enterprise. Risk control self-assessments prioritize the risk threats and performance opportunities that need follow-up with deeper analysis, including quantitative methods.

The next time a wolf suggests you not put a perimeter around your hen house, consider the source and the agenda behind the recommendation.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven Minsky is CEO of LogicManager Inc., a leading provider of ERM infrastructure solutions. He is the developer of the Risk and Insurance Management Society (RIMS) Risk Maturity Model for ERM, author of the RIMS "State of ERM 2008" Report and a RIMS Fellow (RF) instructor on ERM. He is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com. View more
