- Inadequate board skills and inability of board members to exercise control
- Blindness to inherent risks, such as risks to the business model or reputation
- Inadequate leadership on ethics and culture
- Defective internal communication and information flow
- Organizational complexity and change
- Inappropriate incentives, both implicit and explicit
- ‘Glass Ceiling’ effects that prevent risk managers from addressing risks emanating from top echelons
- The top cause – inadequacy in the boardroom – is beyond the scope of any risk manager.
- The issue the traditional risk manager addresses – insurable risks – played a small role.
On the latter, he writes:
This is a problem for their ideas of expanding from their current roles managing insurance programs to managing ERM programs.
ERM in most firms has not embraced the idea of managing Strategic Business Risk. That is natural because CEOs usually see that as their personal jobs. Not likely to be delegated to a risk manager.
So ERM will usually be defined as managing ALL of the risks of the firm except the Strategic Risks.
- This survey also indicates that risk managers have done a good job at their traditional task. And that’s no small achievement. Go back a century, and I suspect companies were far more susceptible to fire and theft losses than they are today.
- CROs and other risk managers need to assure CEOs that their role does not usurp that of their boss. Their job is not to make decisions. They are collecting information and providing tools that help the CEO make decisions.
It’s analogous to how property/casualty companies decide how much to book for losses. Actuaries estimate how much needs to be booked. They explain their results to the CEO. But it is the best estimate of management that gets booked, not the actuarial estimate.
Certainly the CEO needs to know what his/her trained expert on reserving thinks. That’s why the expert got hired. Ultimately, though, the decision rests with the boss, as it should.
Bringing it back to ERM, the CRO presents a situation on some risk. He or she has collected disparate information and synthesized it, to let the boss focus on the decision, not the process of collecting the information. This makes the CEO more efficient.
The challenge is assuring the CEO and the board that the risk management role doesn’t usurp their roles. It enhances them, the way a whetstone sharpens a knife.