New Insights on ERM Obstacles
Every organization says it wants to get better at managing risk, even though lots of organizations struggle to achieve that goal in practice. Now a new report has flagged some of the possible obstacles to strong risk management, which in turn raises some interesting questions about how risk management teams might overcome said obstacles.
The report, “Enhanced Enterprise Risk Management and Strategic Decision-Making,” comes from the Institute of Internal Auditors and advisory firm Baker Tilly. They polled 567 risk management executives at organizations around the world to ask how mature their ERM functions are, what technology they use to drive ERM, and how well they tie their ERM functions to better decision-making — which is, let’s remember, the whole point of this stuff.
Why should we care about this stuff? Well, because current risk management efforts are a mess these days: too many risks coming from too many directions, with the overlap of those risks not fully clear. So corporations end up spending more time than they’d like simply understanding and taming their risks, rather than working in a more risk-aware environment to, ya know, do whatever it is your organization does.
Most executives know this at an abstract level, and want better technology so they can understand their risks more clearly. They just don’t know how to structure their IT systems and risk management roles to put that abstract idea into practice. So let’s see what this IIA-Baker Tilly report had to say.
(Disclosure: I am also a paid columnist for the IIA. They did not pay me to write this post, nor did I show it to anyone there before publishing it here.)
Frequency of ERM Risk Assessments
Seventy-five percent of respondents to the IIA-Baker Tilly survey said their organization had conducted an enterprise risk assessment at least once in the last three years. That’s somewhat reassuring, except the percentages start to diverge quite a bit when you look at specific types of organization.
For example, among publicly traded companies, only 9 percent hadn’t conducted a risk assessment in the last three years; that’s good. For public sector organizations (read: government agencies with no money), the figure was 27 percent; that’s not good. See Figure 1, below.

Source: IIA
Best practice among internal audit thinkers is that you should do an enterprise risk assessment at least once every three years, and ideally every year. But at the rate modern risks are evolving, I wonder whether even annual risk assessments are enough — or, more accurately, whether we should disassemble the enterprise risk assessment into smaller component parts, some of them done more often and others done less.
I appreciate the risk in that idea: that audit teams might fall into the rote habit of assessing some risks more often than others, without stepping back to consider how all those pieces fit into a bigger picture. But the rate of change for some risks is now so fast, and the potential consequences so severe, that developing the right rhythm for risk assessments is probably one of the most important tasks for audit, compliance, and risk management leaders today.
And when organizations aren’t conducting risk assessments in a timely manner, why not? Don’t die of surprise here, but the leading reasons are insufficient resources and lack of senior management support. See Figure 2, below.

Source: IIA
How to overcome those obstacles? The flippant answer would be to say, “Invest in better technology, it will save you boatloads and give you the answers you need!” Which actually brings us to another interesting point…
From Bad Tech to GRC to AI
Another reason that ERM programs aren’t living up to full potential: most risk management teams still use desktop software tools to track and study risk data, which is a recipe for inefficiency.
Specifically, 59 percent of respondents said they only use desktop software tools to help with ERM processes; the rest used some sort of GRC tool, whether from a vendor (21 percent) or something concocted by the in-house IT team (20 percent). Again, percentages differed substantially depending on the type of organization, with public-sector organizations trailing way behind on ERM maturity. See Figure 3, below.

Source: IIA
This is typically where GRC software vendors say, “See, there’s huge potential for you to improve your ERM! All you need to do is buy our tech!” and the rest of us mutter, “Sure, like you were going to say anything else.”
In this instance, however, the GRC cheerleaders might have a point. If your ERM processes are stuck and scattered among Word documents, Excel spreadsheets, and email archives — could clever use of artificial intelligence be the way forward here?
After all, the AI vendors all say this is exactly what artificial intelligence was born to do. You feed it all your unstructured data trapped in those desktop software tools, layer some sort of generative AI interface on top of it, and then the AI can give you all the risk insights you want. Complete with charts, graphics, and other information you might want to put into a report to management.
My point is simply that the rapid evolution of AI might allow ERM laggards to leapfrog over the “traditional” GRC technology that’s been around for 10 or 15 years, straight to AI-driven risk management. That’s why every GRC vendor you meet now claims that they are embedding AI into their products. Some of them might even be telling the truth.
Apparently there is room for this leapfrog forward, too. Sixty percent of respondents to the IIA-Baker Tilly survey said they don’t use AI at all right now for risk management; another 31 percent said they use AI only on an ad hoc, informal basis, which probably means they just use ChatGPT when nobody’s looking. That leaves tremendous room for future adoption of AI in risk management.
So another challenge for internal audit and risk managers in coming years (in addition to risk assessments, discussed above) is figuring out how AI will fit into your technology investment strategies.
You can’t avoid AI, really; every vendor you encounter will be offering it, including Microsoft, Google, and other makers of desktop software tools you use. Nor should any risk management leader want to avoid AI; it has fantastic potential. But AI also brings many thorny questions about AI governance, data management, and personnel restructuring that will need answers too.