You may have seen the commercial for the room freshener about becoming “Nose Blind” to odors.
Well, the same thing happens all the time, even in good ERM programs.
In the early days of ERM, the smart CRO is willing to take the victories that they can get and not let the “perfect be the enemy of the good”. And if they do it right, they will end up with an ERM program much faster then the perfectionist CRO and his two or three successors.
But, that CRO will eventually become “nose blind” to the weak spots in ERM. Just as a long term homeowner who goes to sell a house and has a hard time believing that new buyers cannot just step over that bad spot on the floor just as they have been doing for 10 years.
That is the reason that an outside audit of an ERM program is needed every so often. The outside audit brings in a fresh nose. But you need to be careful in charging the auditor.
There are two aspects of the ERM program that the auditor needs to look for:
- Poor execution of the ERM Framework
- Incomplete ERM Framework
And the nose blindness might apply in either aspect. The CRO may have become nose blind to the places where someone is doing a weak job of execution. Again, this may have been the area that was least supportive of ERM when the program was new. So due to steady opposition, the CRO eventually just learns to live with whatever the managers in that area are willing to do, however minimal and ineffective. And the CRO could be responsible to choosing to not attempt some normal parts of an ERM program when they are first making up the ERM Framework of the company. Or, the standard that was initially used as the template for the ERM Framework might not have been very good for the types of risks that are taken by the company. For example, the COSO ERM standard is intended to be applicable to all sorts of firms. Its advise is fairly generic. An insurer is a firm whose business it is to accept financial responsibility for other people’s risks. There are a number of ERM standards developed specifically for insurers. But an insurer that uses the COSO ERM standard as its sole guide will have difficulty achieving the level of ERM program maturity of those who followed insurance specific standards.
For those without the budget to hire an outside auditor can use two techniques can help you to clear the air and smell things with fresh nose:
- For execution issues, ask your folks to do peer audits of each other. When people from your weakest area see the level of practice in another area, they will get some sense of what they are missing. And when the people from the strongest execution area folks do an audit of another area, their best practices can be spread more widely.
- Review your ERM Framework against a different standard than the one that you used to create it. Do not pull punches, if that different standard says to do something in a certain manner, mark your framework as potentially deficient if you are not operating in that manner. Then work to honestly resolve these issues. These alternate standards may have their own area of nose blindness, but they would never have risen to standard status unless they had some serious benefits for the users.
Riskviews 