Top 10 Enterprise Risk Management Myths

David Letterman is not likely any time soon to titillate broadcast viewers with a top 10 list detailing the most common misunderstandings about enterprise risk management (ERM). But that doesn’t mean there’s no audience for a rundown on the Top 10 Myths about ERM.

Few companies can grow without taking risks. But poor risk management leads to surprises in business operations that can impact shareholder confidence, regulatory oversight and the bottom line. An unprecedented wave of regulatory oversight in recent years has convinced many organizations how inadequate their risk management policies and procedures really are.


Many of the world’s largest companies have responded to external and internal pressures by embarking on a journey to unify governance, risk and compliance (GRC) management across the enterprise. Yet, many organizations that don’t have a historical foundation in risk management are still struggling to come to grips with this new discipline and how to embed risk management into the business. So with that in mind, let’s take a Letterman-like look at the top 10 myths regarding ERM and how that can impact your business.

Myth Number 10: IT Risk Management = Information Security

Most information security programs place far too much emphasis on the how and what, and far too little on the why. Information risk management, on the other hand, is inherently focused on the why.

Unfortunately, there’s always far too much for IT staffs to do. There are too many vulnerabilities to remediate and too many controls to implement, so some critical deficiencies will go unmanaged. True risk management requires a business perspective on these deficiencies to better manage and prioritize the issues that threaten the organization. A checklist approach to information security ignores business impact and criticality.

Myth Number Nine: CIOs Embraced Enterprise GRC

To address Sarbanes-Oxley (SOX) compliance, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. SOX solutions were generally purchased with the tacit approval of IT, but few IT organizations standardized on a strategy for managing risk and compliance data; as a result, different parts of the problem are addressed by a wide and disparate range of solutions including spreadsheets, custom and commercial applications.

In numerous buying decisions, IT is too often at the table in a support role, rather than as a strategic thinker focused on the long-term benefits of a common GRC platform. Scattered risk and compliance data marts will cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business.

Myth Number Eight: A Rigid, Standardized Approach is Best

ERM, similar to most business processes, is not a “one-size-fits-all” solution. It has to be customized and tailored for each firm. As Mark Olson of the Federal Reserve notes, “An effective enterprise-wide compliance-risk management program is flexible to respond to change and it is tailored to an organization's corporate strategies, business activities and external environment.” (April 10, 2006)

Companies that try to implement an out-of-the-box methodology will likely fail. ERM methodologies and taxonomies must be adapted to a company’s legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry. Further, the risk framework must be able to adapt to change over time to avoid losing competitive advantage.

Myth Number Seven: You Can Only Manage Risk from the Center

No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it’s too difficult to federate, and they don’t know how to push risk management to lower levels of responsibility in the organization. It’s a classic issue of consistency vs. quality of information.

But accurate information lies at the business line level. Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably and cost-effectively do that is to invest in automated technology solutions.

Myth Number Six: You Can Manage Risk and Compliance with Spreadsheets

Spreadsheet wizards have carved out a significant role in managing financial and operational data in many companies. The problem is that this approach is a) manually intensive and b) highly reliant on the individuals who manage and operate these spreadsheets. Further, the processes for linking, updating and archiving data in spreadsheets are mostly ad hoc, leading to significant risks associated with this data.

Freddie Mac, for example, in its 2005 annual report noted that reliance on “end user computing systems” (read: spreadsheets) posed a significant risk to its ability to report accurately on financial data. Using spreadsheets and file shares for risk and compliance data is a dead end; risk managers have trouble getting visibility into the data because of poor reporting capabilities, and will rightly question the accuracy of the data itself.

Myth Number Five: Traditional Audit Planning is Good Enough

A traditional model of planning the audit process typically examines 10-20 risk factors for each element of the audit universe, and funnels each auditable entity into a risk category which will drive its audit frequency. But the known risk universe gets bigger by the day, and investing in a massive risk evaluation for each entity may not be the best use of resources: Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office? Progressive organizations are turning towards a more agile, top-down approach to risk assessment to drive audit scheduling. This will lead to more efficient resource allocation, ensuring that auditors are focused on the truly risky areas.

Myth Number Four: Enterprise Risk Management is Dead!

David Martin and Michael Power assert in “The End of Enterprise Risk Management” that ERM frameworks are outmoded because they embody an unrealistic and outdated theory of organizations – hierarchical, “bird’s eye views” from the top that are progressively detached from the reality of modern financial organizations.

Truth be told, the current regulatory climate has resulted in control-based ERM frameworks that have a bias for analysis versus action, and in some instances the production of evidence for regulators and auditors has become more important than managing real risks. But that doesn’t mean we should abandon ERM.

ERM needs to be deployed bottom up so that business managers are the first-line managers of risk, embedding enterprise risk management within the day-to-day business processes of the firm. They must understand the risk/reward trade-offs involved in their own decision-making. Risk management should create a bias for action, surfacing problems as they arise and empowering the entire organization to be risk managers.

Myth Number Three: It Just Takes Common Sense

“There are really no cook-book solutions. One has to use creativity and a lot of common sense.” – May 16, 2000, email response from ENRON risk expert Vince Kaminski when asked by a colleague to recommend a good book on operational risk.

As ENRON proved, creativity is a No-No and common sense just doesn’t hack it when it comes to risk management. As business activities have become more complex, so too has risk management. The sheer magnitude of the regulations to comply with leaves many firms struggling to put in place processes and infrastructure that are able to identify and control the compliance risks they face.

Risk management covers a wide variety of risk disciplines including operational, compliance, financial controls, legal, liquidity, business strategy and technology, each of which has its own nuances and specialized models for assessing risk. It may not be rocket science, but it does require the application of sophisticated models and analytics, aided by accompanying software tools.

Myth Number Two: TJX – It Can’t Happen Here

The TJX data breach, perhaps one of the biggest business stories of 2007, is only one of many that were publicly reported. Attrition.org maintains a list of public, high-profile data breaches that is staggeringly long, going back to the year 2000. When you consider that companies have a vested interest in not making such events public, and that many more breaches undoubtedly go undiscovered, only the tip of the iceberg is visible to us.

But shouldn’t we be getting safer? Preventative technology and knowledge gets better and better every day. Unfortunately, the villains also get better and better every day, so the gap persists. Your organization is susceptible and it’s critical you do everything you can to keep the gap as narrow as possible to minimize your risk.

And (drumroll…) the Number One Myth about ERM: You Can’t Plan For the Unknown

You may not be able to predict events that lie outside the realm of regular expectations, but risk managers have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long-term disruption of their business operations due to a catastrophic event taking place in Manhattan, and they were up and running from alternate operational centers within hours of the fatal events of 9/11.

Key risk exposures, whether they are operational, market or credit risks, do not always follow a normal distribution or bell curve. Some risks have fat tails and it is the events that lie at the lower and upper ends of the distribution curve that are most important to consider and plan for. You have to fight the natural tendency to focus on the known, the tangible and the repeated and devise strategies to cope with the unknown – your company’s viability may depend on it.