Here’s one of those articles that would get my goat if I owned a goat.

It’s the typical rah-rah article about how wonderful ERM is and everyone should be doing it. (I am always a proponent of those.) But the fact that it was published at a site called WebCPA should have tipped me off that I was going to be short one goat by the time I was finished.

After the author quotes the requisite parts from the COSO ERM framework – thus illustrating that she can copy and paste from the COSO ERM framework – she recites a lot of the usual fluff about why ERM is so great. But what really sends my goat running is how she tries to make the point that somehow internal auditors are the “meek who shall inherit the ERM,” so to speak.

Accountants, including internal auditors, have been getting by for years with their control self-assessments and opinions. Thanks to a few financial frauds like Enron and WorldCom, the government passed the Sarbanes-Oxley Act and many internal auditors were kept busy for a while; more recently they have had IFRS conversions. I am tired of internal auditors trying to make ERM something for internal auditors to do. What’s more, it muddies the water, making it increasingly difficult for ERM practitioners to communicate that risk management is not the same thing as audit.

In the article, the author suggests ERM is the next great thing for internal auditors. She writes: “Organizations will also look to internal auditors to provide some non-traditional roles, including trainer, educator, and coordinator, or facilitator. As trainers or educators, auditors must understand that ERM is a process or methodology in the identification, assessment and management of risks enterprise-wide. This process provides for a structured and disciplined approach to implementing risk management.”

To that I have to say: stick to your knitting (and auditing).

Perhaps try making internal auditors in charge of human resources or IT? Just please, stay away from risk management and leave ERM implementations to the professionals.

I was just reading the March 2009 Report on the Current State of Enterprise Risk Oversight conducted by the Faculty in the ERM Initiative at North Carolina State University. The complete report can be found here:

It’s filled with lots of stats and can be summed up by this line from the report: “Despite the growing trends towards adopting a more holistic approach to risk oversight, not all organizations are modifying their procedures for identifying, assessing, managing, and communicating risk information to key stakeholders.”

(What are you waiting for!?)

Most people would submit that the Enron and WorldCom frauds led to Sarbanes-Oxley, but sadly, I don’t think people are aware that the 2008-2009 economic crisis was caused by poor risk management oversight. Alas, risk practitioners, soon we will have our day.

One of my favourite books about risk management is Predictable Surprises – The Disasters You Should Have Seen Coming by Max H. Bazerman and Michael D. Watkins. This is not an explicit risk management book, but it is about identifying, assessing and managing your risks, and it is a must read for risk managers.

The authors describe the six shared traits of predictable surprises, which can be found in the events of September 11, 2001 and scandals like Enron.

  1. The leaders knew the problem existed – Three Presidential administrations were aware of the growing threats of terrorism (i.e., they identified the risk), but their likelihood was inaccurately assessed.
  2. There is a failure of response, not a failure of recognition – Even though people know that a problem will not solve itself and is getting worse with every day, they still don’t try to solve it, and so there is inaction.
  3. The future is discounted – If we fix the problem today, we incur significant costs today, while “preventing an ambiguous and merely potential harm” in the future. (An ounce of prevention is worth a pound of cure.)
  4. There is no measurable benefit to avoiding a predictable surprise – Imagine the politician who has to convince the public that spending money now could prevent a disaster later. Maybe.
  5. We like the status quo – It is a natural human tendency to keep things the way they are rather than change; there is no crisis, so let’s keep doing what we always do.
  6. The lobbyists – There is always a small, vocal minority which benefits from inaction and is motivated to “subvert the actions of leaders for their own benefit.” Think about an airline industry trying to meet the Street’s quarterly expectations instead of investing in the safety of passengers.

I think reading a book like this makes us better enterprise risk managers, so check it out.

For a list of other books Riskczar Recommends, please follow this link to