Per Henriksen and Thomas Uhlenfeldt
Summary:
Many risk management frameworks claim to be holistic and ‘enterprise-wide’. Henriksen and Uhlenfeldt argue that for a risk management framework to be truly holistic and strategic, it must address the strategy creation process and not just the strategy implementation arena. It is in the area of strategy process where many strategic risks are created. Hence, an enterprise-wide risk management system that does not lend itself to be used in the strategy creation process falls short of the mark.
The authors investigate 4 ERM frameworks that claim to be holistic: DeLoach EWRM, COSO ERM, FERMA (a precursor to the current IRM Risk Management Standard), and AS/NZS 4360:2004. Their study reveals that while these frameworks claim to be applicable at the strategic level, they fall short of providing actionable guidance on how risk management can be performed concurrently with the strategic processes.
A key weakness lies in the frameworks’ treatment of consolidating, prioritizing, and communicating key risks. The very point of ERM is to consolidate the key risks faced by the organisation so that it can allocate scarce resources most effectively. The frameworks provide little, if any, guidance on how this consolidation, prioritisation, and organisational communication can be done.
The frameworks also acknowledge that risks can result in positive opportunities for the organisation but provide little guidance on how to take advantage of this. Since the frameworks are not integrated with the strategy creation process - where the biggest opportunities to identify and seize opportunities exists - the frameworks’ take on positive risks are not that helpful. The authors recognise that in the real world, preventing losses is the focus of management and identifying opportunities is generally the remit of strategy.
Hence, while risk management in theory helps in identification and grabbing of opportunities, this is seldom done in practice. The orientation of the frameworks in the process steps is still heavily slanted toward negative risks.
The frameworks add some value in that they pave the way for common risk language and processes across an organisation.
No comments:
Post a Comment