Enterprise Compliance Today

Why Aggregate Risk in an Enterprise Risk Management (ERM) System?

Posted by Greg Carroll on Fri, Nov 22, 2013 @ 10:40 PM

There appears to be a growing view that Risk does not need to be aggregated to have an effective ERM. I believe this is due to a combination of the rush of inadequate software products on the market and the infiltration of Q.A. mentality into ERM. 


enterprise compliance

Aggregating risks based on corporate objective measurements, both horizontally as well as vertically, thru neural networking to handle complex interrelationships, provides a useful decision making tool for management.

Feedback from of my last article on “How to Aggregate Risk in an Enterprise Risk Management system”, there appears to be a more widespread view than I expected, that Risk does not need to be aggregated in ERM.  This growing view is that if individual risks are managed and strategic risk are treated the same and managed independently, then you can have an effective ERM without the need to aggregate. 

I believe this is due to a combination of the majority of risk software products inability to correctly aggregate risk (we can't do it so you don't need it), and the infiltration of Quality Assurance mentality into ERM. The problem is QA is about managing consistency in processes to acheive a single defined outcome while Risk Management is managing uncertainty to prepare for multiple potential outcomes. Although symbiotic, management of Quality Assurance and Risk are not interchangeable.

So, why Aggregate Risk?

Accepting the ISO31000 definition of Risk as the measure of Uncertainty in a complex system (Business), then you have to accept that Business is subject to the physical world constraints of the Uncertainty Principle and Chaos Theory (see previous article: Risk and Chaos Theory).  The Uncertainty Principle says the act of measuring an item, changes what is being measured.  This is the case with risk.  Instituting Timesheets increases employees’ awareness of time utilisation which will improve productivity. Same with investigation of risk invariably increase awareness of the risk drivers and influences and produces subtle changes in work practices that inertly alters the risk profile. So producing a 50,000 item Risk Register, even if it was meaningful (which it isn’t), would soon be out of date due to its daily interactions with the real world.

Further, risk management needs to cover opportunities as well as threats.  If opportunities were simple, they would have already been exploited. The future will be complex, with a high level of uncertainty. This is the world mankind has built for itself and it needs a decision making tool that can handle real world complexity and uncertainty.

My previous article of How to Aggregate Risk was meant to stimulate people to re-evaluate their purpose of ERM.  My experience is there is a growing disillusionment amongst Boards and C-Level executives about the real value of ERM. Having a register of 50,000 risks is not leading to any better decision making nor helping reaction times to unseen events. 

My aim would be to restructure that intelligence database of 50,000 items, into a truly useful tool. As I stated in that article, a risk is not a risk in isolation, it only becomes a risk in certain circumstances, a risk event, due to what we refer to as risk drivers and influences. By aggregating risk you create a neural structure of these 50,000 items, which can be done using Scenario Analysis and then Bayesian modelling to apply their effect on one another. Then instead of trying to accumulate risk scores (eg 1-5) as most software tries to do, you should measure and aggregate the potential effect of each scenario on strategic objectives in $, tons, or hours (as Fast Track does).  This requires each objective having quantifiable KPIs.  With that done the board can identify where to put resources, e.g. develop tsunami DR or accelerate new products to market. 

My opinion is that without aggregation ERM is no more than an expensive record of why things went wrong, where as with aggregation ERM becomes an invaluable management tool for decision making and acheiving corporate objectives.

I will put together an extract from my book as a simple guide to how to design a true ERM system and post it up in the next few weeks which should explain it better.  Aggregation of risk is just one factor you need to reassess if you are serious about implementing an effective Enterprise Risk Management system.  Other issues include structuring a neural risk model to mapping the interrelationships and dependencies between risks, environmental scanning to identify changes in causes and drivers and triggers to initiate real-time re-evaluation of risk profiles.  My book “Mastering 21st Century Enterprise Risk Management” will be available from Amazon and the www.fasttrack365.com website in the next
couple of weeks.



reduce compliance costs  reduce non-compliance  reduce compliance costs
Risk Management Data Sheet
How Fast Track provides true ERM
Webinar Videos
See recorded webinar on 21st century Risk Management
Product Guide
Technical specifications, pricing, and more.

Tags: corporate governance, risk aggregation, risk management