My posts for this month (May 2019) have focused on results from the 2019 State of Risk Oversight report from NC State.
Each of these posts (see here and here) not only reported survey results but also included additional commentary based on my experience. Up to this point, I had no reason to challenge anything in the report.
However, the last section entitled “Addressing Barriers to Enhanced Risk Oversight” caught my attention.
Despite progress on the identification, assessment, and management of risks on a macro level, very few organizations consider their ERM processes to be “mature” or “robust.” Participants were asked what was preventing them from implementing ERM in a more formal, systematic way.
The following table from the report is a summary what respondents described as a “barrier” or “significant barrier.”
As you can see, organizations claim competing priorities, insufficient resources, and lack of perceived value as the top three barriers to implementing ERM. According to the report, the order of these barriers is consistent with years past and the proportion of organizations claiming these as barriers are pretty uniform across all respondent categories (…except for nonprofits).
Each of these top three barriers are really circular in nature…
Although the report lists these barriers as distinct reasons preventing the implementation of ERM, they are in fact closely related and “circular.”
If there is a lack of perceived value, other priorities in the organization will take precedent over ERM, and executives will not provide sufficient resources for developing processes for identifying risks and opportunities to strategic objectives.
If there are insufficient resources to implement ERM, executives will not see the value and therefore prioritize other initiatives over ERM.
I agree that competing priorities, which is the #1 barrier, is the logical starting place of this cycle and leads to insufficient resources and lack of perceived value respectively.
I will also argue that the lack of resources barrier can be overcome. Most sources you come across about implementing ERM talk about the “full-blown” version with a formal governance structure, a dedicated team, a formalized process, and more. But it is possible to have ERM on a budget because these things are not a requirement for many organizations. It is quite possible to realize the value of ERM without spending a ton of money.
In the end, the biggest barrier to implementing ERM is the will to get started…
While I do appreciate the observations of the State of Risk Oversight report and find it valuable in understanding the current state of ERM, I must respectfully disagree with what organizations are saying are their barriers to implementing ERM.
For starters, these results don’t match results from a survey sent to my readers a few months ago where a majority of respondents explained that leadership tone at the top and executive buy-in (or lack thereof) were their biggest challenge and frustration to implementing ERM.
Let’s consider an analogy that many of us struggle with personally ─ eating healthy and working out ─ to dig deeper into this issue.
We all want the benefits of a good diet and regular exercise, but when the rubber meets the road, many of us cast it aside, saying we can’t make time for it or don’t have enough money. There’s no magic to it – you just have to commit to taking the time to prepare healthy meals and doing physical activity, be it at a gym or wherever.
Sound familiar? The excuses always come down to resources and priorities.
The same is true for ERM in my opinion, which is one tool for enhancing the management of an organization.
It can be a hard sell to management for a variety of reasons, with the top three being:
1. It can be difficult to have hard numbers to show management how ERM will help the organization achieve its goals.
The fact is executives’ number one focus is achieving the goals they and the Board have established for the organization. Therefore, justifications for ERM must be made specific to them, and not a blanket statements such as “…ERM is a tool for identifying risks and opportunities to achieving strategic objectives.”
2. ERM is not like project management where organizations have a standard guide in the form of the Project Management Book of Knowledge (PMBOK) to refer to.
While there are standards like ISO 31000 and COSO that provide general guidance on the elements of ERM, having a standard guide for ERM just isn’t possible for a variety of reasons, including organization culture, needs, executive personalities and more.
3. ERM has an incremental ramp up, making it difficult to point to a big value-add event and say, “this would or wouldn’t have happened without ERM.”
Unlike project management or other standardized management tools where things can be put in place pretty quickly, it is impossible to have all of the elements of an effective ERM program in place within 3 months, 6 months, or even a year.
Like exercise and eating healthy, you don’t see results by doing it for a week then quitting. But if you stick with it over time, you will start noticing a change in your appearance, how you feel, and more.
Are you struggling to prove the value of ERM to your leadership?
Do your executives want the benefits of ERM without taking the steps they need to?
I’m interested to hear your thoughts on what you think are barriers to implementing ERM. Feel free to leave a comment below or join the conversation on LinkedIn.
And if you are struggling to develop a case for why your organization should develop an ERM process to identify risks and opportunities to strategic objectives, contact me to discuss your specific situation today!