Do you think enterprise risk management (ERM) is on life support? Well, for many organizations, it is. But for those astute leaders who have come to learn that success is affected most often by risk and the way in which risks are managed, the risk-management discipline has a new life.
That new life has emerged as risk and performance management (RPM), which I think of as the properly focused, all-encompassing way we should consider risk as it relates to organizational success. RPM is the natural, next, and most significant step for integrating risk comprehensively into successful enterprises.
RPM should resonate more with management than ERM, or even the most recently coined iteration, strategic risk management (SRM), ever did. RPM aligns more with management’s vested interests, immediate concerns, and needed support for decision-making. It leverages the financial language of the business. Acronyms aside, the end game is the same. It is what ERM was always intended to address: a more valued focus on results versus losses.
The key ways in which RPM can be distinguished from ERM/SRM are not insignificant. For one, current ERM standards are basically designed to help a company better identify, assess, and respond to risk. Although the approaches may differ, they are most often structured to determine, report, and document the data, information, or knowledge gained through their application. In effect, risk information and data could be viewed as the driving purpose of these programs.
As practitioners advance the use of risk standards, they naturally progress to the next logical step, which is better results. RPM begins where ERM leaves off, irrefutably linking risk to results. Therefore, RPM makes organizational performance, and not risk data, the heartbeat of program design.
A second distinction is in the aggregate versus enterprisewide view of risk. Consider the Committee of Sponsoring Organizations’ ERM framework, for example. The scope for ERM as expressed in this approach is found directly in its definition of ERM itself: to be applied in “strategy setting and across the enterprise,” which is essentially everywhere. As a result, the need for “risk lists” and comprehensive, labor-intensive documentation is supplanted by a clearer understanding of aggregate risk-taking.
ERM surveys risk within and across silos. RPM, on the other hand, measures from a top-down perspective: the point from which most planning emanates. RPM takes an aggregate view of key risks, not attempting to count every risk, but to highlight the most significant key risks and elements of the risk profile that can be leveraged to create value, and only secondarily, reduce loss.
A third area of distinction is in the focus on effectiveness versus comprehensiveness. Once the differences in purpose and focal point are understood, it is obvious that RPM can supplant ERM as the truest perspective on how the most effective management of risk is accomplished in the most successful organizations.
Where ERM is committed to a thorough documentation of risk and the responses (mitigations or controls) tied to those risks, RPM’s focus is to find where risk-management effectiveness may be failing and to determine how well risk processes are contributing — or not — to company results. RPM does not make the creation of a complete list of risks a priority, but leverages the most relevant risk data to drive performance as the priority.
Yet another distinction is in the assessment of risk. Is the approach to risk assessment one of quantitative or qualitative orientation? Since a truly comprehensive approach to ERM is defined by thoroughness, it is important to identify and assess risk in a uniform fashion across the enterprise. Thus, more subjective qualitative assessments are common, such as uniformly color-coded thresholds.
RPM doesn’t concern itself with uniformity as much as bottom-line effects, though consistency in measurement is important. As a result, quantification, particularly in dollar terms, becomes important and should be applied whenever feasible.
As many have learned the hard way, even if you find acceptance among leadership for soft, qualitative assessment and measurement, you can expect that it will almost certainly evolve to a demand for more precision. Ultimately, this will force the quantification of risk, in order to satisfy stakeholders who are increasingly under the gun to manage their risks effectively.
Finally, when RPM is practiced correctly, it includes all of the right steps to legitimately advance ERM or SRM into the strategic decision-making process of the organization. Notwithstanding this reality, it will still rely heavily on the same proven core process elements found in popular ERM standards and frameworks like ISO 31000, with a difference only in emphasis. This emphasis or perspective shifts the focus and application of these processes, not the processes themselves.
Even though a growing number of risk leaders have been focusing properly on the link between risk and results, the emerging RPM process represents the evolution of ERM to include SRM, most recently highlighted by the Risk and Insurance Management Society (RIMS). It puts new discipline into the practice of risk management, increasing the chances it will add value and have a measurable return on investment. That in itself should ensure its future as an increasingly important discipline with a significant potential for contributing to mission accomplishment as much as, or in some cases more than, others.
Chris Mandel and Gary Bierc are principals at rPM3 Solutions LLC (www.rpm3solutions.com). Mandel is a former president of RIMS.