This article was conceived in the first months of 2023 when large stock price declines in well-known corporations began to occur.   These declines signaled something possibly amiss with decisions concerning corporate strategy, reputation, financial well-being, marketing, or external market conditions.  Rather than react to these early events, publication was postponed to gather additional and more varied information regarding executive-level decision outcomes affecting business strategy and ultimately business success. Consequently, publication of this article was delayed until July 2024.

Introduction

Events beginning in 2020 and continuing into 2024, suggest the practice and value of Enterprise Risk Management or “ERM” has been discounted as a business function, or perhaps simply discarded.  Significant declines in stock prices of large publicly traded companies are the tell.

ERM rose to prominence within the last 10 – 15 years as the means to protect the long-term interests, including reputation and profitability of businesses to ensure sales, revenue, and equity growth.  Investors looked to CEOs, C-level suite executives, and Chief Risk Officers, to guide corporations through emerging and future uncertainties.

ERM seemed to have much promise, but was it a bust or in remission and there is a long-game being played that is not obvious?

Before delving into further into contemporary ERM practice, a limited review of recent risk management history is informative.

We can go back to 2004 for the COSO Enterprise Risk Management – Integrated Framework ⁽¹⁾ and five years later to ISO 31000:2009 Risk management – Principles and guidelines ⁽²⁾, and another eight years later to the 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance Framework revision. ⁽³⁾  Followed in 2018 by the revised ISO 31000:2018 Risk management guidelines ⁽⁴⁾.

According to the COSO 2017 framework’s FAQ, “Enterprise risk management is no longer focused principally on preventing the erosion of value and minimizing risk to an acceptable level.  Rather, it is viewed as integral to strategy setting and the identification of opportunities to create and maintain value.”  The 2017 COSO Framework explicitly linked ERM to strategic objectives.

The ISO risk management body of knowledge migrated from a (2009) focus – on what to do process guidance at operational levels – to an emphasis on leadership (2018) by top management to integrate risk management throughout the organization and most importantly with organizational governance.

It is important to note that risk management is concerned not only in negative events and their effects on businesses, programs, and projects, but also in positive conditions that suggest a future, but uncertain opportunity.

One explanation which might stretch the imagination in the current environment, is that some businesses are pursuing opportunities, i.e., intelligent risks, for the long-term.  Meaning that potential future opportunities were recognized, but with some uncertainty of success.  But businesses were willing to tolerate short-term financial risk for larger long-term gains.

          I define an intelligent risk as an opportunity in which the potential gain outweighs the harm or       loss that could impact the organization’s sustainability if the opportunity is not explored. –

Dr. Harry Hertz ^{(5, 6)}

As Dr Hertz noted, quoting the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, the main purpose of ERM is in setting an organization’s strategy and objectives to achieve the appropriate balance between growth and return goals and related risks. ⁽⁷⁾

Robert Kaplan and Annette Mikes wrote in 2012 of different categories of risk to help enable understanding distinctions among them. ⁽⁸⁾  These were described as (1) Preventable risks internal to the company and could be unethical practices, or process failures (2) Strategy Risks are those that a company engages in with the promise of superior financial returns., and (3) External Risks are those beyond company control.  The authors note that risk any category can be fatal to the company.

Kaplan and Mikes discussion of Rules-based Risk Management was especially informative in that this approach may be best applied to Preventable risks associated with internal to a company’s operations, e.g., compliance, rather than to Strategy or External Risks.

One might think the following are timeless, doomed to be repeated by generations of executives, managers, and employees, as they seem to be.

Human behaviors include a range of factors that affect decision making concerning strategy, internal operations, and external events.

These factors include (a) overestimating ability to influence events, (b) overconfidence about accuracy of forecasting and risk assessments; (c) restricted view of potential outcomes; (d) using available information to predict uncertainty; (e) having a confirmation bias to support a particular position; (f) suppressing information that contradicts a particular position; (g) group think; (h) accepting failures and defects; (i) misjudging signals as false alarms; and (j) decentralizing risk management and responsibility across business functions. ⁽⁸⁾

Mckinsey & Company, the global consultancy, describes two sources of risk.  First, external factors that can include supply chain disruptions, pandemics, competitors and cyberattacks, among others.  The second source may include poor executives’ decisions, reputation affecting information exposure, and the risk of missed opportunities. ⁽⁹⁾

Perhaps most relevant today, McKinsey & Company clearly stated that organizations incur business risk when realized that may tank profits or bankrupt the business. ⁽⁹⁾

Was the ERM design as embodied in the COSO and ISO publications deficient or remiss in addressing the need for continuous surveillance of the business environment even though strategy was the focus?

Or was it that the human capital required to make it work a rare and difficult to acquire skill akin to that of a prophet?

Or did a rule-based approach, effective for managing preventable risks, that limited the scope of ERM practice to one of known conditions to the exclusion of inconvenient or unthinkable future events?

Or, did external business conditions change suddenly and unexpectantly such that conventional ERM thinking was unprepared?

Let us turn back the calendar 39 years to 1985.

The ISO 9001 Quality Management system standard did not exist, at least in the form generally recognized and was not published until 1987, as ISO 9001:1987. ⁽¹⁰⁾  The Malcolm Baldrige National Quality Award also did not yet exist and was established by Congress as the Malcolm Baldrige National Quality Improvement Act of 1987 (Public Law 100-107).

The first Malcolm Baldrige National Quality Award recipients were recognized at a White House Ceremony on November 14, 1988. ⁽¹¹⁾

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework (fraud deterrence) did not exist, it was not published until 1992 and released in again in 2013. (12) In 2017 COSO updated the framework to emphasize “Importance of considering risk in both the strategy-setting process and in driving performance”. ⁽¹³⁾

This lack of what we recognize today as ERM might be considered an explanation for poor decisions in the 1980s, which we’ll explore in our next article.

Bio:

His career has been enriched through education, training and experience beginning in the early 1970’s as an investigator, and later as economist, statistician, operations researcher, adjunct professor, business owner, newsletter publisher, consultant, quality award examiner, risk and QA manager, and contractor.

The common thread throughout this time has been gathering, reducing, assessing, summarizing, and presenting findings to enable decision making.  With the arrival of COVID-19, it was recognized that methods and tools used for decision making in a business setting, particularly involving risk, can be adopted to individuals.

Toney is also an aspiring business fiction writer where his future works will be published on vucanites.com.

REFERENCES:

1. The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise Risk Management – Integrated Framework. https://www.coso.org/guidance-erm
2. International Organization for Standardization (ISO). The first international standard on the practice of risk management was published in 2009 as ISO 31000 Risk management — Principles and guidelines. https://riskandinsurance.com/a-brief-history-of-iso-31000-and-why-it-matters/ Accessed 22 September 2023.
3. COSO. Enterprise Risk Management-Integrating with Strategy and Performance – 2017. The emphasis on the linkages among risks, strategy and performance was a key change in the 2017 update to the COSO ERM framework. https://www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf
4. ISO. ISO 31000:2018 Risk management guidelines. Note: This update. provides more strategic guidance  https://www.iso.org/standard/65694.html
5. Hertz, Harry, PhD. Director Emeritus, Baldrige Performance Excellence Program. Innovation Results from Intelligent Risk Taking and a Supportive Environment. Insights on the road to performance excellence. May 2012.  https://www.nist.gov/baldrige/innovation-results-intelligent-risk-taking-and-supportive-environment
6. Hertz, Harry, PhD. Director Emeritus, Baldrige Performance Excellence Program. Enterprise Risk Management Requires a Systems Perspective. Insights on the road to performance excellence.  Summer 2016.  https://www.nist.gov/baldrige/enterprise-risk-management-requires-systems-perspective
7. Ibid. According to the Committee of Sponsoring Organizations of the Treadway Commission, the main purpose of ERM is in setting an organization’s strategy and objectives to achieve the appropriate balance between growth and return goals and related risks.
8. Kaplan, Robert S. and Mikes, Annette. Managing Risks: A New Framework, The Magazine, June 2012.
9. What is business risk? An organization faces business risk when it is exposed to a situation that can lead to decreased profits or even bankruptcy. Featured Insights.  August 23, 2023 https://www.mckinsey.com/featured-insights/mckinsey-explainers/what-is-business-risk#/
10. https://www.latestquality.com/iso-9001-history/)
11. https://baldrigefoundation.org/who-we-are/history.html
12. (https://en.wikipedia.org/wiki/Committee of Sponsoring Organizations of the Treadway_Commission)