Corporate Compliance Insights
ERM is Dead! Long Live ERM!

by Peadar Duffy
July 16, 2018
in Featured, GRC Vendor News, Internal Audit, Risk
Driving Change to Improve Resilience and Agility

Enterprise risk management (ERM) is a framework organizations use to manage risks and seize opportunities related to the achievement of their objectives. Increasingly, upper-level management fails to engage with ERM properly, which leads to missed opportunities and lost revenue. Read on to find out what entrepreneur Peadar Duffy has to say about ERM and its business implications.

ERM is Dead!

I spent a couple of hours recently talking with the senior independent director (SID) of a major FTSE-listed company. He opined that in his experience, risk management consistently fails to deliver value. It is led by people who are more administrators than leaders, and more bureaucrats than doers. The SID in question has himself been a spectacularly successful CXO in a number of significant organizations.

Around the same time, another senior executive with impressive credentials remarked that in his experience, “risk has been done to him” by folk in risk management. He speaks of the parallel universes of the operational front lines, risk support and audit. Whereas the theory and rationale (three lines of defense) is sound, the method of execution is often suboptimal and sometimes even counterproductive.

I am sympathetic to these perspectives, as I think that whilst harsh, they are representative of generally held opinions of many in both front-line decision-making and strategic leadership positions.

The accounting and internal audit professions are alert to these and other emerging issues, as is evidenced in:

  • IFAC’s seminal paper, From Bolt-on to Built-in, which describes how “effective management of risk helps organizations achieve their objectives, while complying with legal, regulatory and societal expectations, and enables them to better respond and adapt to surprises and disruptions … and positions the management of risk as an indispensable and integral part of decision-making and subsequent execution in order for boards and management to ensure their organization makes the best decisions and achieves its objectives.”
    The paper also “a) demonstrates the benefits of properly integrating the management of risk, including internal control, into the governance, management and operations of an organization; b) provides ideas and suggestions on how such integration can be achieved; and c) furnishes practical examples of how professional accountants in business can support their organizations with this integration.”
  • Internal Auditing Poised for the Future: Global Outlook by IIA CEO Richard Chambers, wherein Chambers outlines how the profession is responding to the changing and increasing expectations of stakeholders. This presentation, and others like it, follow some poor results on stakeholder satisfaction with IA contribution to enterprise value creation.
    Moves to reposition risk management from its (de facto) traditional, task-oriented focus to a more enlightened strategy-setting role are also apparent in:
  • COSO Enterprise Risk Management: Integrating with Strategy and Performance, June 2017. The essential message here is … risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy… However, the risk to the chosen strategy is only one aspect to consider… as the COSO Framework emphasizes, there are two additional aspects to enterprise risk management that can have far greater effect on an entity’s value: the possibility of the strategy not aligning and the implications from the strategy chosen. The first of these, the possibility of the strategy not aligning with an organization’s mission, vision and core values, is central to decisions that underlie strategy selection.
    The implicit call to action here is that CROs must ensure that they are in the room and actively influencing strategy selection before it is delivered as a foregone conclusion to the enterprise at large.
  • ISO 31000:2018 (Risk Management), which emphasizes the immutable fact that risk management is essentially about the quality of thinking, discussion and decision-making when addressing uncertainties affecting the achievement of objectives. Whereas nothing profoundly new emerged with this revision, the simple restatement of the fundamentals should remind business leaders and risk practitioners that they should stick to fundamental principles, framework and approach when evaluating pros and cons as they advance, and strive to achieve, new objectives in our uncertain world.

Fast forward a couple of months from my two encounters above to a recent meeting of a risk management “innovation” group of which I am a member. At that meeting, a colleague shared what she had heard at a Top 4 Accountancy risk briefing that enterprise risk management (ERM), having failed, is now being replaced by “integrated risk management (IRM).”

ERM being replaced by IRM was lauded as breakthrough and the next big thing!

I first came across this notion a few months ago when I read a (GRC technology) rating report promoting the same philosophy and thought to myself, “what else would you expect” from a firm which independently rates GRC technologies in return for significant annual subscriptions?

It also occurs to me that most GRC platforms are sold on the back of massive compliance drivers to the extent that the “C” is the proverbial foghorn and the “R” has become much louder since the global financial crisis, but the “G” is virtually silent!

What does G sound like?

Governance discussions and decisions are fundamentally about:

  • The purpose, stakeholders, vision and values of the organization (i.e., value definition* and the things that influence the direction that is set for the organization over time),
  • Internationally accepted corporate governance principles and protocols now common in most of the international codes and guidelines (i.e., the high-level control frameworks that ultimately permeate throughout the organization),
  • Those operational imperatives required to fulfill purpose, realize vision and ensure corporate values are “built in and manifest” in day-to-day decision-making behaviors (i.e., value creation* and delivery* vis-à-vis the intricate play of resources and maneuvers required to stay in the game and outperform the competition),
  • Long-term financial sustainability and viability in a manner which adheres to ESG/CSR principles much sought after these days by most of the Tier 1 investment institutions (i.e., value capture* vis-à-vis the steady flow of returns for all stakeholders over the longer term).

* CGMA Business Model Framework (Note: final version due for publication end of May 2018)

Whereas “Risk and the Management of Risk” is today a standing board agenda item and exists in board subcommittee terms of reference, the reality is that most CROs rarely, if ever, participate directly (as distinct from report into) board subcommittees other than audit and/or risk.

Similarly, most CROs rarely, if ever, attend the annual/biannual strategy away days where the grown-up discussions take place and decisions are made.

Exceptions to this rule do exist, but they are in the minority, particularly across nonfinancial industry sectors.

This big and basic reality goes some way to explaining why most GRC platforms/solutions are sold into compliance and internal audit and almost never directly into “parent company” CXOs.

(Note: Over the past 18 months, I have noticed one GRC platform provider advocate fourth-generation GRC (first-generation was Excel, etc.) with a business case that switched emphasis from compliance to enhanced business performance. This is good news, but most GRC vendors are still painfully slow in getting on the train, which is already pulling out of the station.)

No wonder, therefore, that:

  • GRC rating firms see no evidence of much other than integrated risk and compliance and thus talk of integrated risk management (IRM), and
  • Top four firms (which should know better) follow the vendor line as a pull-through for their risk assurance engagements, apparently content that the G in GRC remains silent… save for where strategy engagements are separately sold in by more heavyweight consultants.

And so the game continues!

There is clearly a fire-break between the CXO and front-line business discussions and decision-making, where business language (business model, strategy formulation, execution, capital allocation, operations, revenue growth and assurance, margins management, KPIs, etc.) is spoken, and the second line, where risk administrators talk in the technical risk language of risk identification, analysis, evaluation, KRIs, treatment, etc.

Long Live ERM!

The world (ISO and COSO) has agreed what good risk management looks like. The “what” is universally accepted, but the “how” is proving to be elusive – more hit and miss.

What does the “how” look like?

First, there are three things we need to understand:

  1. The days of Excel, Word, PowerPoint and disparate GRC deployments are well and truly over,
  2. The commercialization of affordable machine learning technologies (AI is still too loose a term, and in any event is not the correct term in this “particular” context) means that you can now run queries across strategic data sets derived from “human sensors” (i.e., your front-line decision-makers) in real time. (I explain what I mean by this in an earlier article, “New Paradigm Corporate Governance: Fink’s Big Ask and Distributed Decision Making using Machine Learning.”)
  3. To unleash the power of machine learning in ERM you just need to know:
     • What (business) questions to ask … if you can’t converse in the language of “real risk managers” (i.e., front-line P&L owners and operational decision-makers), your days are numbered! Risk jargon is for risk technocrats, not mainstream folk!
     • How to interrogate the answers … vis-à-vis (1) first-level interrogation of patterns gleaned from “algorithmic analysis” of large data sets derived from operational front-line decision-makers’ answers to questions; (2) second-level interrogation of outliers; (3) third-level interrogation of drill-down reports segmented by topic analysis.
     • How to join the dots (information and structured corporate knowledge gleaned from decision-makers across your distributed organization) and paint the picture (so to speak) of what might be around the corner, such that you can best anticipate, prepare, respond and exploit opportunities – or, conversely, preserve value.

The “how,” therefore, is technology-enabled risk management expertise augmentation and automation.

Because we know “what” good risk management looks like, we know what questions to ask (risk identification), how to interrogate the answers (risk analysis) and how to anticipate/prepare/respond (risk treatment).

On this basis, “evidence-based” risk management can be operationalized (real-time performance monitoring, situational awareness and communications) in a manner that drives data to information, at speed, and information to structured corporate knowledge, thus:

  1. Insights … into what’s really going on across your operational and front-line decision-making populations,
  2. Foresight … into what your own decision-makers see coming around the corner,
  3. Board Oversight … in the form of “evidence” that risk management policies (i.e., risk appetite, risk culture, ESG/CSR, etc.) are influencing day-to-day decision-making behaviors across the enterprise.

Use cases today include operationalized insights, foresight and board oversight of:

  1. Strategy: The nonfinancial operational activities today that will underpin strategic/financial performance tomorrow.
  2. Execution: The validity of principal business assumptions from the boardroom to front-line decision-makers.
  3. Capital Allocation: Proof that people have thought things through as they draw down scarce capital.
  4. Disruption: Competitor strengths and weaknesses/emergence of business model disruptors identified before it’s too late.
  5. Culture: “How we do things around here” as distinct from “how we hope/pretend we do things as defined in our corporate values statements.”
  6. ESG/CSR: Conduct of third party suppliers whose behaviors affect our reputation.
  7. Crisis Management: Bouncing back (resilience) and forward (organizational agility) when abnormal and adverse events occur across modern-day complex organizations.

The list is endless …

Conclusion

For ERM to be all that it can be, we need to pivot from traditional, complex, second-line methodologies to easy-to-complete, manageable, high-impact automations absent technical risk jargon.

The design, rooted in the now classical definition of risk (the effect of uncertainty on the achievement of objectives), must precipitate “enterprise-wide optionality in all day-to-day decision-making.”

Optionality, in this context, simply means always designing in more upside than down, and always holding adequate reserves, which can be deployed as and when required to bounce back (resilience) from a shock, or bounce forward (agility), ahead of your less adaptive competitors!

The approach here mirrors a basic military approach to iteratively planning, probing, learning, attacking and re-grouping. It is similar to enterprise agility and consistent with what Nassim Nicholas Taleb advocates in his book, “Antifragile: Things that Gain from Disorder.”

The business case is straightforward: Faster, easier-to-implement ERM at a fraction of the cost of traditional methods!

What do you think?

This piece was originally shared on the SOLUXR site and is republished here with permission.


Tags: COSO, Enterprise Risk Management (ERM), International Organization for Standardization (ISO), Machine Learning

Peadar Duffy

Peadar Duffy is Founder and Director of SOLUXR (An Irish and Latin blended name meaning "to illuminate"), which provides expert automation and augmentation solutions for burning strategic issues facing complex networked/distributed organizations.
© 2025 Corporate Compliance Insights