Risky business: The pitfalls of ERM
James Field of CompliSpace speaks to Corporate Risk & Insurance about the pitfalls of ERM and how to best structure your risk management strategy.
Video transcript below:
Interviewer: You say that ERM won’t work in an organisation that doesn’t have an engaged management team that encourages open debate. Why is that?
James Field: Look, the essence of it is, with risk management, it’s all about looking into the future, it’s about predicting events that will impact either negatively or positively on your business and in order to do that, you’ve got to have a culture that allows debate within the organisation, so that individuals can raise issues right from the bottom, from the frontline all the way up to the Board of Directors. They can actually raise issues and bring those to the attention of the Board. Without a culture which allows that, it simply won’t happen.
Interviewer: What can risk managers do to foster a good working culture?
James Field: It’s really about walking the talk. So it’s not the risk managers so much, but it’s also the Board of Directors and the executive management team. So you know they have got to walk the talk from the beginning, they have got to actually truly believe in the process and start, get the debate going, encourage debate among their staff, you have got to have a culture that allows people to actually say what they mean, without having their heads chopped off essentially. So that’s the first thing.
The second thing is you need a really good communication strategy internally, so people are actually getting the information you want. The third thing I think is that they need to, you need to ensure that there is a very robust risk framework put in place. So you have got a common risk language, you have got a way of identifying risks, you have got a way of controlling risks, that all helps build the culture and probably you know to raise you know another area is aligning risk and reward. So a really good example of that is things like performance reviews for staff. If you are going to do performance reviews and you want them to comply, build compliance into the performance review for the staff member.
Interviewer: What can risk managers do to demonstrate the value of ERM?
James Field: I think the key thing here is to remember that risk management is just good management at the end of the day. You could nearly cross the word risk out and put the words good management, and the other thing is that you need to realise it’s the basis of running a business, because with risk management, you are in business, you are taking risks because you are going to get reward. So if that’s the starting point and all the board and executive understand that, all ERM is really doing is formalising the methodology around risk management, alright. So you know, the key thing there is, the first step in the risk management process is what they call communicating and consulting. So communicate and consult being the first step in the process, don’t presume that your Directors and your senior executives actually understand core enterprise risk management principles like the ISO 31000 principles, because quite often they won’t because they didn’t get taught it at University, it’s quite a new concept. So start with that, make sure that they understand those principles. Once they understand those principles, the likelihood is that they will automatically just see the value, because it’s really just collating information within the organisation, so that information can get up to the Board in a manifold fashion.
Interviewer: Why do you think Excel spreadsheets don’t work in an ERM context?
James Field: Yeah, look they just, they can’t work by definition. They are very useful, spreadsheets are useful to identify risk, to put the likelihood and consequence against the risk, you can use Vlookup tables and make it fancy. Where risk, Excel spreadsheets just completely fail is when you come to controlling and trading risk, because you can’t monitor actually what’s happening with the underlying control and treatment, okay. And also if you are looking at adding risk indicators in, there is no way an Excel spreadsheet can get that information. So I have seen lots of organisations that have all the good intention of doing risk management, they put everything up on the Excel spreadsheet, they work very hard, then they all just run out of puff and they end up with an Excel spreadsheet that’s about four years out of date and they all try to do the right thing but it just fails, okay. So GRC software really brings it all together, there’s a lot of data, it’s really simple, it’s not very expensive and it’s just a basic necessity.
Interviewer: What should a risk manager look for when selecting GRC software?
James Field: Okay, so when you’re looking at GRC software, probably the first thing is to make sure that there is a very clear link between risk, compliance and incident reporting. So those, so you can link a risk across to a compliance obligation. You can link a, you can capture an incident whether it be a complaint or whether it be a workplace health and safety incident. You can link it across again to the risk, that’s all important because you can get the reporting outcomes. The second thing that I think you need to look for is customisation, because what you can’t have is, you can’t have the GRC software driving the business’s enterprise risk program in the first place. And I have seen that happen on a lot of occasions.
So organisations have an idea of what they want to do, they buy the software, the software has certain fields and they start filling in the fields because they actually just think I’d better do that just to make it work. So you’ve got to go the other way around. The software has got to be flexible, you have got to be able to customise fields, you have got to be able to change language if you want. So you can actually design the system, and the software is just an enabler to get you where you want to be. That’s absolutely critical. And I must say a lot of systems don’t do that. So you have got to look for that. Another key area is reporting, it’s got to be ease of reporting, avoid those systems that have lots, hundreds of proforma reports that you can’t get through, you have got to be able to customise reports to individual views, it’s got to be very simple to use and I suppose that’s the last part. If it’s difficult to use, no one is going to use it. So you have actually got to make sure the software itself is easy to use, quite frankly at an executive level.
So the executive can just walk back to their desk, they can get a risk, and go and plug it in, they can write it, they can link it to a control, they don’t need to go to a technical person to go and get all of that done. As soon as you get that nexus, where you’ve got the technical person, the whole thing starts to fall over again.
Interviewer: Many organisations consider risk management as part of their compliance strategy. What problems has that created?
James Field: The essence of this is really a bit of the history of risk management, where it’s come up from. It started off in various silos. So in Australia for example, workplace health and safety has always been built on risk, then you brought in the Australian financial services licensing, then the ASA exporting their governance principles and then that’s followed by IMLCTF money laundering, credit and now a lot of the not for profit areas are doing it. So when that comes in, it hasn’t been enterprise risk management per se, but each of these organisations has had to deal with risk management in the silo that they have been given and quite often they never crack out of that. So basically what they do is make sure they comply with the obligation they have as either a financial services organisation or whatever, and they never change the mindset into enterprise risk.
So enterprise risk is another level up. I think the problem is that if you are just complying there, with basic risk management principles, it’s not really adding any value to the organisation, and what I mean by that is, you know, the Directors and Executive team look at the risk register, it really doesn’t mean anything to them, doesn’t add any value. ERM is all about moving it up to the next level, making sure that the risk information is highly relevant, it’s based, it’s used for decision making within the organisation. When you can get to that stage of risk maturity, then you are starting to get positive return on investment from the process, as opposed to the whole thing being a compliance black hole.