170 pitfalls for ERM in Europe

Inspired by the book “Enterprise Risk Management in Europe”, edited by Marco Maffei

What is it about? It is about the implementation of ERM in organizations in Europe, which is accompanied by a number of obstacles; hence there are pitfalls in the implementation of ERM in Europe.

The practice-oriented definition of risk management that is used is as follows:

“Risk management consists of active and intrusive processes that:

  • Are capable of challenging existing assumptions about the world within and outside the organization;
  • Communicate risk information with the use of distinct tools (such as risk maps, stress tests, and scenarios);
  • Collectively address gaps in the control of risks that other control functions (such as internal audit and other boundary controls) leave unaddressed; and in doing so
  • Complement – but do not displace – existing management control practices.”

The book is a study of exactly that. Each of the first 13 chapters is about the situation in one country, followed by two reflective chapters about the countries. The countries concerned are: France, Germany, Greece, Italy, Lithuania, Netherlands, Norway, Poland, Portugal, Spain, Sweden, Switzerland and the United Kingdom.

Finally, a summary is given in academic style, organized in a number of hierarchies.

But what seems really important to me are the identified lessons, which give insight into what can cause ERM to go wrong.

The identified lessons that tell why ERM can go wrong are listed in the accompanying Excel sheet. This can be used as a kind of attention list for the (further) expansion of ERM.

Implementing Enterprise Risk Management

Editors: Fraser, Simkins and Narvaez

This 650-page book is intended as a textbook / exercise book, which I believe can be used in a Bachelor’s program in Enterprise Risk Management. It consists of 35 chapters, actually 35 stories, each of which concludes with a questionnaire to guide a discussion by a team of students. It is accompanied by another book, namely “Enterprise Risk Management – today’s leading research and best practices for tomorrow’s executives”, which is the associated theory book.

Does this mean you have to read the theory book first? Not if you already have a good basic knowledge of ERM.

The following items from this book are most memorable to me:

  • The PAPA model of LEGO: Park, Adapt, Prepare and Act. The aim is to determine the overarching strategic response based on how quickly things change in a scenario, set against the probability that the scenario occurs.
  • The determination of the Risk Appetite based on 7 questions:

    1. How much risk do we think we take now? (Risk perception)
    2. How much risk do we actually take? What evidence do we have? (Risk exposure)
    3. How much risk do we usually like to take? If this is less than under point 1, then we do not feel comfortable. (Risk propensity / culture)
    4. How much risk can we safely take on? (Risk capacity) This must be greater than under points 1, 2 and 3.
    5. How much risk do we think we should take? (Risk attitude)
    6. How much risk do we actually want to take? (Risk appetite)
    7. How can we implement measures and limits within the processes, products and business units to ensure that our total risk appetite is not exceeded? (Risk limits)

  • What UW (University of Washington) decided about their ERM Model:

    • Assess the risks in the context of the strategic objectives, and identify the interrelation of risk factors throughout the institution, not just for each function exercised.
    • Handle all types of risks: compliance, financial, operational, and strategic.
    • Grow a general awareness that allows individuals to focus their attention on risks with a strategic impact.
    • Improve and reinforce UW’s culture of compliance, while protecting the decentralized, collaborative, entrepreneurial orientation of the institution.

  • The three lines of defense of TD Bank: 1) the business and the accountants, 2) the functions that set standards and challenge the business to improve its governance, its risk and control groups, and its responsibilities and accountabilities, and 3) an independent internal audit.
  • The ERM objectives of Zurich Insurance Group:

    • Protect the basic capital so that the risks that are taken do not exceed the risk tolerance.
    • Improve the value creation and contribute to an optimal risk / return profile.
    • Support decision-makers with consistent, timely and correct information about the risks.
    • Protect the reputation and brand through a healthy culture of risk awareness and disciplined, informed risk-taking.

This is just a small sample of the valuable examples that the book presents.

Practical Enterprise Risk Management

Author: Gregory H. Duckert

The book builds logically from corporate governance and points out a number of shortcomings there, mainly in system implementation. Then the actual story of risk and ERM begins. Here the author rails against everything that rests on a subjective assessment of likelihood and impact and the conclusions drawn from it. He swears by cold facts and data. In this way he arrives at the idea that risk assessment is about management, with risk management as an indispensable tool. After an overview of the types of risks, he shows how we should perceive risks objectively. He describes a data-centred model in which it is possible to keep track of all data in the company and to benchmark your own company. By introducing KRIs (key risk indicators) instead of KPIs (key performance indicators), linked to the outcome of the processes rather than to the output, and by applying a number of analysis techniques such as trends, ratios and thresholds, it is possible to build up historical data and to find the triggers of things that go wrong, using root-cause analysis. Measures can then be defined and implemented.

In addition, this data can be fed into useful tools, so that the right KRIs are presented neatly at the right level at meetings throughout the organization. In doing so, he provides a handle on how to bring risk management to the board of directors.
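To make the KRI idea concrete, here is an added example (not code from Duckert’s book or from this review) of the three analysis techniques named above applied to historical outcome data: a ratio KRI, a fixed threshold, and a trend test over a rolling window. The outcome series (late-paid invoices per month), the 10 % limit, the 4-period window and the slope limit are all constructed assumptions chosen for illustration.

```python
"""KRI evaluation on historical process-outcome data (constructed example).

The KRI is derived from an *outcome* of a process (invoices paid late) rather
than from its output (invoices processed). Three techniques are applied:
a ratio, a fixed threshold, and a least-squares trend over a rolling window.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Observation:
    period: str   # reporting period, e.g. "2023-01"
    total: int    # invoices processed in the period (the output)
    late: int     # invoices paid after the due date (the outcome)


@dataclass(frozen=True)
class Trigger:
    period: str
    kind: str     # "threshold" or "trend"
    value: float  # the KRI ratio or the slope that fired the trigger
    detail: str


def ratio_kri(obs: Observation) -> float:
    """Ratio KRI: share of late invoices; 0.0 when nothing was processed."""
    return obs.late / obs.total if obs.total else 0.0


def slope(values) -> float:
    """Least-squares slope of a series against its index (change per period)."""
    n = len(values)
    if n < 2:
        return 0.0
    xs = range(n)
    x_mean, y_mean = mean(xs), mean(values)
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, values))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den


def evaluate_kri(history, threshold=0.10, window=4, max_slope=0.005):
    """Walk the history in order and emit a trigger when the ratio KRI
    breaches its threshold, or when its trend over the last `window`
    periods rises faster than `max_slope` per period. The trend test is
    the early warning: it fires before the absolute limit is reached, which
    is when root-cause analysis is still cheap."""
    triggers = []
    ratios = []
    for obs in history:
        r = ratio_kri(obs)
        ratios.append(r)
        if r > threshold:
            triggers.append(Trigger(obs.period, "threshold", round(r, 4),
                                    f"late ratio {r:.1%} exceeds limit {threshold:.0%}"))
        if len(ratios) >= window:
            s = slope(ratios[-window:])
            if s > max_slope:
                triggers.append(Trigger(obs.period, "trend", round(s, 4),
                                        f"late ratio rising {s:.2%} per period "
                                        f"over the last {window} periods"))
    return triggers


# Constructed sample history (not real data): a gradual deterioration that
# ends in a breach. The trend trigger fires two periods before the threshold.
SAMPLE_HISTORY = [
    Observation("2023-01", 1000, 40),
    Observation("2023-02", 1000, 45),
    Observation("2023-03", 1000, 55),
    Observation("2023-04", 1000, 70),
    Observation("2023-05", 1000, 90),
    Observation("2023-06", 1000, 120),
]


if __name__ == "__main__":
    for t in evaluate_kri(SAMPLE_HISTORY):
        print(f"{t.period} [{t.kind}] {t.detail}")
```

Run as a script it lists one line per trigger; the first two are trend warnings for 2023-04 and 2023-05, and only 2023-06 reports the threshold breach. The separation between the absolute limit (question 7 of the risk appetite list above: a risk limit) and the trend warning (the early signal) is the design point: the limit says when you are outside appetite, the trend says when you are heading there.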

In the penultimate chapter, the author discusses the phenomenon of outsourcing and a selected number of risks at its various stages. It is therefore not surprising that he considers, for example, the outsourcing of IT a bad thing; according to him IT is a core business of the company, because everything depends on it.

The author concludes the book with the ownership of ERM. It is essential to know that everyone contributes; everyone has a role to play in one way or another.