Tuesday, January 5, 2010

ERM Exam – Part 1 of 4

by Rick Nason, PhD, CFA
Partner RSD Solutions Inc.


Introduction

I teach a course in Enterprise Risk Management (ERM) in the MBA program at Dalhousie University in Halifax Canada. Although I am a big fan of ERM, I also believe that it is a bit of a weird course to teach at a Business School.

The reasons why I think that ERM is a bit of an out-of-place course in an MBA program are many. To begin, ERM as a subject area is really quite trivial and probably not worthy of a Masters Level degree (of course that same criticism could be leveled against 90% of a typical MBA curriculum). While there are many aspects and techniques to learn about ERM, each one of them is quite trivial, or based on obvious common sense (yes – I know that there is nothing common about common sense!) What is NOT trivial about ERM are the implementation issues. Implementing ERM is hard and requires great creativity, business insight and a PORTFOLIO of skills and techniques that few mangers or management teams possess. The difficulty of teaching ERM to MBA students is that while they may have a learned a diverse portfolio of techniques, that is a far cry from having a portfolio of SKILLS and also a far cry from having sufficient business insight.

A second issue that arises when teaching ERM in the context of an MBA program is the issue of whether or not ERM is a separate subject from strategy. In a way it is analogous to the humorous Shreddies commercial when they talk about the “new” diagonal shaped Shreddies as opposed to the “old” square shaped Shreddies. In a lot of ways ERM class looks like a business strategy class. Perhaps that is not a bad thing as it reflects my bias that ERM should be critically tied to and inseparable from the strategy function within a firm.

A third issue is that ERM is still a young field academically. That is, there is not a lot of academic research of note that has produced testable theories about good and bad practices of ERM. Perhaps that is just as well, as I am not sure that business academic research is all that valuable. (How much time do you think practitioners spend reading and digesting academic business journals?)

A final issue (there are many more, but I want to get to the real purpose of this blog) is that ERM studies do not have a natural home within the traditional silos of business schools. Is ERM a quantitative subject or a qualitative subject? Is ERM Finance, Statistics, Operations, Strategy, Organizational Behaviour, Accounting, or some other field? In my mind, ERM has components of all of the above. This bias of mine about ERM was the basis of my earlier comment that ERM requires a portfolio of skills and techniques. However, business schools, in their striving for academic respectability are taking specialization to the extremes. This of course implies that there simply is no time – nor is there any respect - for any subject matter that is not “pure” in an academic sense.

Despite all of these shortcomings, I – in my stupidity and naïveté – attempt to teach ERM to MBA students. To make up for the shortcomings I try to teach it as much as possible as a seminar class. That is, students are given a weekly set of readings, as well as an open ended set of questions or issues, and then we discuss the questions and issues in the following class. The class is taught by the Socratic method, and I attempt to get as much debate as possible generated. Students are challenged to be creative, and perhaps most importantly to peel back the “layers of the onion” to see the issues behind the issues and the issues behind implementation. As stated earlier, my belief is that ERM as a subject (taken at its face level) is trivial. It is only when you think about the consequences of techniques and the implementation issues that it becomes interesting and a challenge.

Thus we get to the purpose of this blog – namely, how should I structure an exam for this class? In this, and the following three blogs I am going to put forth my exam questions, and why I asked each exam question. I welcome reader’s comments and thoughts on my questions. Each of the questions has been designed with my biases (as stated above) in mind. In the very first meeting with the students I outline my biases and give them plenty of time to find a “real” class that they can take in place of ERM for the semester. For some strange reason most of the students do not drop the class. (I wish they would – it would mean less marking for me.)

In any case, I hope you enjoy this set of blogs – and I truly would like to hear not only your comments about my questions, but also what you might suggest as answers.


Question 1: ERM has created a lot of excitement, but very few successful examples. Explain why you believe ERM has so few successful implementations.

After reading the introduction, you will immediately understand why I might start off with this question. ERM is not about techniques, diagrams or frameworks. ERM is about implementation. The tools, techniques and frameworks are easy to understand. They are as intuitive to understand as that of a parent’s love for their child. However, how to best love and care for a child is anything but trivial – just wait until you get teenagers and you will understand my point!

I believe that books could be written about why ERM succeeds so rarely. One reason in particular sticks out with me. That reason is that most companies that embark on an ERM initiative have no idea what successful implementation looks like from the get go. In other words, very few companies that start an ERM program can finish this sentence – “This ERM initiative will be successful if …” If you do not know what success looks like, then how will you know when you get there?

A second reason is that ERM is usually not tied sufficiently into the strategy of the business. ERM should be a value-added enabler of the strategy. The setting of the strategy should also be done in conjunction with the ERM capabilities. If the strategy cannot be successfully risk managed, then I would argue it is not a good strategy. Thus strategy cannot be set independent of the ERM capabilities, and likewise ERM cannot be done independent of strategy.

A third reason is that ERM is advanced as either a qualitative area (heavy on the HR) or a quantitative area (heavy on the metrics). In my opinion, both elements are critically necessary for ERM. Implementing ERM without a qualitative element AND a quantitative element is like trying to play ice hockey with either a stick or skates but not both.

A fourth reason is that ERM is tough! Easy to state and understand, but tough to implement! It requires brains, knowledge, creativity, flexibility, quantitative skills, qualitative skills, intuition, business knowledge, business insight and tenacity to implement. It requires the modern day equivalent of a business renaissance-man to implement – and those renaissance men and women are hard to find. Business (and business schools are largely to blame for this) has become a field of specialists, not generalists. Generalists tend to be low level staff, and for ERM you need a mix of people who can at least think like high level staff.

A fifth reason is that the ERM function is often seen as the “Department of No!”, when it should be the “Department of We Will Figure Out How to Do This Prudently”. ERM as the “Department of No!” creates several problems. To begin with, competent managers do not want to be associated with a career killing “Department of No!” assignment, and thus the ERM team frequently winds up being the “Department of People No Other Department Wants”. Hard to recruit good people for that team! Furthermore the “Department of No!” does not exactly increase morale anywhere within the organization.

There are a variety of other reasons why there are so few successful examples of ERM implantation. Some of these reasons are:
  • insufficient resources being given to the department
  • insufficient commitment by senior management and the Board
  • ERM implementation is seen as “risk – washing “. (Think green-washing and its implications and reputation.)
  • insufficient training
  • inability of an organization to look upon itself from the outside to see the real issues
  • the pitiful frameworks implemented by the most junior associates at the major bulge bracket accounting firms that now call themselves consulting firms (was that too harsh of a statement on my part?)
  • inaccurate expectations as to the time necessary to successfully implement ERM (BTW – the time necessary for successful implementation is about 30% of the time stated by the bulge bracket accounting firms that now call themselves consulting firms)
  • inaccurate expectations about what an ERM implementation can and can not do for the organization
What are the reasons that you have seen? Let me know – I need some answers myself. Part 2 of this blog will contain the second question of the exam.

3 comments:

power of si said...

inability to recognize interplay of risks. The "big one" can and is often missed because interrelation of risk is ignored. Risks do not occur and cannot be measured in a vacuum. when the big one is missed, skepticism flows across organizations and industry.

Trevor Levine (Riskczar) said...

As noted in earlier comments to your previous post, too often the mandate for ERM is owned by the Finance department or a CFO. Anecdotally, I submit that an accounting professional in this role will presume that ERM can only be performed by another accounting professional. And while CAs or CPAs may have performed risk (self-) assessments, this does not qualify them to implement an ERM program from cradle to grave.

Second, an ERM implementation is fundamentally a project. Once the risks have been identified and assessed, the on going follow up of tasks and actions plans is where the real value is generated. To do this successfully, an individual must be schooled in managing projects. This involves contacting risk owners or action owners requesting status updates, conducting meetings, etc. This work is not for the meek or those intimidate by VPs or other senior leaders need not apply.

Third, ERM is actually a change management exercise with risk management thrown in. You cannot identify and assess risks and then think you have ERM. In fact, when this is all you have done, you have nothing at all and where most engagements end. The change part requires different skills than those commonly found in professional accountant and project managers; but the skills are more likely to be found in the latter than the former. To be successful here, one needs to know how to deliver presentations, facilitate workshops, deliver training, etc.

With respect to teaching ERM course, anyone can learn ERM theory by reading ISO 31000 but teaching the change management piece is the hard part. (When I think back on the strategy courses I took at Ivey, we discussed cases and had a strategy framework, but like ERM, we kind of stopped at the implementation part too.)

So why does ERM fail? Probably because people who don’t fully understand ERM are hiring the wrong people with the wrong skills to do it. Additionally, since ERM is any organization’s third priority, he never really gets the attention it really deserves and never gets completed.

Anonymous said...

There's a movement to radically change California government, by getting rid of career politicians and chopping their salaries in half. A group known as Citizens for California Reform wants to make the California legislature a part time time job, just like it was until 1966.


www.onlineuniversalwork.com