7 | 2012

"So the question remains on the table: is ERM unfixable, or can something be done to make it live up to its promise as an effective and relevant business practice?"

-- Robert N. Charette and Brian Hagen, Guest Editors

Opening Statement

Three years ago, we published an issue of Cutter IT Journal titled, "Managing Enterprise Risk in a Failing Economy: Is It Time to Rethink Risk Management?" The core question addressed in that issue was whether it was time for a major reformulation of what enterprise risk management (ERM) meant and how it was practiced. At the time, corporate approaches to ERM were obviously wanting, if not thoroughly discredited. What was not obvious, however, was what -- if anything -- could be done about it. For example, were there fundamental flaws with the risk models and methods that underpinned ERM? Or were the models perfectly fine within their limits, but it was their implementation -- especially in terms of creating a supportive, risk-aware organizational culture -- that caused ERM's problems?

The consensus of the articles in that February 2009 issue was that ERM as then practiced was flawed in models and methods as well as implementation. The only argument was whether ERM was fatally flawed or could be reformed. At the time, our contributors expressed optimism that with the flaws of ERM practice so obviously exposed by the global financial meltdown, and with the need for an enterprise-wide approach to effectively managing risk still an imperative, both government and commercial organizations would begin broad efforts to assess and then improve their risk management practices across the board, from individual projects to their organizations as a whole.

Unfortunately, that hope has not turned into reality. In the intervening few years, ERM's record has continued to disappoint in both government and commercial organizations. To wit, massive enterprise risk mismanagement has been exposed by events such as:

  • The "IT glitch" in June that affected the Royal Bank of Scotland Group banks, preventing over 16 million customers from accessing their accounts for more than a week (and some customers for nearly a month)1

  • JPMorgan Chase's recent trading loss of some US $5.8 billion (or more),2 which the bank admitted was a result of "bad judgment" and a "Risk 101 mistake"3

  • The MF Global bankruptcy of late last year, the eighth-largest US bankruptcy, with over $41 billion in assets4

  • The Sony PlayStation data breach in April 2011, which affected over 100 million customers5

  • The Fukushima nuclear disaster in March 2011, which an independent commission report recently labeled "man-made"6

  • The fatal 2010 BP Deepwater Horizon oil well explosion, which caused the largest marine oil spill in history7

  • The ongoing drama in the EU to bail out Greece and other troubled EU countries8

Clearly these incidents are not isolated aberrations, and we could easily list several dozen additional examples in which inexcusable "Risk 101" mistakes dominated corporate and governmental decision making.

More worrying is that there is a sickening déjà vu feeling when each case of enterprise risk mismanagement is examined in detail: risks are identified but ignored; risk managers are fired for highlighting risks; shortcuts to enterprise risk practice are taken, allowing risks to turn into problems; risks are treated in isolation; risks aren't communicated; risk models are so complicated that no one knows what they are supposed to represent; and so on. It is apparent that the Great Recession's painful lessons about how not to do ERM have not been learned -- if they were even heard.

The practice of ERM was not supposed to turn out this way. As ERM pioneer H. Felix Kloman wrote in 1992, "the real objective of [enterprise-wide] risk management is to reduce fear of the unknown and the unexpected, and to create confidence in the future" [emphasis original].9 The way to accomplish that objective, Kloman argued, was to develop a holistic framework in which the full range of risks confronting an enterprise could be addressed in a proactive fashion, instead of in a siloed, reactive manner through the purchase of insurance or by making financial provisions to cover for potential losses if risks turned into problems, as was then generally the case.

A major driver behind Kloman's as well as others' desire for a holistic approach to risk management was the strong feeling that enterprise-wide risk mismanagement was at the heart of the major catastrophes of that time, such as the Bhopal gas tragedy, the Chernobyl nuclear accident, the NASA Challenger shuttle disaster, the Exxon Valdez oil spill, and the US savings and loan crisis, to name a few. Also appearing were major IT-related problems, such as the "Morris Worm," which showed the vulnerability of computer networks to hacking, and the software bug that crashed part of AT&T's telephone network, which highlighted the fragility of even supposedly "crash-proof" IT systems.

Over the past 20 years, as Kloman wished, the discipline of risk management has taken a more organizationally holistic approach. But the disasters, many avoidable, keep piling up; there is little belief that ERM practice is close to the point of creating confidence in the future. So the question remains on the table: is ERM unfixable, or can something be done to make it live up to its promise as an effective and relevant business practice?

The authors in this month's Cutter IT Journal think that many of the practices, processes, and techniques underpinning ERM continue to exhibit major flaws, which they too believe can be fixed to improve ERM's effectiveness. However, that belief is also balanced in each article by warnings that the fixes recommended will require major, sustained effort and so should not be viewed as easy tasks.

In addition, our contributors focus their recommendations into two separate but related areas. The first set of recommendations is aimed at improving the technical, largely IT security-oriented, issues with enterprise risk management, while the second set focuses on improving the often overlooked people-oriented aspects of ERM, such as addressing the behavioral factors that serve as incentives to avoid performing risk management.

We start off with a security-focused article by John Markott, Ken Farmer, Mike Rowling, and Michael Hughes of IBM. Traditionally, ERM, and especially IT security risk management, has been implemented using a top-down, management-directed approach. The authors argue that a bottom-up risk management approach, grounded in data analytics, can not only provide a faster, more effective, and more efficient approach to enterprise-wide security risk management, but also show how ERM in general can be significantly improved.

Next, Jongwoo Kim, Carl Stucke, and Richard L. Baskerville ask how you can make an estimate of risk when the frequency data to support it is limited or nonexistent, which is often the case when considering new or transitory risks. The authors discuss the limitations of current ERM practice based on probability theory and suggest that, in many cases, using possibility theory instead is a better approach. Possibility theory, an extension of fuzzy sets and fuzzy logic, relies on expert judgment about how plausible certain events are, and that judgment is often better expressed as a range of values than as a single-point estimate.
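To make the contrast with a single-point estimate concrete, here is an added illustration of the idea; it is not code from the Kim, Stucke, and Baskerville article and does not reproduce their method. It assumes a hypothetical expert statement about the loss from a new threat ("at least $1M, most likely $2M to $4M, no more than $10M"), encodes it as a trapezoidal possibility distribution, and computes the possibility and necessity that the loss exceeds a given threshold. The figures and the threat are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TrapezoidalPossibility:
    """Possibility distribution pi(x) built from an expert's range statement.

    pi(x) = 0 below a and above d (ruled out), 1 on [b, c] (fully plausible),
    and rises/falls linearly on [a, b] and [c, d]. No frequency data is needed:
    the four numbers are the expert's judgement, not an estimated probability.
    """
    a: float
    b: float
    c: float
    d: float

    def __post_init__(self) -> None:
        if not (self.a <= self.b <= self.c <= self.d):
            raise ValueError("need a <= b <= c <= d")

    def pi(self, x: float) -> float:
        """Degree of possibility that the quantity equals x."""
        if x < self.a or x > self.d:
            return 0.0
        if self.b <= x <= self.c:
            return 1.0
        if x < self.b:                       # rising edge, b > a here
            return (x - self.a) / (self.b - self.a)
        return (self.d - x) / (self.d - self.c)  # falling edge, d > c here

    def possibility_exceeds(self, t: float) -> float:
        """Pos(loss > t) = sup of pi(x) over x > t."""
        if t < self.c:
            return 1.0
        if t < self.d:
            return (self.d - t) / (self.d - self.c)
        return 0.0

    def possibility_at_most(self, t: float) -> float:
        """Pos(loss <= t) = sup of pi(x) over x <= t."""
        if t < self.a:
            return 0.0
        if t < self.b:
            return (t - self.a) / (self.b - self.a)
        return 1.0

    def necessity_exceeds(self, t: float) -> float:
        """Nec(loss > t) = 1 - Pos(loss <= t): how certain the exceedance is."""
        return 1.0 - self.possibility_at_most(t)

    def alpha_cut(self, alpha: float) -> tuple[float, float]:
        """Interval of losses whose possibility is at least alpha (0 < alpha <= 1)."""
        if not 0.0 < alpha <= 1.0:
            raise ValueError("alpha must be in (0, 1]")
        lo = self.a + alpha * (self.b - self.a)
        hi = self.d - alpha * (self.d - self.c)
        return (lo, hi)


def exceedance_bracket(dist: TrapezoidalPossibility, t: float) -> tuple[float, float]:
    """Return (necessity, possibility) that the loss exceeds t.

    Necessity is a lower bound and possibility an upper bound on any
    probability consistent with the expert's range, so the pair reports the
    width of what is actually known instead of a falsely precise point.
    """
    return (dist.necessity_exceeds(t), dist.possibility_exceeds(t))


if __name__ == "__main__":
    # Constructed expert statement, in $M: at least 1, most likely 2..4, at most 10.
    loss = TrapezoidalPossibility(a=1.0, b=2.0, c=4.0, d=10.0)
    for threshold in (0.5, 1.5, 7.0, 12.0):
        nec, pos = exceedance_bracket(loss, threshold)
        print(f"loss > ${threshold}M: necessity={nec:.2f} possibility={pos:.2f}")
    print("losses with possibility >= 0.5:", loss.alpha_cut(0.5))
```

The pair (necessity, possibility) is what the editors' point about ranges looks like in practice: for a $7M threshold the constructed distribution gives necessity 0 and possibility 0.5, which tells a decision maker that the exceedance cannot be ruled out but is not supported either, whereas a single probability would hide that gap in the evidence.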

In our third article, Jason L. Stradley argues that current risk management models in IT security are flawed because of an overemphasis on protecting physical assets rather than the data resident on those assets, a failure to incorporate threat analysis on a consistent basis in IT risk management programs, and inconsistent identification and valuation of assets. He contends that what's needed to overcome these deficiencies is an effectively developed and maintained risk model, which "is tailored to the organization ... and provides a very explicit set of indicators for the investment and application of security resources." The risk model then acts as a "barometer" against which the investment of security resources in an organization can be measured.

Our next article marks the issue's shift to more people-oriented recommendations on fixing ERM. Paul Clermont agrees that the practice of ERM has indeed failed to stem large-scale fiascos, a result he attributes to its failure to take human irrationality into account. Clermont calls for a return to common sense in ERM practice, offering a broadly defined approach to risk management based on the three components of imagination, analysis, and will. He notes, however, that "just assuming effective risk management at the enterprise level without mandating it and following up is unlikely to be sufficient." To avoid the systemic spillover of risk, Clermont argues that reasonable regulatory curbs must be placed on organizations whose actions may endanger the economy as a whole.

Penny Pullan and Ruth Murray-Webster agree that all is not well in the ERM sphere, seeing the poor communication of risk as a major contributor to ERM's failings. The problem, they say, is that risk management processes just don't work well with groups of human beings who are trying to agree on how to manage potential future events. They introduce the concept of facilitation of risk, in which a risk facilitator enables the risk management processes to work as intended. This approach, they claim, makes it easy for everyone involved to identify, engage with, and manage risk.

Our final contribution comes from Elmar Kutsch and John Ward. In their article, they ask why -- if the active management of risk is a recommended practice to help projects succeed -- do projects keep failing because of known risks that are allowed to turn into uncontrollable problems? They suggest that there are a number of intrinsic flaws in risk management process and practice that don't take into account the behavioral motivations that may influence project managers to ignore or minimize risk in their decision making. They then offer a number of remedies to address these evident omissions.

Enterprise risk management has not lived up to its potential, and our authors have demonstrated numerous reasons why. They have also outlined numerous recommendations on how the practice, processes, and techniques underpinning ERM can be improved, as well as possibly a better way to set expectations about what ERM can and cannot do.

As we look to at least a near-term future that remains fraught with economic difficulties, it would seem that taking these recommendations to heart would be a high priority of commercial and governmental enterprises. History, however, has not shown that organizations have a good track record in implementing ERM lessons learned. Let's hope that this time it will be different.

ENDNOTES

1 Charette, Robert N. "RBS: Royal Bank of Scotland or Real Bad Service?" Cutter Consortium Business Technology Strategies Advisor, 5 July 2012.

2 Silver-Greenberg, Jessica. "JPMorgan Says Trading Loss Tops $5.8 Billion; Profit for Quarter Falls 9%." Dealbook (New York Times blog), 13 July 2012.

3 Charette, Robert N. "It's Not Nice to Fool Mother Nature About Risk." Cutter Consortium Business Technology Strategies Advisor, 7 June 2012.

4 Charette, Robert N. "Chief Risk Officer: Watchdog or ...?" Cutter Consortium Business Technology Strategies Advisor, 9 February 2012.

5 Charette, Robert N. "Sorry for Whose 'Inconvenience'?" Cutter Consortium Enterprise Risk Management & Governance Advisor, 19 May 2011.

6 Charette, Robert N. "Jumping the Radioactive Walrus: Nuclear Risk Mismanagement in Japan." Cutter Consortium Enterprise Risk Management & Governance Advisor, 7 April 2011.

7 Charette, Robert N. "Faux (Pas) Risk Management Puts Company in Deep Water." Cutter Consortium Enterprise Risk Management & Governance Advisor, 20 May 2010.

8 Charette, Robert N. "Is It Time to Move to Plan G, or Is It Plan H?" Cutter Consortium Business Technology Strategies Advisor, 23 November 2011.

9 Kloman, H. Felix. "Rethinking Risk Management." The Geneva Papers on Risk and Insurance, Vol. 17, No. 64, July 1992.

ABOUT THE AUTHORS

About Brian Hagen

Brian Hagen is a founder and Managing Director of Decision Empowerment Institute. Dr. Hagen is an internationally acknowledged authority and advisor in the field of decision and risk analysis. He has been a practicing decision and risk consultant for over 25 years, providing consulting, coaching, and training to more than 30 corporations in the Fortune 200 across a wide variety of industries. He is a winner of the 2011 Risk Innovator Award by Risk & Insurance magazine for PRO Enterprise Management™, a methodology with supporting Web-based software used by corporations and governmental agencies for the evaluation and management of problems, risks, and opportunities. Dr. Hagen received a PhD and a master's degree in engineering-economic systems from Stanford University and master's and bachelor's degrees in mathematics from California State University at Fullerton. He can be reached at hagen@DecisionEmpowermentInstitute.com.