By Ray Vazquez on December 09, 2021
Vertex11 was recently invited to speak to over sixty leaders of Enterprise Risk Management (ERM) practices across the United States. At the conference we conducted a survey, which actually reinforced what we already knew. Before we dive into some of the results, it is important to mention this was a bit of an experiment on our part. An ERM survey was conducted by PricewaterhouseCoopers (PWC) in 2004, then again in 2008. (You can see the 2008 survey here.) Many of the issues facing ERM did not change during that timespan. There was also a 2013 survey on the state of ERM conducted by the Risk Management Society (RIMS), which revealed that the perception of ERM had not changed between 2008 and 2013 either. It was our hypothesis that the same issues that plagued ERM back in 2004 are still present today in 2021. Let’s dive into some results and then we will give you our takeaway.
ERM is more important than ever, yet not reflected in organizational actions or culture.
Today, risk is on every organization’s mind to a certain extent, as long as it does not get in the way of an agenda, timeline, or budget.
In 2008, the PWC study revealed: “ERM programs may simply be perceived as an additional layer of bureaucracy within the business rather than being integral to how it runs.”
Our 2021 survey reveals not much has changed in nearly twenty years.
Here are some of the results we found most telling.
Signs that ERM is seen as a roadblock and not a collaborator
ERM is not:
• Involved in company strategy (54% say no or not often)
• Invited to review new products in development (61% say no or not often)
• Poached by other aspects of the business (56% say no or not often)
• Needed to keep up with demand (58% don’t grow their teams)
• Engaged in significant transactions (68% say no or not often)
Some high-level perspective on why ERM has been frozen in time.
Reason #1: Three lines of defense does not work.
We feel each line is worried about keeping other lines accountable versus working together. Plus, the 2nd and 3rd lines use their roles to influence strategy versus helping to achieve the strategy.
Reason #2: ERM is perceived as compliance rather than strategy.
ERM needs to be a strategic approach to find every risk and assume every deficiency is a risk management failure. Twisting it up in compliance does not make sense.
Reason #3: There is an inability for ERM to demonstrate value.
Programs continue to be perceived as irrelevant to helping management, and as a team they are not a trusted advisor.
What ERM can do to break out of this vicious cycle and gain the respect it deserves.
There is an old saying about the definition of insanity. It is doing the same thing over and over and expecting different results. Organizations need to look at what they have been doing for the past twenty years and ask why very little progress has been made. It is not from a lack of investment in ERM. Companies have poured significant amounts of capital into big ERM consulting firms to find answers, yet not much has changed. At some point, programs need to stop drinking from the same old wells and try digging a new one to achieve a different result. If you do that, maybe the insanity stops, and a better path is revealed.