ERM is nothing but Noise
Enterprise Risk Management (ERM) has become a popular management fad as more companies and oversight professionals seek ways to manage a growing portfolio of risks. As the market for ERM has grown, a cottage industry has emerged alongside it, with pundits, consultants and even the professional accounting firms hanging out shingles to promote an array of solutions.
Governance, Risk and Compliance (GRC), a category of modular software platforms, has also emerged alongside ERM as a way to administer the risks captured in virtual organizational inventories. However, as ERM and GRC have grown in tandem, a new risk has emerged undetected in every organization that professes to have adopted these solutions. That risk is noise.
The problem with noise is that it is a risk that goes unnoticed by members of the board of directors and is seldom, if ever, evaluated. Noise is the biggest contributor to bureaucracy, risk, inefficiency and cost, and that cost grows at or above the rate of inflation.[1][2][3][4][5][6][7]
The cited market reports demonstrate one facet of the problem: the revenue growth of GRC solution providers and of the many ERM consulting firms runs at roughly double today's elevated inflation rate, depending on which report you read. That spending is a cost to organizational performance, not a contribution to it. Noise adds complexity and hides serious risk from oversight.
What are companies getting for ERM and GRC that is a reasonable return on these investments?
This is one of the questions that has gone unasked and unanswered, both among risk managers and among members of the board of directors. It is remarkable that corporate oversight groups make huge investments in "solutions" but cannot say what they get as a reasonable return. The answer is simple: they get noise. So what is noise, and why is it such a problem?
Everyone understands that noise in data is bad, right? But there is more to the story. Researchers Daniel Kahneman, Olivier Sibony and Cass R. Sunstein dedicated an entire book, Noise: A Flaw in Human Judgment, to the problem of noise in organizational decision-making.
The authors evaluated the impact of noise in judicial sentencing, in insurance underwriting and in other industries, and concluded that noise is prevalent wherever subjective judgment is the primary method of deciding.
This finding may not seem significant on the surface, but trillions of dollars and countless lives depend on individuals making the right judgments every day. Yet few, if any, organizations have chosen to analyze the noise that exists in their own decisions.
The authors describe noise and bias as flaws in human judgment. Bias feeds noise when organizations blindly follow what others are doing without understanding the error in that judgment. Unfortunately, these errors are costly and they accumulate; a bad decision is not cancelled out by the better ones around it. Think of the cost of legacy systems, of failed business projects, and of the disruption of constant change caused by poor planning.
Imagine seeking a cure for a deadly virus based solely on the advice of a consultant.
ERM as practised today is built on gathering a great deal of noise. What is the noise in ERM? Between 70% and 85% of the risk resources (audit, risk, compliance, cybersecurity) are spent evaluating known risks. Call these risks the standard deviation: the bulk of the distribution, the events that sit within a standard deviation of the norm. Most of these "risks" are in reality poor workflow design, poor communication and operational inefficiency.
These risks represent the small, recurring events that have been accepted as the cost of business. Organizations dutifully fill their risk inventories up with these risks and massage them through audits, risk assessments and report them to the board with minor changes that reflect new risks that pop up occasionally.
Over time a false sense of security develops that controls are operating effectively and that the noise is managed. Most organizations have chosen not to mitigate these risks because they have accepted them as business as usual and assume that nothing can be done, or that fixing them would cost too much.
As the business grows, these risks grow with it, and the cost of administering them grows faster than inflation. Each year new risks are added to the risk inventory (but seldom removed), increasing bureaucracy and administrative cost while contributing little or no return on the solutions bought to manage them. The rising cost of administration includes the raises, bonuses, consulting fees and software license fees embedded in the oversight functions.
If that were not bad enough, the real threats to organizational performance go unaddressed, primarily because everyone is distracted by the noise and busy "managing" risk. The remaining 15% to 30% of risks, the impactful ones, typically sit in the tails of the distribution, but few if any risk professionals have the time or the tools to mitigate them because they are too busy with non-material risks.
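As an added illustration (this is not code from the original article or its author), the following Python snippet uses a constructed risk register, with made-up frequencies, per-event losses and effort shares, to put the 70-85% versus 15-30% split into numbers: where the hours go versus where the expected annual loss actually sits. The cut between "body" and "tail" at one expected occurrence per year, and the treatment of rare events as independent Poisson arrivals, are assumptions made here, not claims the article makes.

```python
"""Added example (not from the original article): a constructed risk
register showing how effort allocated by frequency misses the tail.

Every entry below is made up for illustration. Frequency is the expected
number of occurrences per year, loss is the typical cost per occurrence,
and effort_share is the fraction of the risk function's hours spent on it.
"""
import math

# Constructed register: frequent, low-severity "noise" items first, then
# the rare, high-severity tail items. All numbers are illustrative.
REGISTER = [
    # name,                             freq/yr, loss per event, effort share
    ("Late expense reports",             200.0,          50.0,   0.30),
    ("Password reset tickets",          1500.0,          20.0,   0.20),
    ("Vendor invoice mismatches",        300.0,         150.0,   0.15),
    ("Minor access-review findings",     120.0,         400.0,   0.15),
    ("Ransomware on the core ERP",         0.05,  8_000_000.0,   0.05),
    ("Critical supplier insolvency",       0.10,  3_000_000.0,   0.05),
    ("Regulatory enforcement action",      0.02, 20_000_000.0,   0.10),
]


def expected_annual_loss(item):
    """Expected annual loss of one register entry (frequency x severity)."""
    _name, freq, loss, _effort = item
    return freq * loss


def split_register(register, freq_threshold=1.0):
    """Split into the 'body' (expected at least once a year) and the 'tail'
    (expected less than once a year). The threshold is an assumption."""
    body = [r for r in register if r[1] >= freq_threshold]
    tail = [r for r in register if r[1] < freq_threshold]
    return body, tail


def allocation_gap(register, freq_threshold=1.0):
    """Compare where the hours go with where the expected loss sits.

    Returns, for the body and for the tail, the share of total expected
    annual loss and the share of total effort."""
    body, tail = split_register(register, freq_threshold)
    total_loss = sum(expected_annual_loss(r) for r in register)
    total_effort = sum(r[3] for r in register)

    def shares(items):
        loss = sum(expected_annual_loss(r) for r in items) / total_loss
        effort = sum(r[3] for r in items) / total_effort
        return {"loss_share": loss, "effort_share": effort}

    return {"body": shares(body), "tail": shares(tail)}


def prob_any_tail_event(register, freq_threshold=1.0):
    """Probability that at least one tail event occurs in a year, treating
    occurrences as independent Poisson arrivals with the listed rates
    (an assumption, not part of the article)."""
    _body, tail = split_register(register, freq_threshold)
    rate = sum(r[1] for r in tail)
    return 1.0 - math.exp(-rate)


if __name__ == "__main__":
    gap = allocation_gap(REGISTER)
    for part in ("body", "tail"):
        print(f"{part}: {gap[part]['loss_share']:.1%} of expected loss, "
              f"{gap[part]['effort_share']:.1%} of effort")
    print(f"P(at least one tail event this year) = "
          f"{prob_any_tail_event(REGISTER):.1%}")
```

With these constructed figures the body of the register absorbs 80% of the effort but carries only about 11% of the expected annual loss, while the three tail items carry about 89% of it on 20% of the effort; and with a combined rate of 0.17 events per year there is roughly a one-in-six chance of at least one tail event in any given year. The point is not the particular numbers but the check itself: weighting a register by frequency times severity instead of by count is a quick way to see whether the hours are following the noise.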
This process creates an endless cycle that repeats itself until a massive surprise, loss or error jolts the organization into the realization that these hidden risks were ignored while growing in lockstep with the less important ones.
The lesson is: do not take comfort in the "maturity" of your risk program or in the "adoption" of a best practice in risk management. Business changes at the speed of technology and data, in ways that do not account for noise. If you are a member of the board of directors, the noise in your business is present, but you do not know it, because everyone tells you they have evaluated the risk and the controls are working effectively. Until they aren't.
James Bone is a cognitive risk consultant and risk researcher for the Cognitive Risk Institute (GRCIndex), founder of the first cognitive risk framework for ERM and cybersecurity, and author of Cognitive Risk and Cognitive Hack: The New Battleground in Cybersecurity and ERM. jbone@grc-index.org, www.grc-index.org.
[1] https://www.mordorintelligence.com/industry-reports/cyber-security-market
[2] https://cybersecurityventures.com/cybersecurity-spending-2021-2025/
[3] https://www.fortunebusinessinsights.com/industry-reports/cyber-security-market-101165
[4] https://www.marketwatch.com/press-release/grc-software-market-growth-2022-top-key-players-analysis-regional-segments-business-strategy-cagr-value-industry-size-and-revenue-trends-forecast-to-2029-2022-05-24
[5] https://www.idc.com/getdoc.jsp?containerId=prUS48171921
[6] https://www.statista.com/statistics/250479/big-four-accounting-firms-global-revenue/
[7] https://www.wsj.com/articles/big-four-firms-ey-deloitte-report-higher-revenue-11631222772