A Need for a Challenge Culture in Enterprise Risk Management

INTRODUCTIONEnterprise risk management (ERM) has its roots in the late 1990s, as companies searched for ways to provide more effective and proactive containment of their business risks. They sought to put aside the traditional "silo" approach to risk management that compartmentalized the management of risks, and to replace it with a unified, holistic structure that evaluated and prioritized risks, and managed the mitigation of their key risks in an efficient and more effective manner. No longer would financial risks be managed in isolation, separate from operational risks and the traditional insurance risks. There was compelling evidence that some risks were being over-managed, while other risks were being under-managed. This new approach, companies believed, would lead to an enhanced ability to "de-risk" their organizations and avoid severe, or even ruinous, risk debacles that could result in value destruction (Barton et al., 2002). Leading-edge ERM companies at the time included Microsoft, Wal-Mart and DuPont. But there were missteps also in those early years. Some authors cited Enron as a model risk management company, but it became apparent quickly that this was not so.As with almost any significant, new management initiative, ERM requires a strong commitment to its effective implementation by senior management, chiefly the C-suite. This has proven to be a problem over the years. It was tempting for organizations to claim they were practicing a form of ERM but when examined more closely, their programs fell far short of the characteristics of a true ERM initiative. So it would be no surprise when later, a major risk debacle occurred and the risk management system failed to contain it. JPMorgan Chase & Co. had been routinely cited as an organization that practiced effective risk management and had even survived the Great Recession relatively unscathed. Yet in 2012, the company experienced some $6 billion in losses, resulting from the transactions of a single trader in England, now known as the "London Whale" (Ackerman et al., 2013).An ERM system that is in place for "window dressing" or merely to demonstrate that the organization takes managing its risks seriously but actually is not up to the task of containing serious risk exposure could be worse than no system at all. It could give a false impression of effective risk management when it doesn't really exist.One key aspect of effective ERM implementation is the culture of the organization. An ERM system may be in place but is potentially ineffective because cultural considerations trump the operation of the system itself. For example, in an organizational culture that values loyalty to management, employees may be reluctant to identify risk exposures that reflect badly on management.The Institute of Management Accountants (IMA®) and the Association of Chartered Certified Accountants (ACCA) commissioned a major study in 2013 to examine ERM within the context of a need for a "challenge culture." The motivation for the study centered around the realization that effective risk management can only exist in an organization when members of the organization are free to "challenge" the riskiness of the status quo.The IMA-ACCA study states that "[a] challenge culture is an environment that encourages, requires, and rewards enquiries that challenge existing conditions." (Walker et al., 2014). Based on extensive interviews and research of the literature, the IMA-ACCA study explains how a challenge risk culture must start at the board and C-suite levels as a necessary prerequisite for it to successfully permeate the entire enterprise and for it to become a natural part of corporate life. This should lead to what was succinctly stated at the ACCA-IMA roundtable in Dubai: "Every manager is a bit of a risk manager" (Walker et al., 2014).THE RECENT EXAMPLE OF GENERAL MOTORSOne of the most widely-publicized risk debacles in recent years is the General Motors (GM) ignition switch recall. …