The Risk Pyramid
3 Jul 2017
SOLUXR™ believes that Enterprise Risk Management ("ERM") will remain locked in organisational silos until Boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a Risk Appetite Framework ("RAF"). Understanding of risk appetite is, in our view, very much a work in progress for many organisations, but RAF development and approval can lead Boards to demand action from executives.
How are organisations using risk limits and risk tolerances around those limits?
Our experience in working with clients shows that organisations are continuing to struggle with basic risk concepts, definitions, language, responsibilities, reporting and delivery. Accordingly, while risk limits are set to contain risk-taking practices, the lack of a common language and the loose interpretation of concepts are causing confusion within organisations and leading to limits being seen as negotiable within the context of risk tolerances. As a corporate discipline, Risk Management is in its infancy, and the quality of risk practitioners is generally poor. Risk limits are perceived negatively by business practitioners, who use their limited knowledge of risk tolerances to argue for greater flexibility in applying limits.
How do organisations facilitate early warning of potential breaches of risk appetite?
In practice, we find that there is limited facilitation. Rather, business people see the concept of risk as limiting practices that drive value and, thus, adopt the business school mantra of “seeking forgiveness rather than permission.” This is made easier in organisations where risk is seen as a nuisance and impediment to business, and where appreciation of quality Risk Management is not apparent at senior levels.
Business generators tend to view risk as friendly and flexible, designed to support business generation. Thus, risk limits are treated like speed limits on the public highway, more for observation than observance. Accordingly, we find few cases where early warnings are seen as anything other than flashing lights on the dashboard. In many cases, early warnings result in cases being presented to the risk committee for raising limits, rather than resulting in severe braking to ensure conformity in Risk Management.
Much of the foregoing represents the cultural challenge of embedding risk as a serious discipline rather than a faux science treated as an add-on. This reflects the nascent nature of Risk Management and its failure to be seen at Board level as front and central to strategy and its effective and safe execution. Culture and “tone from the top” are critical here. So is strong support for risk executives at senior management level and an appreciation that Risk Management is akin to the medical profession, where hygiene is embedded in all procedures and provides a safe and secure means of conducting business, rather than being an impediment. The absence of good-quality risk officers and of universally accepted definitions of risk also undermines the discipline in organisations where there are few effective sanctions against limits being broken.
Ernst & Young Risk Pyramid
Peadar Duffy - Founder of SOLUXR™