ERM: Where to go from here

Why new tools are needed to help companies properly assess risks and opportunities

During the past decade, many corporations have embraced enterprise risk management (ERM) processes to identify and prioritize risk. The prioritization of risk is typically done through “heat maps” showing which risks are most likely and which may have the most severe consequences.

Effective ERM processes force an integrated consideration of risk, looking beyond single projects and departments. They take into account strategic, operational, financial, regulatory, environmental, and human issues. They involve the development of mitigation strategies, clarification of risk management responsibilities, sharing of best practices, and periodic monitoring and reassessment.

The problem is that current ERM processes, while useful, are primitive. The profession must do a better job of managing all kinds of risks, correcting for common risk-related misconceptions, and quantifying risk exposures.


Risk management involves weighing bad risks and good risks. Bad risks are events that a company wants to avoid, if possible, at a reasonable cost. Good risks arise from opportunities companies must seize to grow and prosper.

Standard ERM processes are reasonably effective at identifying and prioritizing bad risks. But they are much less effective at managing good risks. And that can make it difficult for executives to accurately determine a company’s risk appetite and manage their risks to stay within it.

The risk-appetite concept can easily be applied in areas such as considering whether to hedge foreign exchange risk or in assessing financial institutions that would prefer to invest in subprime mortgages rather than high-quality corporate debt.

But most companies cannot define, much less quantify, their risk appetite. Other than possibly placing some boundaries on what risks should be taken, ERM processes offer managers little good-risk or risk/return optimization guidance.

Risk management failures were at the heart of the 2008–09 U.S. economic crisis. Mortgage lenders and insurance companies did not understand the quality of the assets and liabilities they were managing. As a result, they did not correctly price the risks they were taking; they did not grasp the implications of how their balance sheets were being overleveraged; and they did not take necessary precautions to maintain their organizations’ liquidity.


When managers begin their ERM processes, they compile lists of “known risks”—problems they’ve encountered before, or problems they can envision. If an organizational structure does not provide for a clear separation of duties, for example, a company could face employee fraud. Similarly, if computer files are not backed up, a company risks losing important data.

Some risks can be predicted by extrapolating historical patterns. If margins continue to slip at the same rate as in the past five years, for instance, the company will run out of cash in 2014.

But history isn’t always a good guide to the future. Neither are humans.

The core risk management problem is that human beings are not good at visualizing a world they have never seen. Brainstorming, engaging outsiders to provide objective input or maybe even to play a devil’s advocate role, and scenario planning might help managers develop contingencies (see “Scenario Planning: Navigating Through Today’s Uncertain World,” JofA, March 2011, page 22). While it’s impossible to conceive of every scenario, using some of these approaches should uncover risk events that otherwise may not have been identified.

Humans are not good intuitive statisticians. They often are unable to comprehend highly improbable events. They can be overoptimistic about the likelihood of positive events, and can underestimate the likelihood of negative ones. Sometimes they latch onto an initial estimate and disregard new information. They will overvalue evidence consistent with a favored belief, undervalue evidence against, and often fail to search impartially for evidence.

It’s no surprise that many corporations and boards were blindsided by the economic downturn. The scenario that unfolded had not been seen before. Companies’ risk management weaknesses did not show up when times were good, but when the economy slumped, they were obvious.

Surveys show that most managers recognize that their ERM processes are underdeveloped. (See, e.g., COSO’s 2010 Report on ERM: Current State of Enterprise Risk Oversight and Market Perceptions of COSO’s ERM Framework ( by the Committee of Sponsoring Organizations of the Treadway Commission (COSO); Aon’s Global Enterprise Risk Management Survey ’10 (; and Deloitte’s Global Risk Management Survey, Seventh Edition: Navigating in a Changed World (

It’s clear that ERM processes need to become more sophisticated to compensate for inherent human limitations. People can be trained to be better intuitive statisticians. They also can be made more aware of their biases and provided with ways to avoid or adjust for them.


The ERM processes that most companies use involve the quantification of risk exposures on at least two dimensions: “likelihood” and “severity.” Some also estimate risk “velocity”—how quickly the effects would be felt. The scores on the resulting heat maps are ranked so that attention is directed to the areas of highest exposure.

But while ERM is advertised as providing a holistic view of risk, it tells us little about risk/return relationships. Scores typically are not consolidated into an overall view of how likely an organization is to meet its objectives given the totality of risks it faces. They are not used to assess the level of risk the company faces, as would be necessary to produce “risk-adjusted income statements.” If the correct assumptions had been made in measuring the risks, such statements would have been useful in revealing and, if linked to incentives, curtailing the excessive risk taking that caused much of the recent financial crisis.

Similarly, companies’ risk scores often are not compared over time or benchmarked with a peer group. They remain totally subjective. They are not subjected to an audit. And management incentives are usually not linked to improvements in anticipating and managing risks.

Certainly, there are good reasons not to blindly trust risk measurements. After all, different managers assess risk differently. The ratings of a single manager can fluctuate over time.

It is necessary to recognize that the crude, subjective measures currently used significantly limit today’s ERM processes. One adage of management is that “if you can’t measure something, you can’t manage it.” ERM processes only accomplish the first step: They force managers to holistically assess risk, but then they do not make much use of the measures. How can risks be managed if the measures aren’t trusted?

Maybe in the future more objective risk scorecards will be developed and compared over time and across entities. Some of the elements are already in place in the form of indicators such as default rates, inventory shrinkage, workplace accidents, and customer retention rates.

In the most obvious case, if managers could conclude from their scorecards that financial performance has improved, while the risk being borne has gone down, they could claim to have created economic value. Other cases, such as where risk has declined but at significant cost in expected future returns, are much more difficult to analyze.

Four Things Companies Can Do to Improve Risk Management

  1. Limit use of existing, more simplistic ERM tools (such as heat maps) to management of “bad” risks, that is, those that are to be avoided. To manage “good/prudent” risks, use standard strategic-management approaches (such as analyses of opportunities/threats and scenario planning).
  2. Encourage all engaged in risk management processes to think “outside the box” and to expand assumptions about what will happen in the future. Another solution is to hire or assign people to pay attention to market changes.
  3. Provide checklists or training for managers to minimize their perception- and information processing-related cognitive biases.
  4. Build a risk management process around a “risk scorecard” based on harder, less subjective risk indicators, such as customer retention or inventory. Such indicators can provide early warnings of emerging risks.


Even the most advanced ERM processes are insufficient. As a result, even those companies with state-of-the-art ERM processes may lack the ability to accurately predict and avoid high-risk events.

Four major challenges must be addressed to improve ERM. They involve finding better ways to (1) manage “good” risks or opportunities; (2) manage “unknown,” and possibly even unknowable, risks; (3) correct for common, risk-related misconceptions; and (4) quantify risk exposures.

The inability to properly identify and manage risk was at the heart of the 2008–09 global economic crisis. Directors of many financial institutions did not price the risks they were taking correctly; did not grasp the implications of how their balance sheets were being overleveraged and incorrectly valued; and did not take the necessary precautions to protect liquidity.

ERM needs to evolve to include new ways of thinking about risks. More attention must be paid to overlooked areas such as the value of brainstorming and scenario planning; the role of bias in risk analysis; and the development of more sophisticated data collection tools for use in the creation of risk “scorecards.”

Kenneth A. Merchant ( ) is the Deloitte & Touche LLP Chair of Accountancy at the University of Southern California in Los Angeles.

To comment on this article or to suggest an idea for another article, contact Jack Hagel, editorial director, at or 919-402-2111.


JofA articles


  • Accountant’s Business Manual (#029418, with CD-ROM toolkit; #ABM-XX, online subscription)
  • Case Studies on Enterprise Risk Management Implementation (#PCG1202E, ebook)
  • CPA Client Bulletin (#CB_FI12, #CB_FN12, and #CBEXX12)
  • Forecasting: Methods and Applications (#PCG1205E, ebook)
  • Identifying, Measuring and Managing Organizational Risks for Improved Performance—Management Accounting Guideline (#030001PDF, on-demand)
  • Integrating Social and Political Risk Into Management Decision-Making—Management Accounting Guideline (#030004PDF, on-demand)
  • Risk Assessment for Mid-Sized Companies: Tools for Developing a Tailored Approach to Risk Management (#091101)
  • Risk Management Strategies for a Turbulent Economy (#029886PDF, on-demand)
  • Smart Risk Management: A Guide to Identifying and Calibrating Business Risks (#PCG1204E, ebook)
  • The Small Business Jobs Act of 2010: Tools, Tips, and Tactics (#091052HS, CD-ROM)

CPE self-study

  • AICPA’s Annual Update for Controllers (#731978)
  • Critical Skills for Creating Great Budgets: Maximizing Profits, People and Power (#733782)
  • Strategic Planning: A Simplified and Workable Approach for Private Companies (#745270)


  • National Conference on Credit Unions, Oct. 22–24, San Diego
  • Not-for-Profit Financial Executive Forum, Oct. 22–24, San Francisco
  • Advanced Executive Risk Management Workshop, Oct. 25–26, New York City
  • AICPA & PDI National Oil & Gas Conference, Nov. 13–15, Denver

For more information or to make a purchase or register, go to or call the Institute at 888-777-7077.


CPEOs provide peace of mind around payroll services

The creation of these new IRS-certified service providers for small businesses clarifies some issues around traditional professional employer organizations.


8 sentences to help you master subject-verb agreement

When professionals prepare written material for readers inside their organization or outside, they should make sure that no errors distract from the message they need to convey. Take this short quiz for practice in subject-verb agreement.