Until the 1990s, few business leaders thought of risk management as something broader than the procurement and administration of corporate insurance. In this article, we discuss the challenges confronting the new field known as Enterprise Risk Management (“ERM”) since it has started to emerge over the last 30 years.
- Jeff Matsen, Vice President of ERM, Edwards Lifesciences, Interview conducted by Russ Banham for RIMS (Risk and Insurance Management Society), April 2019
The period in corporate risk management from 1990 to 2020 might be best described as the dawn of a new era – the era of Enterprise Risk Management (“ERM”). As with any new era, change is not easy or straightforward. It’s messy and controversial. Why? Because we are comfortable working within established and well understood intellectual frameworks, and we don’t like change. In fact, the last thing experts working within an established paradigm seek to do is to refute the theories and assumptions embedded in that paradigm.
Since the 1940s, corporate risk management has been oriented toward prevention of accidental loss, insurance purchasing and management, and solving specific insurance-related problems through some combination of avoidance, control and financing. The predominant conceptual world view equated risk management with insurance management. Consequently, before we spend time trying to understand the current state of ERM, it’s important to step back and learn how change occurs when we shift from one conceptual world view (risk management is the prevention of insurable loss) to another conceptual world view (risk management is an interdisciplinary and enterprise-wide effort for learning to thrive in a state of uncertainty).
The best guide to understanding paradigm shifts is Thomas Kuhn and his 1962 book, The Structure of Scientific Revolutions. Kuhn was trained as a physicist, but his intellectual breakthrough came as a result of being tasked to teach a course on science for humanities students at Harvard. Kuhn built the course around historical case studies and, in doing so, had an epiphany. Before Kuhn, scientific progress was thought to be the evolutionary outcome of researchers, theorists and experimenters peacefully collaborating to obtain an improved understanding of the natural world. New truths were added to the stock of old truths, theories were brought into closer approximation to the truth, and past errors were corrected. In sum, science was thought to be a continuous and relatively harmonious increase in a set of accepted facts and theories.
Kuhn’s compilation of historical case studies, particularly his review of Aristotle’s work, led him to a different conclusion. Instead of viewing science as steady, cumulative progress, Kuhn realized that experts work within intellectual traditions and that we should see the development of any field, such as risk management, as occurring in phases. The first phase is “normal science,” in which a particular community shares a common intellectual framework and anomalies are resolved either through incremental changes to the framework or by discovering an error in the practitioner’s methodology. Imagine a piece of equipment that fails to perform in the anticipated manner. Normal science resolves the anomaly through newer and refined methods and instruments which, in turn, produce better equipment.
What happens when an anomaly can’t be resolved, or worse, anomalies begin to accumulate? We move to the crisis phase, where some members of the community begin to question the paradigm itself. At this point, scientists lose faith in the existing paradigm and start to consider alternatives. Debate ensues and gives rise to competing articulations of new paradigms. Eventually, the crisis is resolved by replacing the now-deficient paradigm with a new one, and the community returns to normal science based on the new framework. Interestingly, Kuhn observed that those who invent a new paradigm are often young or new to the field whose paradigm they changed.
Risk management as we presently know it is in a Kuhnian state of crisis. In September 2019, RIMS, the industry association for insurance and risk professionals, released its first ever survey on present and future challenges facing those working in the field. Less than one-third of senior executives responded that risk management professionals of today are prepared to meet future challenges. Further, respondents complained that a significant challenge was obtaining “senior leadership buy-in, and resistance to ERM.” This survey comes 15 years after the Harvard Business Review listed ERM as a “Breakthrough Idea for 2004” (L. Buchanan, Breakthrough Ideas for 2004, Harvard Business Review, 2, 13-16 (2004)).
Why the confusion? If risk management is to be something more than the procurement and administration of corporate insurance, there must be clarity about the core purpose, objectives and methods of the new intellectual framework. At present, there is no consensus about how to build institutional capacity within organizations to manage uncertainty, whether such uncertainty is simple, complicated or complex. If consensus existed about how to construct an interdisciplinary and evidence-based framework to manage uncertainty, each episode of uncertainty would simply provide another body of knowledge that would be dispersed throughout the organization, thereby increasing the overall group capacity to manage uncertainty. Think back to our discussion of Stanley McChrystal and Paul O’Neill. Unfortunately, their examples have not yet produced consensus on what ERM should look like in an organization.
Throughout the remainder of this section, we will take a careful look at some existing models for practicing ERM that have been developed over the last 20 years. As we do so, it’s important to remember that these frameworks represent different world views about how organizations can manage uncertainty in a holistic way. Think of them as high-level guidance that defines a set of outcomes an organization might want to achieve when building institutional capacity to manage uncertainty. Recognize also that some, perhaps many, parts of these frameworks will not apply to your organization.
Moreover, as noted above in the observations of Jeff Matsen who serves as Vice President of ERM for Edwards Lifesciences, many components of an organization are accustomed to managing risk in their own way. They have their own language, belief systems and skill sets for managing risk. Yet we know increasingly that risks are seldom isolated in their effect and that they impact other areas of the organization in unintended and unforeseen ways. If everyone is narrowly focused on what will make their particular silo successful, who will ensure that the organization remains a moral enterprise – a living community which thrives through continuous learning? ERM is a way of helping organizations realize that there are better and worse ways of operating and that there are grades of excellence even if there is no single way that is the best of all.
If your organization is moving away from an insurance-based view of risk management toward an ERM approach, it’s useful to begin by knowing something about the existing ERM frameworks in order to determine what might work for your circumstances. Accordingly, we will look at the key elements of three frameworks sponsored by three different groups: (i) the Standards Australia/Standards New Zealand 4360 Risk Management Standard, which became the International Organization for Standardization Standard 31000 (“ISO 31000”); (ii) the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”); and (iii) the National Institute of Standards and Technology (“NIST”). As we explore each model, we will focus on the common elements that are needed for successful implementation, all the while retaining a Kuhnian perspective. That is, it’s important to remember that we live at a time when there is no single framework for practicing ERM that is persuasive enough for all to adopt. At best, there is an increasing shift to a more holistic approach to managing uncertainty that has produced a variety of allegiances to a variety of approaches. Experiment; pick and choose the elements of an interdisciplinary approach that is right for you and your organization.