Enterprise Risk Management (ERM): The Arbitrary, Ad-Hoc, Mixed Bag and Ensemble of Branded "Parts" Driving Organisational Risk Ideologies

If you unpack the 'enterprise risk management' discourse, resources, practices and beliefs, you discover ERM remains a disparate array of made-up, imagined and reimagined concepts created by non-state actors, representative bodies and marketing campaigns, routinely validated by governments and industry entities, with a dearth of academic or scientific principles and standards.

As a result, enterprise risk management mixes and matches arbitrary portions and compositions of 'risk' resources, standards and concepts that are not only inconsistent from one entity to another but, like many scientific concepts, suffer from a reproducibility crisis. Few bother to look too hard, and those who call out or question such anecdotal narratives are shunned or can reasonably expect a short shelf life in an ever-growing, lucrative industry of 'risk' production, standards and forced community of practice(s).

Great fame and fortunes are made peddling these made-up 'integrations', buzzwords (neologisms) and 'wisdoms'. This includes software and automations.

In other words, if you took your enterprise risk management means of transport to a mechanic... they would find an assortment of non-standard parts, adaptations, and numerous forced couplings between brands, cultures, contexts and measurements (metric vs. imperial).

This, in part, explains why so many roles quote 'must have x years experience in said industry': you have to memorise and recite that specific, made-up, normative and repeatedly reinvented 'risk' concept to understand or apply the fabricated ideology preferred by those in power, with influence or at the top.

Visually, it looks something like the horrible, smashed and poorly assembled vehicle in the model below.

Enterprise risk management. A mixed bag of ad-hoc parts origins and manufacturers
ERM is a "junk yard dog" of disparate parts, cultures, ideology, nation/non-state actors and practices

"Corporations and the people who run them have their own views of risk and risk management."

Underwood, A. & Ingram, D. (2010) The full spectrum of risk attitude, The Actuary, 7(4), pp. 25-32

"Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Consultants are advertising their ability to perform enterprise risk management. Auditors are examining how to incorporate enterprise risk management approaches into company audits. Presentations are being made on this topic at many actuarial, risk management and other insurance meetings. Seminars devoted to this topic are being conducted to explain the process, provide examples of applications and discuss advances in the field. Papers on enterprise risk management are beginning to appear in journals and books on the topic are starting to be published. Some universities are even starting to offer courses titled enterprise risk management. It appears that a new field of risk management is opening up, one requiring new and specialized expertise, one that will make other forms of risk management incomplete and less attractive. This paper will explain what enterprise risk management is, why it has developed so quickly, how it differs from traditional risk management, what new skills are involved in this process and what advantages and opportunities this approach offers compared to prior techniques."

D'Arcy, S. (2001) Enterprise Risk Management, Journal of Risk Management, 12(1)

In short, 'enterprise risk management' just appeared, was endorsed and sold by those in control or making decisions... and it took off from there.

Figure: Similarities Among Selected ERM and Risk Management Documents (caption excerpt: "...relationships among the models but to show risk management disciplines (such as cybersecurity risk management) that aggregate into the ERM process follow similar steps to manage risk.")

Enterprise Security Risk Management (ESRM): Just how clear is the objective, intent and likely outcome?

Whereas Enterprise Risk Management (ERM) asserts the management of risk across an entire business, organisation or enterprise, Enterprise Security Risk Management (ESRM) posits the need to add security as a subsequent inclusion, on the premise that ERM omits adequate consideration of dynamic, agile, adaptive human threats seeking to circumvent or intentionally breach the controls, preventions, policies and protective measures applied to assets across tangible and intangible realms.

"Enterprise security risk management (ESRM) is a strategic approach to security management that aligns an organisation's security practices to its overall strategy using globally established and accepted risk management principles" - ASIS International

Defined: "The ESRM approach addresses the full scope of security risk mitigation practices, including physical security, cyber security, information security, loss prevention, organisational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk mitigation, and workplace violence prevention." - ASIS International

"Security: The condition of being protected against hazards, threats, risks, or loss" - ASIS International

To the uninitiated, or for those outside the groupthink, that seems to cover a considerable range of definitions, concepts, disciplines and constructs rarely deposited in any one person, department or organisation.

If ERM wasn't broad enough... add 'security' to the recipe and gets even broader

ISO


"The International Standards Organization ISO 31000 provides generic risk management principles, a framework, and a process."

"The standard should be the default process for ALL risk management tasks within an organization, ADJUSTED to suit the simplicity or complexity of the project or task."

Smith, C. and Brooks, D. (2013) Security Science: The theory and practice of security. Oxford: Oxford University Press, p.78.

*Note: ISO 31000 is a non-auditable standard

Regardless, there are ISO worshipers, devotees, sales people, auditors and 'champions' the world over. Like high end car enthusiasts, they hold regular gatherings, admire each other's 'vehicle' and 'tweak' the base model with all the bells, whistles, software and tune-ups they can find or buy.
There is bound to be a local 'club' near you

Standards: There is nothing 'standard' within or across risk, safety, security or resilience management...including the 'standards'

Fear, auditing, politics, ideology, power, special interest groups, professional practice and academia all continue to try and 'standardise' risk management, security management, resilience management and safety management. 

This 'war of competing/alternate standards' has been raging for decades, but the speed and volume has accelerated in recent years. 

As has the underlying or prevailing threat(s), which is the paradox of standards...because nature, bad actors and free markets don't use or follow identical patterns or practices. 

As a result, standards can act as considerable inhibitors or restrictions in remaining agile, dynamic and resilient, despite the noble attempts to inform and guide communities, individuals or organisations.

Which one and why?

NIST

As of 14 Jan 2023, there are 699 published resources related to Computer Information, Data and Security, in addition to 79 draft resources on the same subject matter.

NIST is a beast and it only gets bigger with each passing week!

As a result, it is highly unlikely that even the biggest company, government or resourced entity would ever come close to legitimately achieving, maintaining and sustaining MOST of the NIST recommendations, levels and defined criteria.

Even worse, governments and entities around the world have started to 'mix and match' key phrases, standards and levels that appeal to regulators or lay people, or reflect the latest political or technical buzzword of the month: some from NIST, some from ISO, some from COSO and some from other local or popular terms of reference.

Just ask the cybersecurity professionals and long term practitioners what they REALLY think.

However, just try NOT getting on this public bus...and you'll be run over.

Perfectly functional....and they are EVERYWHERE!

COSO

Origins

"To try to develop such a consistent risk management definition, COSO contracted with the public accounting firm PricewaterhouseCoopers (PwC) in 2001 to develop a common consistent definition for risk management. The result was the COSO Enterprise Risk Management or COSO ERM framework"

- Moeller, R. (2011). COSO enterprise risk management: establishing effective governance, risk, and compliance processes, 2nd ed. John Wiley & Sons, p. 15

COSO. Enterprise Risk Management. Origins
Cash-for-Comment. That is paid consulting work... now treated as gospel

3 Lines of Defence

"...suggest that three lines of defence (TLD) is heavily driven by the idealised work of auditing (and risk management) professions, potentially attempting to define and give themselves a role."
"The sudden emergence of the Three Lines of Defence framework could be seen as symptomatic of the increased emphasis of the regulatory focus on risks within firms"

Zhivitskaya, M. (2016). The practice of Risk Oversight since the Global Financial Crisis: Closing the stable door?, Thesis, Doctor of Philosophy, London School of Economics, p.151

Again, another random sighting that became legend, law and mandatory for some as a means of social control, but neither objectively verified nor based on identifiable research, science or 'risk'-informed practices.

Nonetheless, there are plenty of sales reps, trade shows, next year's models, refits, upgrades and spare parts for those invested in their version or brand of this old, reliable, widely accepted tractor.

Annual trade fairs with owners and sellers...but it's still just a tractor

GRC

Trailing behind all this, but trying to bind the parts and factions together, is the invented adhesive solution of Governance, Risk and Compliance (GRC)

The 'big thing' in risk management buzzwords...until the next one comes along or is invented

Governance, Risk & Compliance (GRC) & other disparate, forced and failed approaches to the management of risk, mitigation of harm or safety/security

There is an overwhelming, persistent pursuit in all matters related to 'risk' to invent the next 'big thing'. Not only is the rate of manufacture staggering, but the rigour and research that go into these expressions, buzzwords or neologisms are all but non-existent.

That is, a new term, concept or 'model' associated with 'risk' becomes normative and demanded by organisations, industries and even professions, with little or no questioning of the validity, efficacy and origins of the concept or that of the originator.

This is especially so where an industry, organisation or practice is seeking to reinvent itself after recent, prolonged or public failure(s). Governance, Risk & Compliance (GRC) is just such an invented, disparate and often 'forced' confluence of considerably different functions, skills, expertise and focus.

"The acronym GRC was created by OCEG (originally called the "Open Compliance and Ethics Group") as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance"

Source: OCEG

Word salad, fruit salad, yummy, yummy (Sorry Wiggles)
Just as random and ad-hoc as other buzz words, like ESG. 

In sum, organisations, industries, cultures and their accepted practices vary greatly, even within the same jurisdiction or sector.

That is, there are very few identical entities, meaning there are no identical ERM models or frameworks, nor even large enough, comparable practices to be adequately measured or categorised in the same broad classification.

ERM tries to solve, or falsely asserts it solves, this complex issue. Moreover, threats, vulnerabilities, competencies and experience vary wildly from person to person, organisation to organisation and context to context, defying any one universal, infallible 'system' of management or governance. It didn't work during 'calm' times, and it will be the ruin and embarrassment of many in the coming years, with the return and universal realisation that the world is filled with uncertainty and factors that can't be quantified, shoved in a risk matrix or adequately represented in a risk register (accounting ledger).

Perhaps fewer trade shows, software packages and universal solutions should be considered, and individual, tailored and professional analysis and management applied instead, which was the recommendation and the scientific finding in the first instance.

In short, threat, exposure, vulnerability, control, management and capability vary... so too should your adaptive, specific risk practices and systems, based on your own specific circumstances. Don't act with or like the crowd, no matter the pressure or guarantees of assurance.

I have been researching and analysing these 'enterprise' risk beliefs for a number of years now. It was a key component of my Master of Science (MSc) studies and remains a key chapter of concern throughout my Doctoral Degree. This observation isn't a proxy nor summary of the more academic and empirical view, but it does reflect the accumulated research and perspectives to date. Much of which is buried in the literature, or the authors, findings and research have been 'shunned' by the commercial risk machine and industrial risk profession complex that have created, contributed to and endorsed these fallacies.

The more concerning discovery is that so many of these inadequately researched, flawed concepts and made-up methods/models find their way into government practice and belief too, because public service entities have outsourced so much 'opinion and advice' to consultants and the usual suspects... reintroducing these follies and failures into public governance and policy.


All these examples aren't even constructed or represented by the same actors, or created in the same jurisdiction or a similar social context/timeline. That alone presents not only an ideological problem but a considerable risk modelling issue, hence the metaphors, idioms, tropes and visual attempts to describe this real-world flaw in the practice and belief of many 'risk' systems of management.

Tony Ridley, MSc CSyP FSyI SRMCP

Risk, Security, Safety, Resilience & Management Sciences


"Transformers, Robots in Disguise"
Ossama Ismail

1y

Many Thanks for sharing
