The ERM Tipping Point

Carol Fox


November 1, 2011

In 1962, Everett Rogers, a 30-year-old sociology professor, published a theory that would make him world renowned. Since then, best-selling author Malcolm Gladwell has made the term "the tipping point" a household phrase, but it was Rogers who coined it.

His theory proposed that every successful new innovation includes a distinct timeline of acceptance. In the beginning, only true, forward-thinking innovators jump on board. Then come the pioneers, a group Rogers called "early adopters." Soon after, if an innovation is to become widespread, it catches on among the majority. Finally, even the laggards fall in line, leaving just a tiny percentage of people who may never adopt the change.

The genius of his "diffusion of innovations" theory was not simply a breakdown of who embraced the innovation. The brilliance was the precision with which Rogers was able to quantify when an innovation reached a tipping point. When was a budding innovation nearly certain to reach critical mass?

What Rogers found is that once the idea reaches a 15% to 18% adoption rate, it becomes very likely to begin increasing rapidly and eventually reach a saturation level of acceptance. After about one in six (the innovators and early adopters) accept something, the successive groups adopt the new idea in a typical bell curve progression and its market share (or diffusion level) takes off.

As it turns out, Rogers' near-50-year-old theory may apply to enterprise risk management (ERM). According to the 2011 RIMS Benchmark Survey of risk managers (which was conducted by this magazine's publisher), 80% of organizations either have or are in the process of developing an ERM program. Perhaps more importantly, 17% of the respondents stated that their programs are fully integrated and address risk across the organization. This is a full 5% increase from the 12% who reported so in 2009.

These ERM uptake numbers were virtually identical to a recent study by APQC, a benchmarking nonprofit. Those surveyed reported that more than 90% of their organizations have or are building an ERM program, and 17% have "greatly integrated" programs.

Based on the results of these two reports, it would seem that ERM has finally reached a tipping point. The innovators and early adopters have now accepted it as a core business practice. And if Rogers' theory can be any guide, the majority will jump on board soon, leaving only the laggards still wondering what all the fuss is about.

What has been the driving force behind this critical increase in ERM adoption? Certainly, shareholder, regulatory and credit agency pressures have highlighted the need for improved risk management. But more than that, organizations are increasingly seeing the value of ERM as a way to improve their odds of success. They have come to recognize that ERM is much more than a simple list of steps to follow or boxes to check off. Instead, it is now being recognized as what it is: a process that leverages the mastery of risk management competencies along a maturity continuum to improve strategy. ERM is now being viewed as integral to the achievement of an organization's strategic objectives rather than just being an end in itself.

By viewing ERM as more than merely an identification, risk-sharing or even management-control exercise, organizations gain a deeper understanding of the strategic risks that can mean the difference between survival and extinction. They are able to see that strategy depends on operational risks, financial/legal implications and insurable hazards -- all of which may transform how the organization chooses to deal with risk. In full maturity, ERM handles the interrelated threats to an organization's entire risk portfolio.

If we use the RIMS definition of risk as "an uncertain future outcome that can either improve or worsen your position," the world has never been riskier. Given the complexity and speed of change in the world today, there is much more uncertainty than there was 50 -- or even 20 -- years ago. The key is to understand that risk is not only to be avoided or mitigated. Risks should be understood in light of an organization's strategic objectives and assessed for their relevance, importance and likelihood so that the known risks that could "improve our position" can be exploited, and those that could "worsen our position" can be managed.

Unfortunately, while incorporating ERM into strategy is how it creates true value, not every organization has come to this realization. In the 2011 RIMS Benchmark Survey, only one quarter of respondents found the primary value of ERM to be increased certainty for achieving the organization's strategic and operational objectives. Other respondents cited value protection and silo elimination as the primary benefits. Such returns are certainly helpful, but they hold relatively limited value when viewed in the context of the organization's overall objectives.

Moreover, by not exploring strategic goals, a company jeopardizes the utility of its entire ERM program. In his work at DePaul University's Strategic Risk Management Lab, Dr. Mark Frigo identified five reasons why ERM programs fail:

  1. Risk management is not connected or integrated with strategy and strategy execution.

  2. Risk assessments are focused on the "wrong" risks (i.e., not focused on strategic risks).

  3. Risk management is not executed as a continual, repeatable process.

  4. Risk management "silos" create barriers.

  5. Risk management is not viewed as valuable and is under-resourced and under-networked.

ERM efforts generally fail when they are neither successfully linked to the organization's strategy development nor viewed as a core organizational competency. The bottom line is that if ERM is not put in the proper context, it will not be considered a priority within the organization.

So how do organizations achieve ERM success? There are five important steps to consider: organizational commitment, design, activation, monitoring/review and improvement.

Throughout the process, the risk practitioner should be able to convey positive responses to the following key success questions: Did we achieve our stated ERM objectives? Did we help the organization create and capture the value intended in planning its strategy and operational objectives? Did we do it better than our competitors?

Enterprise risk management, as a business discipline, has been practiced by pioneering organizations for more than a decade. Its acceptance is now reaching critical mass. It is quickly becoming an indispensable tool for achieving business success. Those who lag behind will soon find themselves at a disadvantage. Start now and it might not be too late to stay ahead of the curve.

Carol Fox, ARM, is the former vice president of strategic initiatives at RIMS.