Evolving Management Systems – Leveraging ERM
Enterprise Risk Management must enable evolution in Strategic and Operational Management systems, or it is failing in its purpose.
In 1965 the Ford Mustang automobile dashboard held five dials reporting fuel, temperature, speed, alternator charge and oil status. In addition, there was a radio with two dials and five buttons. This was the sum total of information and environmental control offered to a driver. In the 2020 Ford Mustang a driver gets more buttons just on the steering wheel, and each dial across the dash and media panel offers many times the original information. For example, tire pressure, steering, engine RPM, and internal indicators ranging from gas mileage to emission sensors to electrical faults let the driver observe performance as it happens. Many warning systems integrate through a more sophisticated computer system to warn of fluid levels, road conditions, blind spots, and distance from other vehicles or obstacles. Such systems can even react, applying the brake more quickly than normal human response can manage. Environmental controls allow the driver to choose the temperature of the air, seat or steering wheel. They can also choose how to interact with the media available, or connect personal devices to expand the options available while traveling. The car can become an extension of individual needs, enabling productivity and comfort.
The Important ERM Question
So, the important question today is: has there been an equal revolution in the quantity, quality, integration and type of data available to an Executive or Manager about their organization? If we looked at what the average manager monitored in 1965, how different is the data monitored today? Of course, data will be more sophisticated based simply on computing evolution, but more importantly, what system integration across operations has happened to place all necessary data at the fingertips of the most important decision makers? Data on operational conditions and evolving risks flows continually through most organizations, but unfortunately that data seldom integrates to the benefit of the driver (Manager).
Enterprise Risk Management theory is first and foremost an acknowledgement by the many types of “risk professionals” who act daily in the organization's interest that their overall perspectives could more directly help management make important decisions. These risk professionals are those who receive business objectives to mitigate and control negative risks facing the organization. They typically include departments such as Compliance, Insurance & Business Continuity, Information Security, Safety and Physical Security. These functions act like the Mustang automatic braking system or the warning indicators. Other departments also participate in managing unique risks that are encountered through operations; these are typically Human Resources, Legal, and Quality, to name a few. These functions are like dials that show a part of operations heading off the rails, a dying battery or a plugged fuel filter. Meanwhile the average Manager is filtering through productivity reports from each component that makes up their operations. Their goal is typically an output goal, meaning that they will squeeze operations for all the juice it can muster to reach their goal. This motive, while useful to productivity, can harm long-term operations and capability. Or worse, it can introduce tremendous new risk.
When ERM was first conceived in 2004, it was treated as a “risk thing.” In short, Management did not bite, but granted the different risk functions the right to work together to make a list of what they collectively care about most. Then management would respond to the top items on the list. So rather than adding hazard-mitigating indicators to management systems, the result was event management for a few potentially bad events. In recognition of this misinterpreted ERM attempt, both major ERM standard setters, COSO in the US and ISO internationally, updated their models (2017-2018) to define risk in parallel with objective success, and to emphasize operational integration.
Barriers to Management System Evolution
Even though ERM has been around for 16 years, there are few if any examples of ERM enabling the evolution of Management systems. Why?
- The Cowboy Manager – the person sitting in the driver's seat brings with them intuition, experience, and skill, but all too often they also introduce error and fall prey to a variety of biases. For example, “Because I am in this chair, I know what needs to be known to make the right decisions.” Or, “I do my job and everyone else will do theirs.” This biased reality is illustrated in many studies on critical thinking. Only the Executive or Manager has the power to open the door to the creation of additional integrated data intended to guide them more effectively. They must work with risk professionals and their operational engineers to set higher data expectations, and leverage ERM.
- Broken Governance – The deepest and longest-lasting scars on any organization are created when the Board of Directors and the Executive Team do not understand their roles or are indifferent to them. Boards that overstep their oversight and begin managing the organization violate the trust of the Executive Team, and cause cascading and damaging survival-of-the-fittest cultural scenarios. Boards that are a rubber stamp for Executives enable their Executives to build little kingdoms of power supported by their favorite cheerleaders – nearly every large failure started here. Healthy Board oversight, codified in Bylaws, Board Policy and Executive Policy, is the only fertile ground capable of growing a trusting culture that can more easily evolve valuable management systems without fear of political reprisal.
- Standards – Whether you are speaking of light bulbs or batteries, standards are important. They are important here as well. What standard can integrate Management and ERM data? Without standards, we can end up with a lot of useful items that do nothing for us. Risk and control data has come a long way over the last decade, but it still requires an interpretive perspective. If you are receiving risk and control data from your SOX auditor, it will be about a financial control. If it comes from Compliance, it will be about a rule or regulation. What is missing for the Manager is organization and/or interpretation of the data that can show what will matter to business choices and decisions.
- Enabling Technology – In 2002 several big tech companies got together with consultants and auditors to define what the ideal application for getting risk and control data to managers would look like. The applications created out of this effort started the GRC technology evolution, which now generates more than $20B annually. Unfortunately, due to management saying ERM was a “risk thing,” most of these applications turned into tools enabling risk function objectives rather than prompting management system evolution.
So where should a good Executive or Manager seeking management system evolution start? Get acquainted with components that are getting closer to the solution.
ORGANIZING RISK – Progress is being made, particularly when it comes to standards for risk. For example, ISO 31000 in 2009 defined risk as “the effect of uncertainty on objectives”. In short, you cannot get away with defining a risk without defining which business or strategic objective is “at risk.” This gives Executives or Managers a framework for organizing risk information by the business and strategic objectives they manage. Imagine if all the risk concerns and actions taken by risk functions were tagged with an operational or strategic objective, or even just the department responsible for that objective. What would each operational manager find in their bucket of risk? This is a start.
INTERNAL CONTROL – The idea of controlling an outcome is natural to a Manager but for years the “controls” risk functions have talked about have not made sense to Managers. That is because they were speaking of different types of internal control. The Internal Audit profession, an originator of internal control concepts, has good examples of different types of internal control.
- Hazard Controls – These are typically the expectations of a risk function that a negative risk be directly mitigated by a management action plan. Think of a legal exposure that requires some mitigation plan. Or a new law. Most risk functions, with business objectives to mitigate a type of risk, prefer managers who take direct action on the risk, even when it is not efficient for overall operations.
- Operational Controls – In the last decade the internal audit profession, whose 2015 mission statement says the profession's mission is to “enhance and protect organizational value,” has done much to talk about effective Management Controls. In short, these “operational controls” include expectations of what good management does. For example, a good manager sets up oversight for objectives, and good management assembles people, process and technology in a way that increases and grows capacity over time. Innovation in internal audit has leveraged capability maturity models to comment on the maturity of management oversight and operational alignment controls. These should be the controls most familiar to good managers. However, these are still the controls least understood by risk professionals outside internal audit.
- Strategic Controls – As ERM began to fail often around 2010, and Managers started to do the math on the investment in ERM versus the value it delivered, a few innovative souls looked to save ERM with a focus on Strategic goals. In 2016 this effort, focused on Strategic Risk, integrated nicely with the concepts of formal Decision Making. Decision Science, more than 40 years old, focuses on objectively clarifying the choices involved with the best available data. It then tests that data against cognitive biases, helping management be prepared to take known risks. This created an easy checklist of what should happen for the best strategic choices to be made (i.e., Strategic Controls).
The world has changed, and tomorrow's Executives and Managers need all the information they can get. The path to more effective evolution in management systems lies in the ongoing efforts of Enterprise Risk Management, Internal Audit evolution and the many risk functions across the organization producing valuable information. However, it is on Management to create a system out of that information that benefits its strategic and operational decision makers.