The Fallacy of Managing Big Risks: Why Enterprise Risk Management (ERM) Often Fails to Deliver to Boards and What to Do About It

This article was originally published in RegTech Insight. By Andrew Smart.

Anyone who has served on the executive team or board of a regulated capital markets firm will have at least a passing familiarity with Enterprise Risk Management (ERM). Many have probably experienced it first hand, perhaps sitting through a presentation of the firm’s latest ‘Top 20’ risks. The usual suspects will likely have included market, credit, liquidity, counterparty, technology, cyber, third party / outsource, people, and conduct risk.

Enterprise Risk Management is a holistic, integrated, portfolio approach to risk management that focuses on consistently managing risks, regardless of type across the enterprise. The purpose of Enterprise Risk Management is to improve the firms’ ability to deliver its objectives and sustainably create shareholder value. One of the key outputs from the ERM process is an integrated view of the firm’s overall risk profile and how it is changing overtime. Risk exposures are typically consolidated through a risk taxonomy or hierarchy, thus enabling the reporting of ‘the big risks’. (Figure 1)

Figure 1 – Typical view of risk management 

An often-overlooked benefit of ERM is its use as a framework to understand the relationships and interactions between risk types as well as individual risks within these categories. Viewing risks through an ERM lens also highlights how individual risks rarely fit within a single risk type, as shown in figure 2.

The real value of ERM is the generation of insights that are not possible to uncover within the traditional risk type silos. These insights are the drivers behind better risk management and business decision-making.

Figure 2 – Understanding the relationships and interactions within risk types

Therefore, ERM delivers two core capabilities:

1. The ability to consolidate risk exposures through risk types to provide a holistic, enterprise view of risk
2. The ability to understand the relationships and interactions between risk types and individual risks to generate powerful insights that support better-informed business decision-making

Firms that leverage ERM platforms often focus on the first of these core capabilities, i.e. ‘the big risks’, leading them to miss out on the benefits that can be derived from the holistic view of relationships between different risks.

Typically, this means that for many executive teams and boards the implementation of an ERM approach results in a series of colour-coded dashboards which identify their ‘big risks’, but fail to provide an in-depth analysis to enable them to ask the right questions, challenge the right topics and drive the right conversations for better strategic and operational decisions.

Too often, those risk dashboards present the consolidated and aggregated risk exposure for the ‘Top 20’ risks types as defined at one point in time and have since been reported on each month or quarter, failing to take the rapid evolution of the risk landscape into account. Insights into the firm’s real risk profile, including the dynamic interaction between risks and the possible emergence of future risks or control weaknesses, therefore get lost within these consolidated and aggregated risk exposures. Whilst providing a consolidated view is of some value, it rarely provides actionable insight, leading to ERM fatigue on the executive and board level.

To drive board engagement in the ERM process and deliver powerful business insights, firms need to ensure that their ERM processes and systems deliver on both core capabilities. By understanding these relationships between risks, firms can drive a more engaging conversation with their boards, generating more insightful analysis and efficient reporting.

The fallacy of ERM is that it is about managing the ‘big risks’; in fact, this is, or should be, just one part of an ERM programme.

An ERM programme should deliver two core capabilities:

1. The ability to consolidate risk exposures through risk types to provide a holistic, enterprise view of risk
2. The ability to understand the relationships and interactions between risk types and individual risks to generate powerful insights that support better-informed business decision-making

Importantly, when implementing an ERM programme, firms should never lose sight of its real purpose – to enhance the firms’ ability to deliver its objectives and create sustainable shareholder value.

Start typing and press Enter to search

I'm interested in the Enterprise Risk Cockpit
I'd like to purchase a business licence for the Enterprise Risk Cockpit.
I'm interested in the Enterprise Risk Cockpit
I'd like to purchase enterprise licences for the Enterprise Risk Cockpit.

Bitnami