Ten Common Misconceptions About Enterprise Risk Management

A well‐designed and carefully executed ERM program can increase firm value by strengthening the confidence of investors in management's ability to carry out its business plan—and, perhaps equally important, the rating agencies' confidence in the company's ability to meet its debt service—under most foreseeable circumstances. While only about 10% of companies responding to recent surveys claim to have achieved successful implementations of ERM, the authors begin by arguing that even these claims overstate the degree of progress in establishing truly enterprise‐wide systems. In their view, there are a large number of common misconceptions about both the approach and the process that have become obstacles to successful implementation. After arguing that ERM is a more simple and straightforward undertaking than most people realize, the authors go on to correct what they take to be the ten most common corporate misconceptions that now stand in the way of effective applications of ERM. Among the most important errors of thinking or execution is widespread confusion about concepts like “inherent risk” and “risk appetite,” and an equally common failure to tie such concepts to the firm's overall business and financial strategy. Another common mistake is continued reliance on decentralized risk management practices while failing to achieve an effective corporate‐wide purview and controls. In a related failing, the development of highly specialized risk management skill sets without a solid grounding in the firm's strategy and culture is a prescription for trouble. Finally, the widespread view that ERM is simply another category of response to Sarbanes‐Oxley reflects a near total misunderstanding of the spirit and aspirations of ERM. Whereas compliance with SOX is mainly a backward‐looking exercise, the intent of ERM is to help senior management maximize value. For that reason the shortest, most reliable path to a successful implementation is to get executive management or board‐level buy‐in, reach agreement on business objectives and risk tolerances, and allocate resources through the business planning process to manage identified risks from all sources that could pose a threat to those objectives.