Enterprise Risk Management must enable evolution in Strategic and Operational Management systems, or it is failing in its purpose.
In 1965 the Ford Mustang automobile dashboard held five dials reporting fuel, temperature, speed, alternator charge and oil status. In addition, there was a radio with two dials and five buttons. This was the sum total of information and environmental control offered to a driver. In the 2020 Ford Mustang a driver gets more buttons just on the steering wheel, and each dial across the dash and media panel offers many times the original information. For example, tire pressure, steering, engine RPMs, and internal indicators ranging from gas mileage to emission sensors to electrical issues let the driver observe performance as it happens. Many warning systems integrate through a more sophisticated computer system to warn of fluid levels, road conditions, blind spots, and distance from other vehicles or obstacles. Such systems can even react by applying the brake more quickly than normal human response can manage. Environmental controls allow the driver to choose the temperature of the air, seat or steering wheel. They can also choose how to interact with the available media or connect personal devices to expand the options available while traveling. The car can become an extension of individual needs, enabling productivity and comfort.
The Important ERM Question
So, the important question today is: has there been an equal revolution in the quantity, quality, integration and type of data available to an Executive or Manager about their organization? If we looked at what the average manager monitored in 1965, how different is the data monitored today? Of course, data will be more sophisticated based simply on computing evolution, but more importantly, what system integration across operations has happened to place all necessary data at the fingertips of the most important decision makers? Data on operational conditions and evolving risks flows continually through most organizations, but unfortunately that data seldom integrates to the benefit of the driver (Manager).
Enterprise Risk Management theory is first and foremost an acknowledgement by the many types of “risk professionals” that act daily in the organization's interest that their overall perspectives could more directly help management make important decisions. These risk professionals are those who receive business objectives to mitigate and control negative risks facing the organization. They typically include departments such as Compliance, Insurance & Business Continuity, Information Security, Safety and Physical Security. These functions act like the Mustang's automatic braking system or the warning indicators. Other departments also participate in managing unique risks that are encountered through operations; these are typically Human Resources, Legal, and Quality, to name a few. These functions are like dials that show a part of operations heading off the rails, a dying battery or a plugged fuel filter. Meanwhile the average Manager is filtering through productivity reports from each component that makes up their operations. Their goal is typically an output goal, meaning that they will squeeze operations for all the juice it can muster to reach that goal. This motive, while useful to productivity, can harm long-term operations and capability. Or worse, it can introduce tremendous new risk.
When ERM was first conceived, in 2004, it was treated as a “risk thing.” In short, Management did not bite, but granted the different risk functions the right to work together to make a list of what they collectively care about most. Then management would respond to the top items on the list. So rather than adding hazard-mitigating indicators to management systems, the result was event management for a few potentially bad events. In recognition of this misinterpreted ERM attempt, both major ERM standard setters, COSO in the US and ISO internationally, updated their models (2017-8) to define risk in parallel with objective success, and to emphasize operational integration.
Barriers to Management System Evolution
Even though ERM has been around for 16 years, there are few if any examples of ERM enabling the evolution of Management systems. Why?
So where should a good Executive or Manager seeking management system evolution start? Get acquainted with components that are getting closer to the solution.
ORGANIZING RISK – Progress is being made, particularly when it comes to standards for risk. For example, ISO 31000 in 2009 defined risk as “the effect of uncertainty on objectives”. In short, you cannot get away with defining a risk without defining which business or strategic objective is “at risk.” This gives Executives or Managers a framework for organizing risk information by the business and strategic objectives they manage. Imagine if all the risk concerns and actions taken by risk functions were tagged with an operational or strategic objective, or even just the department responsible for that objective. What would each operational manager find in their bucket of risk? This is a start.
INTERNAL CONTROL – The idea of controlling an outcome is natural to a Manager, but for years the “controls” risk functions have talked about have not made sense to Managers. That is because they were speaking of different types of internal control. The Internal Audit profession, an originator of internal control concepts, has good examples of the different types of internal control.
The world has changed, and tomorrow's Executives and Managers need all the information they can get. The path to more effective evolution in management systems lies in the ongoing efforts of Enterprise Risk Management, the evolution of Internal Audit, and the many risk functions across the organization producing valuable information. However, it is on Management to create a system out of that information that benefits its strategic and operational decision makers.