Friday, March 7, 2008

Enterprise Risk Management

I wouldn't recommend pursuing Enterprise Risk Management as the best or most serious way of "doing" risk management.

Humphrey's Capability Maturity Model (CMM) forms the theoretical basis for ERM. According to Wikipedia, "CMM was originally intended as a tool for objectively assessing the ability of government contractors' processes to perform a contracted software project." According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), ERM "is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." The success to date of CMM and ERM is mixed.

In my opinion, ERM, as currently marketed by management consulting firms, is an ill-conceived and overly simplistic attempt at "risk management." For example, consider the concept of "risk appetite." This is a nebulous concept that, if you think about it, doesn't make sense. Why would anyone want any "appetite" for risk? In essence, risk appetite analysis is a soft method for determining preferences that can be more accurately estimated by more robust methods.

Instead, I'd recommend thinking about risk management as preferences for risk-cost-benefit combinations. For example, in risk-cost-benefit analysis (RCBA), you can follow a straightforward procedure as follows:

1. List adverse consequences (C) given certain operations or technologies
2. Estimate the probabilities of occurrence for each C
3. Estimate the costs associated with each C
4. Calculate the expected losses for each C
5. Calculate the total expected losses to which you're subject as the sum of the expected loss for each C for each operation and technology
6. Repeat steps 1 to 5 for benefits (B)
7. If (B – C) is positive, the operation or technology is feasible. (For the overall entity, of course, Total B - Total C must be positive to ensure survival.)

7. gives you a method for examining operations and technologies that need to be scrutinized. These can be tweaked, eliminated, transferred to others, etc. Importantly, RCBA also readily displays its weaknesses. For example,

1. It is impossible to enumerate all of the benefits or costs of one's operations and technologies
2. It is impossible to assign an appropriate value to these benefits and costs (e.g., the value-to-life problem)
3. It is impossible to align benefits and costs fully to a common metric (i.e., the commensurability problem)
4. It is difficult to reconcile one's needs and values with utility maximization
5. It is difficult to reconcile with the concepts of social and ecological justice

Many standards bodies incorporate concepts such as ERM. However, this doesn't make such concepts correct or even useful. It simply makes them trendy (and, sometimes, a regulatory burden). Many decision and risk analysis methods are better developed and more technically sound.

No comments: