Contemporary Enterprise-Wide Risk Management Frameworks: A Comparative Analysis in a Strategic Perspective

Per Henriksen and Thomas Uhlenfeldt

Summary:

Many risk management frameworks claim to be holistic and ‘enterprise-wide’.  Henriksen and Uhlenfeldt argue that for a risk management framework to be truly holistic and strategic, it must address the strategy creation process and not just the strategy implementation arena.  It is in the area of strategy process where many strategic risks are created. Hence, an enterprise-wide risk management system that does not lend itself to be used in the strategy creation process falls short of the mark. 

The authors investigate 4 ERM frameworks that claim to be holistic: DeLoach EWRM, COSO ERM, FERMA (a precursor to the current IRM Risk Management Standard), and AS/NZS 4360:2004.  Their study reveals that while these frameworks claim to be applicable at the strategic level, they fall short of providing actionable guidance on how risk management can be performed concurrently with the strategic processes.

A key weakness lies in the frameworks’ treatment of consolidating, prioritizing, and communicating key risks.  The very point of ERM is to consolidate the key risks faced by the organisation so that it can allocate scarce resources most effectively. The frameworks provide little, if any, guidance on how this consolidation, prioritisation, and organisational communication can be done.

The frameworks also acknowledge that risks can result in positive opportunities for the organisation but provide little guidance on how to take advantage of this.  Since the frameworks are not integrated with the strategy creation process - where the biggest opportunities to identify and seize opportunities exists - the frameworks’ take on positive risks are not that helpful.  The authors recognise that in the real world, preventing losses is the focus of management and identifying opportunities is generally the remit of strategy. 

Hence, while risk management in theory helps in identification and grabbing of opportunities, this is seldom done in practice.  The orientation of the frameworks in the process steps is still heavily slanted toward negative risks.

The frameworks add some value in that they pave the way for common risk language and processes across an organisation.

7 Deadly Sins – Illusory Correlation

Or ‘magical thinking’ as Massimo Piattelli-Palmarini calls it.  This is about making positive correlations even though the supporting data is weak.  Sometimes we notice only data that supports our hypothesis and ignore data that doesn’t.

An example of magical thinking goes like this. We come across a few people who exhibit a certain symptom and also a certain illness, and we associate that symptom with the illness, such that if we see that symptom, then we decide that the illness is also present.

You see someone with red spots, and you diagnose measles.

We forget that sometimes the same symptom appears for a different illnes.  Or the illness is present without that symptom.

7 Deadly Sins – Overconfidence

Massimo Piatelli-Palmarini writes in his deliciously written book “Inevitable Illusions” about the 7 deadly sins of our cognitive illusions.

His first sin is overconfidence. This is where we feel certain about our knowledge of something, but our knowledge does not really warrant such confidence.

He describes experiments where subjects are asked to answer questions and then rate how confident they are about each answer.  Experiments show that our confidence leads our knowledge.

We think we know something more than we really know.

The results of the experiments also bring about something sobering: we are most overconfident in areas we are more knowledgeable about.  That is, the difference between the level of our overconfidence and knowledge in these areas is bigger than the difference between our level of overconfidence and knowledge in other areas - hence we tend to make mistakes of overconfidence in our areas of expertise.