The state of EWRM part I – EWRM’s broken promises

EWRM, the all-encompassing solution

In the late 1990s, EWRM, or Enterprise Wide Risk Management, held a great deal of promise for a lot of organizations. No longer would issues be dealt with in isolation. The same or comparable problems would no longer be solved multiple times in different ways, with the inevitable incompatibilities between the solutions. And solutions would no longer be implemented and then never monitored again. Organizational effectiveness would peak. Enterprise Wide Risk Management, Enterprise Risk Management, EWRM, ERM … was an all-encompassing approach that would help organizations integrate learning, quality, and process and controls optimization into the treatment of the risks, or issues, threatening the achievement of their objectives.

In addition, we would no longer try to get every single problem under control. Instead, a method of prioritizing risks would be put in place, allowing us to make conscious choices about what to “manage” first, in effect optimizing our risk treatment.

Taking credit

Except it never really turned out that way, now did it? Most improvements in collaboration within divisions, or even between divisions, of an organization are not due to E(W)RM; they can be linked to communication technology becoming more widespread, more used and better understood in organizations. Regular adaptations of processes to make them more effective in achieving their stated goals are the result of an entrenched, almost intuitive understanding of the Deming quality improvement cycle of Plan-Do-Check-Act, not of applying ERM methodologies.

There are many more examples to be given, but risk management has not been the great saviour of organizational performance. On the contrary, the biggest proponent of EWRM in the late 1990s, Arthur Andersen, was unable to protect its own license to operate from being taken away, due to its lack of proper internal risk management in the Enron case.

More and more practitioners struggle with risk management, especially with ERM or EWRM. Why?

Disenfranchising process owners

On the face of it, ERM is a no-brainer. You cannot say “no” to the intent to manage the risks to your organizational objectives. That much is obvious. However, who should manage these risks? This is a fundamentally irrelevant question, and it has created a lot of problems in the proper application of risk management. Let me explain.

Remember internal controls development, such an important part of the original COSO framework? I’ve seen many an organization where internal controls development fell under the responsibility of the internal controls department. As a result, the process owners in whose processes the internal controls were being implemented felt, and effectively were, disenfranchised, and refused to take final responsibility for these controls, even though the controls were meant to be an integral part of their processes. Internal controls became separate from the process itself, with the result that many internal controls were abandoned as soon as a process came under pressure … the exact moment at which those controls should have been functioning at their best.

ERM befell the same fate. Risk managers were charged with managing the risks to the strategic and operational objectives of an organization. Few people stopped to realize that ensuring goals are met through the execution of certain activities is a responsibility that has already been assigned. It belongs to the process owner, who manages a process for a specific purpose: to achieve a stated objective. What the process owner does is, put simply, achieving those objectives, and that is what he or she is being compensated for.

However, by putting someone else in charge of the “management” of risks, we disenfranchised these process owners once more. We took away part of their responsibility, and hence part of their accountability. And shared responsibility is often no responsibility at all.

Does that mean that E(W)RM is a false concept with no role to play? Do I imply that risk managers have no function? Not really, but I do believe we have been making a number of erroneous assumptions when talking about the best way to deal with risks. I’ll get into that in another blog post in this series.

In conclusion

E(W)RM has overpromised and underdelivered. It disenfranchised process owners and took away from their accountability, thereby increasing risk exposure rather than reducing it.

Up next …

In the next blog post, I will give you my view on how and why the E(W)RM model evolved, or was developed, the way it did. We need to examine not only what does not work, but also what E(W)RM got right and how we can use that in the current context.