
The Seven Deadly Sins of

Enterprise Risk Management


and How to Avoid Them
by frank edelblut

Contents

- Preface
- Background
- Vision
- Organization
- Support 10
- Bottom-Up 12
- Confusion 14
- Complexity 16
- Endgame 18
- Conclusion

Preface

Enterprise risk management: you've heard the phrase, possibly sat through a presentation or two on the subject. Perhaps you've even tried to implement it. Many organizations have been down this road already, some successfully and some not as successfully. However, you do not need to make the same mistakes as those who have gone before. In this paper we will highlight some of the more egregious errors others have made and the traps they have fallen into.
The Seven Deadly Sins of ERM

Background

Many point to the September 2004 work by the Committee of Sponsoring Organizations (COSO), Enterprise Risk Management Integrated Framework, as the starting point for enterprise risk management (ERM). Certainly this was and remains an important work, one that has contributed significantly toward the advancement of the ERM agenda. Others mark the origin of enterprise risk management back in the 1970s along with the development of various management theories. Yet another perspective is that risk management is one of those "nothing new under the sun" topics; organizations were managing risk even before the early barter transactions when Rome traded olive oil and wine for lead, marble and leather from the Carthaginians.

Whether you view ERM as a recent development or not, it is clear that organizations have been managing risk (some better than others) forever! Anyone involved in line management has been making risk-based decisions on a daily basis. Recent developments in business have certainly brought the discussion of ERM to the forefront, but at its most basic level, risk management has always been part of the fabric of an organization.

We have all observed the pop-culture phenomenon that takes place when something or someone suddenly makes it big. In the new place of prominence, some handle the pressure of the limelight well. Others buy expensive toys and trade significant others as though they were baseball cards. Like these people and ideas that suddenly make it big time, ERM is at risk of becoming just another fad.

Consultants and academics alike have jumped into the ERM pool with both feet, increasing the possibility that ERM will lose its way. How does this happen? In an effort to productize ERM, consultants overengineer and complicate it to the point where it loses its true value proposition. Many leaders already recognize this and cringe at the thought of trying to tackle the subject. While business leaders perceive the inherent value of a structured approach to managing risk, they fear the consultant-speak that offers incredible promises but is likely to disappoint, based on experience.

However, it doesn't need to be this way. Many companies have successfully captured the benefits of ERM without empty activity that fails to deliver value. Whether you have already been disappointed or you are just now investigating ERM, you should look at the seven deadly sins of ERM. We'll attempt to help you sort through the mistakes others have made so that your ERM effort will remain on track.

Lack of a Clear Vision

One of the earliest mistakes that organizations make in their ERM initiatives is also one of the most common. And the frustrating aspect is that it is not unique to an ERM program but is a key component of any significant project: a clear vision for the effort.

This mistake manifests itself in subtle ways. One Fortune 500 organization kicked off its ERM work because of increasing shareholder and stakeholder expectations. Another company, a large utility that had suffered a significant and highly public loss, needed to respond and demonstrate that they were doing something. The result was the initiation of an ERM effort.

Their activities were not designed to improve the business, but to respond to external pressure to act. Stakeholders are not the only source of pressure; it is clear that regulators are playing an increasing role in driving ERM. Companies listed on the New York Stock Exchange know well the current listing standards that require audit committees to discuss policies with respect to risk assessment and risk management. These same requirements further state that "it is the job of the CEO and senior management to assess and manage the company's exposure to risk."[1]

[1] NYSE Listed Company Manual; Modified 11/03/04; Section 303A.00 Corporate Governance Standards; 303A.07 Audit Committee Additional Requirements.

External pressure will not subside anytime soon, as rating agencies and regulators alike are eyeing ERM to help them assess the organizations they oversee. Standard & Poor's (S&P) has already introduced ERM analysis into the corporate credit rating process, though as yet it is unclear how the information will be used.

While it is important to understand and meet external expectations and to address crises when they occur, these knee-jerk responses do not bode well for long-term, value-adding and sustained ERM. We have seen the effect on ERM initiatives that were started to meet external expectations. Even companies that begin these projects with enthusiasm (which is not always the case) often find that a competing expectation or another crisis develops. The result is that the ERM effort evolves into a rote exercise failing to deliver on the promises and expectations of the initial work.

Management must have its own vision for ERM, one that is unique to the organization. The vision must be sustainable and focused on long-term value creation.

Building Unnecessary Organization, Function and Process

While lack of a vision for the ERM effort is the number-one reason why it fails to deliver on its promises, building unnecessary organization, function and process is a close second. As we discussed in the introduction to this paper, organizations have been managing risk all along.

While it is true that some have been doing this better than others, each one has been managing risk at some level. Everything you need for an effective ERM initiative already exists in your organization. There's no need to overcomplicate matters by rebuilding what you already have.

By not recognizing this, however, many companies launch into ERM by building new organization, function and process. At a large pharmaceutical company this resulted in the creation of a new risk management function. One Fortune 500 company described its reliance on a team of dedicated staff responsible for ERM and the development of new monthly, quarterly and annual reporting mechanisms. At this same organization, they described the continual challenge of making sure that the effort did not simply result in additional work for the field, a danger they readily recognized. Another organization described its goal of adding ERM to existing processes within the company.

In each of these examples, the underlying assumption was that risk management was a new activity to be added to the cost structure or something to be added to existing workloads. If one starts instead with the assumption that risk management already exists in the organization, then you will approach the project from a different perspective.

While in many cases it may be appropriate to create ERM functions and new process, if you start from that premise, you will undoubtedly add redundant function and process and cost to the organization. To avoid this you need to start with the assumption you already have many risk management activities embedded in your organization.

Rather than trying to determine what new function or process to create, you can start with identifying the risk management activities already in place within your organization. Once there is a good understanding of the current activities, then good decisions can be made as to the effectiveness of those activities and the need for any further infrastructure to connect them into an enterprise-wide and coordinated effort.

Lack of Support from Leaders

It almost seems silly to mention this because all of us recognize its importance in anything significant we undertake, but another common mistake is lack of leadership support for the effort.

Enterprise risk management activities are inherently influenced by the Risk Philosophy and Risk Appetite of an organization. Definitions for both of these terms come from the leadership of an organization. Some leaders have been deliberate in articulating the Risk Philosophy and Risk Appetite, while others hope that through osmosis the concepts will filter down and be understood by all. In any case, however, the leaders are influencing this whether they know it or not. If it is not self-evident, it is better to be deliberate about making certain that everyone is on the same page with respect to these key concepts.

Risk and risk management exist across the organization and at all levels. Risk does not discriminate between good performers and poor performers and is not influenced by management credentials or lack thereof. An effective ERM program eventually needs to be implemented across the entire organization. Without strong leadership support that aligns the organization around common Risk Philosophy and Risk Appetite definitions, there will not be a consistent perspective on or response to risk.

Bottom-up Approach

It must have something to do with the personalities of auditors and their love of detail. In spite of the obvious pain it was causing, most Sarbanes-Oxley compliance projects in the early years were worked from the most granular detail on up. Not surprisingly, many ERM efforts run by auditors have taken the same bottom-up approach, souring the experience for many who are still sensitive and wary of company-wide initiatives coming from the finance organization.
One B2B products company described its early approach in this way. The first step was to create a Risk Model and deploy an online risk identification survey to identify the top risks. This produced a large list of potential risks that might face the organization, which was followed by a two-day workshop with executive management to further understand and evaluate the core business risks. In addition, face-to-face interviews were conducted with executive management.

Another organization described its efforts as a bottom-up survey of risks, which were then entered into logs used for tracking. The auditors regularly went back to the organization to refresh the risk universe. The result was a list of over 2,000 monitored risks.

Driving this approach is the classic risk question asked by auditors around the world: "What could go wrong?" or, alternatively, "What keeps you up at night?"

The important mistake to avoid here can be illustrated, again, by a familiar Sarbanes-Oxley experience. Through a bottom-up approach to identification of Internal Control over Financial Reporting (ICFR), the population of key controls grew disproportionately to the objectives of ICFR. Simply stated, most organizations identified too many controls; in later years, applying a top-down approach, they were able to reduce the number. Had a top-down approach been applied from the beginning, only the most important controls directly connected to the objectives of ICFR would have been included.

Now apply the principle to ERM. By taking a bottom-up approach, organizations are including many risks that may or may not actually manifest themselves in the business. Companies are incurring inordinate costs to identify, log, assess and monitor risks that are unlikely to occur or cannot be mitigated.

The fundamental flaw here is a failure to apply the COSO approach. The objective of ERM is to help organizations meet their stated objectives. This is accomplished by managing the risk that might prevent the achievement of the objectives. Thus, a top-down COSO approach starts with the objectives, not with the risks. We have discovered a simple but effective way to accomplish this, and it lies in the question asked. Rather than asking "What might go wrong?", consider asking "What must go right in order for the company to achieve its objectives?"

In a conversation with an executive of a large waste management company, he identified the greatest risk to his future as the failure to execute against his strategy. By asking the question "What must go right?" we are more clearly able to identify those activities that must affirmatively happen in order to meet the strategic objectives of the company. Asking the question "What might go wrong?" may lead you to the correct risk, but it will almost certainly also add risks that are not directly connected to achievement of strategic objectives.

Risk Confusion

When first entering the arena of ERM, you are bombarded by new nomenclature, the most prevalent of which is the word "risk" followed by something: Risk Philosophy, Risk Appetite, Risk Tolerance, Risk Assessment and Risk Response, to name but a few. (I also recently heard a new term, "Risk Environment.")

The mistakes that organizations make with respect to these terms are twofold.

The first is failing to recognize that these are not interchangeable terms that can take on any definition we want them to have. Each has specific meaning in the context of COSO ERM. Each plays an important role in ERM, yet many people substitute one for the other, either out of ignorance or lack of care. That brings me to the second mistake. Each of these terms needs to be defined and agreement reached within the organization as to how they will be used. We've all been in meetings where the person using a term means one thing and the hearers understand something different. Without a common language, miscommunication will be inevitable, resulting in wasted time, effort and resources for your company.

Consultants and other outside organizations are complicit in adding to this lexicon confusion. For example, one of the questions posed by S&P with respect to ERM is: "Is there a statement of risk appetite or risk tolerance?"[2] Without a strong understanding of COSO ERM, one might not recognize how this question goes astray.

[2] Standard & Poor's; "S&P Extends Comment Period On Enterprise Risk Management Analysis For Nonfinancial Co. Ratings"; January 14, 2008; page 2.

While both Risk Appetite and Risk Tolerance deal with the amount of risk an entity is willing to accept, they are different concepts which in practice do not comingle as easily as S&P has implied here. Risk Appetite is a component of a company's internal environment and a higher level statement that considers broadly "the levels of risks that management deems acceptable."[3] Risk Tolerance, however, is a component of objective setting in the COSO model, reflecting the measure put in place to determine achievement of specific strategic objectives. Risk tolerances "are more narrow and set the acceptable level of variation around [specific] objectives."[4] While it could be possible to distill a single Risk Appetite statement, Risk Tolerance can only be expressed in the context of a specific strategic objective. A company may have one Risk Appetite statement but would have many Risk Tolerance statements in support of its multiple objectives. So, you can see it makes no sense to ask "Is there a statement of risk tolerance?"

[3] COSO; FAQs for COSO's Enterprise Risk Management Integrated Framework, point C1; http://www.coso.org/erm-faqs.htm.

[4] Ibid.

Overly Complex Risk Assessment

Once the important risk events have been identified, some type of
prioritization is required to allow the organization to allocate finite
resources to the most important areas. We see two common mistakes
in the Risk Assessment process that are closely related.

The first deals with complexity in the quantitative analysis of risk events. And, it is not so much the complexity, but rather the perception that by using a complex approach to assessing risk, the outcome will somehow be better. The reality, however, is that management qualitatively has a good sense for risk (remember that they have been managing it all along). The result we have seen is management simply manipulating the quantitative models to render the outcome they expect. While this manipulation does generally result in the correct risk assessment, why create the perception of quantitative analysis if the end result is qualitative?

The second mistake is making Risk Assessment the most important part of the process. One energy company described Risk Assessment as the foundation for its whole ERM process, and another described it as the building blocks. The result of this imbalanced approach is a disproportionate allocation of resources and time to the assessment effort and the potential for quarreling among management on the correct prioritization. While time spent on important aspects of ERM is cut short, significant time is spent determining the likelihood and significance of each risk event.

The discussion ensues something like this: "I think it is a 3"; "No, I think it is closer to 3.5" (on a scale of 1 to 5, of course). Interestingly, many of these discussions about likelihood and significance fail to incorporate a holistic view of the company. Little recognition is given to an organization's relevant experience and capability to respond to a specific risk event. An event may be both likely and significant, but if an organization has dealt successfully with the same or a similar issue many times in the past, the residual risk (risk left over after considering this history) could be low, changing the response that management might make.

Any prioritization of risk must recognize the importance of management's qualitative input. When using a "What must go right?" approach (discussed under the point on Bottom-up Approach above) and considering the organization's capacity to respond to the event along with likelihood and significance, it is easier to come more quickly to effective assessment of the risk and allocation of valuable resources.

Making ERM the Endgame

COSO guidance puts it this way: "Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way."[5] The common and understandable mistake made by many organizations today is to allow ERM to take a higher priority than it should. ERM should support an organization's ability to get where it wants to go or meet its strategic objectives. Often, however, ERM is playing too important a role, either alongside strategy and objective setting or, in some extreme cases, trumping strategy and objective setting.

In a recent association meeting of company directors, including audit committee members, there was near-unanimous agreement that they are contributing more and more hours to the companies they serve. However, less time is spent now on strategy and objective setting and more time is spent on issues of compliance and risk. If, in times past, the ratio of working on company objectives versus compliance issues was 80%/20%, today it is the reverse. ERM is contributing to that. Properly deployed, ERM should support and help ensure achievement of strategic objectives. It cannot become an objective unto itself, which is the trap that many companies fall into. One products company described it this way: "Whereas some organizations establish ERM as a separate function, with its own set of priorities and action plans, we decided to link the ERM process to our strategic planning processes."

[5] COSO; Enterprise Risk Management Integrated Framework, Executive Summary; September 2004; page 1.

Conclusion

ERM has the capacity to deliver exceptional value back to an organization that effectively deploys the COSO methodology. Yet even the COSO methodology can seem or become complex and convoluted in its application. The result is that you may make the mistakes we have described here: the seven deadly sins.

To be effective, ERM must start with a big-picture perspective, through which we define the environment into which any ERM effort will fall. COSO refers to this as the Internal Environment, and it includes the concepts of Risk Philosophy, Risk Appetite and the all-important Entity Level Controls we spent so much time on during our Sarbanes-Oxley compliance work. Within this Internal Environment we can build an effective ERM program.

ERM must start with the organizational objectives: what, as an organization, we are trying to achieve. Knowing that gives us the goal. We then need to define our Risk Tolerance, which, as described above, is nothing more than the performance measures that tell us whether we have met our stated organizational objectives.

Moving on from Risk Tolerance, we must identify the events that are most important to achievement of our objectives within the Risk Tolerance: the "What must go right?" question. This is followed up with the oversight aspects of ERM and links the system of internal control of an organization to the achievement of its organizational objectives. Oversight includes the control activities we put in place to make sure that what must go right actually does. These controls feed information into the organization about events, and the information is monitored to ensure an effective response to nonconforming events.

Reactions from the marketplace are mixed as to the efficacy of ERM. All agree on the value of managing risk, but many have become disillusioned through consultant-speak on the topic that promises value but fails to deliver. Much of that failure stems from these seven deadly sins of ERM: mistakes made by real companies that have caused their ERM programs to come up short. You can learn from them and understand them so that you don't have to make the same mistakes. The key is to keep your ERM efforts simple and focused.

About the Author

Frank Edelblut is chief executive officer of Control Solutions International, a leading global provider of independent internal audit, compliance, risk management and technology solutions.

He is the creator of the OREO COSO-based ERM methodology, which has been titled by some as "ERM Made Simple." Using a simple and practical approach, he has captured the essence of COSO ERM in a way that no one else has. One consumer products company that had been working with a Big Four methodology for two years stated, after understanding OREO, "This is what we have been looking for and what has been eluding us for the past two years. We have built so much process and infrastructure using the [Big Four] model, but we are no closer to managing our risk than we were before we started."

The leading global risk and control solutions advisory firm.

www.controlsolutions.com

2008 Control Solutions International, Inc. All rights reserved. Control Solutions International, Control Solutions, the Control Solutions logo, Experience, the Difference, Foundations of Improvement, SOXlite, OREO and OBRA are trademarks or registered trademarks or service marks of Control Solutions International, Inc., in the United States or other countries. All other trademarks mentioned herein are the property of their respective owners. The information contained herein is subject to change without notice. Control Solutions is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

AP6610L