Given the continuing discussion on the new ISO and COSO framework updates, and the lively “Great Debate,” we recently sat down with Michael Yip, Vice President, Risk Management with DFW International Airport to get his thoughts about the new Enterprise Risk Management (ERM) framework updates. With over 20 years of strategic management consulting experience, his frequent speaking engagements and thought leadership on ERM, and his extensive history of domestic and international assignments implementing corporate governance and compliance initiatives dating back to the introduction of first generation COSO and ISO frameworks, he is an ideal choice for this topic.
It quickly became apparent, however, that merely adding to an ever-growing collection of “Which ERM framework is right for you?” articles was not something that he was entirely interested in pursuing. In fact, he found the situation that the industry is still wrestling with frameworks, after all this time, “problematic” as it entirely circumvents the strategic conversation about ERM. So, we had that discussion instead.
Beyond Frameworks: Looking at ERM Strategically
Yip has been a long-time champion of elevating the role of risk management within organizations. He contends that risk management should be held in the same regard as other key business functions such as legal, finance, and the like. As he sees it, ERM involves the true application of enterprise risk, “not just the mechanics” of doing risk assessments.
ERM involves the true application of enterprise risk, not just the mechanics of doing risk assessments… this means treating risk management as a key business function like legal, finance, etc.
To look at ERM strategically, it is necessary to take a wider view and see how it relates to the organization as a whole. ERM can only succeed when it is fully aligned with the organization’s objectives and designed to fit in a specific operational environment. However, according to Yip, this aspect of “fit” within the organizational culture is all too often missing in ERM efforts. This is hardly surprising given that neither framework offers any real direction in how to examine that.
His advice? Look carefully at what your actual organizational drivers are and how ERM directly affects those. “That is the first connection that needs to be made,” Yip says.
The Transactional Trap
The development of an ERM program typically begins with enterprise risk identification and risk assessment activities. That makes sense given the central tenet of ERM is the management of risk. It is far too easy for risk professionals to get stuck here, however, because those easily identifiable tools are, as Yip puts it, “the most tactical, tangible step in the entire ERM philosophy and system.”
Essentially, both frameworks hand the risk manager a hammer and, suddenly, everything looks like a nail. Delivering the risk map or risk assessment becomes the goal and the comfort zone. Yet the executive level remains focused on the strategic plan and direction of the organization. So, there is already a major disconnect. Risk managers are steered towards the low-hanging fruit of documenting low severity, high-frequency events. Meanwhile, according to Yip, “Nobody cares about that at the corporate level.”
Frameworks are pushing towards a comfortable set of tangible deliverables that hold no real value for the executive team. But neither framework helps a manager go out and assess a strategic plan. Without that perspective of what the drivers are that the organization cares about, the effort gets mired in the transactional and never moves past assessments.
The focus on risk assessments is understandable. Given that many risk management professionals come from insurance backgrounds, they take a transactional view and focus on insurable risks and risk transfer. It is an approach that adds little value to the process and fails to rise above the baseline expectations for the role. As he puts it, “That’s what a risk manager is supposed to do.” Necessary, but not sufficient.
Essentially frameworks push towards a familiar set of tangible deliverables that, without careful application of context and goal alignment, hold no real value for the executive team. Even so, neither framework helps a manager go out and, say, assess a strategic plan. Without the perspective of what the drivers are that an organization cares about, the ERM effort typically gets mired in the transactional and never moves past risk assessments.
Escaping the Trap by Focusing on “Now”
Instead of rushing straight into risk assessments, Yip recommends making the first step something more fundamental. “Everything begins with the current state assessment,” he says. In other words, start with what your organization is doing right now.
It is very easy to blindly follow a framework without once considering the current state of your organization. This leads to focusing on completing the individual steps instead of looking at each component and asking, “What part is material to my organization?”
If you rely too heavily on being guided by the framework—not knowing your organization, your organization’s culture and how they embrace risk and opportunity—you’ll come to a fork in the road and some bad decision will be made.
Creating a “risk assessments first” scenario was so commonplace in his ERM consulting engagements that his initial recommendations typically focused on establishing stakeholder engagement. Before conducting the risk assessments, identify the people who will champion this program and understand their motivations. Ultimately, the sustainability and success of this program will depend on their direct engagement and influence.
Next, expand that to an examination of the state of risk management within the organization. It may be difficult to build a solid assessment of this, but it boils down to two fundamental questions: “What are the many ways we capture risk across the organization?” and “How effective are we at it?” The answers to those questions help you gauge the maturity of your risk management organization, which is something else that neither framework helps to do.
“If you rely too heavily on being guided by the framework—not knowing your organization, your organization’s culture and how they embrace risk and opportunity—you’ll come to a fork in the road and some bad decision will be made,” says Yip. That means being forced to pick a path without knowing if it will ever be fully embraced.
Another pitfall Yip often sees is risk managers making ERM overly complicated. To avoid this, he suggests changing the perspective. ERM does not need to be a complex mystery. “No matter what organization you are a part of,” Yip says, “you are already doing some form of it today.”
He offered these typical responses to anyone asking the question, “How are we making business decisions currently?” as proof:
- We identify what the options are
- We analyze choices and decide if one option is beneficial
- We reap benefits (or suffer consequences) from the decision
This simple, familiar process is at the heart of ERM. Conveying that, instead of some X-step process, allows for a much more straightforward conversation: “We are already doing this. I am going to augment it.”
ERM is less a function of risk management and more a function of the organization.
Carried a little further, this allows for a much-simplified presentation of ERM goals that will resonate with the executive team. Our program is “going to provide a system that will holistically gather the data for us, and then we are going to all speak the same terminology, all work towards the same material thresholds, and all go after the organization’s objectives.” Looked at this way, ERM becomes “less a function of risk management and more a function of the organization.”
Translating this into Concrete Steps
Armed with a current state assessment and a simplified definition of ERM, it can still be overwhelming to try and figure out how to get started. It helps to recognize that the objective of this effort is not to simply check off the steps within a framework. Instead, the need is to look at the framework in its entirety and ask, “How can I adopt pieces of that to drive my agenda?”
Risk managers are caught trying to stick too hard and too heavy with a 10-step process instead of customizing it to meet their needs. They need to make it flexible and scalable to their organization based on what their organizational drivers are.
The key is to look at each proposed step and relate it directly back to objectives the executive team is already focused on. Identifying those which most strongly align with organizational targets and goals helps to shortlist the framework elements to those which matter most. Apply the filter of the current state assessment and your organizational culture and ask, “Which one of those elements do you need to do right away?” That converts a potentially complex and sprawling endeavor into a manageable, relevant project. One with results that actually matter.
Following up with the question, “How do I demonstrate that… immediately?” further narrows the focus and ensures that this is a results-focused activity. It also places a priority on generating wins quickly.
This speed creates buy-in, visibility, and sustainability. The executive team couldn’t care less if you completed all ISO or COSO framework steps or not. According to Yip, they only want to know “What impact are you making on the organization?” For instance, aligning initial steps with driving a culture of safety and security, or supporting a six sigma operational excellence initiative, makes it easy for the executive team to absorb ERM goals.
These linkages with objectives are what should drive the entire ERM approach, and that is necessary to avoid the transactional trap. Ask yourself, ultimately, did you drive the bottom line? If instead you remain caught up in moving from step one to step two, “you will never sustain that value proposition.”
Understanding the Limitations of Any Enterprise Risk Framework
He underscored that the use of frameworks can be beneficial. “Frameworks are advantageous for structure.” The structural nature means transactional items are clear and organized. However, they face the same challenge any standardized framework faces, which is that they are an attempt to place a one-size-fits-all model on the real world.
“If every organization was the same, then a standard framework would be perfect,” he says. Different organizations have fundamentally different needs based on market cap, specifics of industry, organizational structure, and a host of other unique factors. Unfortunately, the frameworks are “not calibrated” for any of those differences. That means some components will fit better in one organization than they will another.
“It’s aspirational,” Yip says. This is the limitation of a standardized approach in an infinitely varied environment. It does a particular disservice to those who cannot afford the consulting fees to develop a holistic platform for them. He put the onus on the risk professional to understand that “these are just guidelines.” They are not a “Thou shalt do” declaration.
An Unexpected Conversation
After articulating why a rush to risk assessments without understanding the organization’s strategic objectives is a surefire way to end up mired in the transactional, it becomes clear why Yip saw the question, “which framework should I choose?” as missing the point.
For those starting down (or reviving) an ERM path, his advice to avoid the transactional trap, simplify the conversation, and create a focused deliverable—designed to create sustainable viability for the program—seems enormously valuable. While this meant completely changing the perspective of the article we originally intended to write, the practical discussion that emerged from a career spent examining all types of ERM developments (successful and otherwise) was certainly worth the effort.
Interested to see how Origami Risk can help with your ERM efforts? Get in touch with one of our experts today to find out more.
About Michael Yip
Michael Yip brings over 25 years of experience as a Senior Executive and Global Thought Leader in Enterprise Risk Management (ERM). Yip specializes in development and implementation of strategic risk management processes and advancing effective risk-based mitigation solutions. He has held senior leadership positions with several major global firms and is currently Vice President of Risk Management at the DFW International Airport. In his role at DFW, he has transformed the Risk Management department by creating an innovative professional services delivery model centered around delivering practical ERM value in real-time.