
Does PwC understand risk management? Are they giving boards good advice?

September 25, 2023

There are thousands of PwC employees around the world. There have to be some that understand how the effective management of risk helps boards and management teams achieve enterprise objectives through informed and intelligent decisions. It enables people to take the right level of the right risks for success.

But their Director’s Guide to ERM Fundamentals is a disappointment.

Take the first sentence of the web page:

ERM programs are intended to formalize how risks are identified, assessed, managed, monitored and reported on in light of strategic priorities.

That is NOT effective risk management.

You need to manage the business not risks.

You need to take the right risks as part of informed and intelligent decision-making, both strategic and tactical.

I have to say that PwC is at least consistent. I asked the same question, does PwC understand risk management, in 2015. My answer then was that they did not. I’m afraid they haven’t changed my view with this latest misguidance for directors.

They got it right when they said:

Having an effective ERM program can help the board and management make more informed decisions in the face of uncertainty.

But there is little more to commend after that.

They define the highest level of ERM Maturity as:

Systems, processes and culture are integrated with key organizational programs, linked directly with the strategic priorities and use technology to optimize governance, risk management and monitoring/reporting.

I included a far more detailed (and useful) maturity model in Risk Management for Success, and encourage every director, executive, and practitioner to use that model instead of PwC’s.

Let me suggest a metaphor for effective risk management. It is far simpler than what any organization, even any individual, actually faces. But it might help people understand my thinking.

I own an Acura TSX, a car I have enjoyed for many years.

I don’t drive it a lot, but I will take it in for an oil change and vehicle safety inspection about once a year. Since it’s quite old (2008 with about 70,000 miles on it) if I am planning a long trip I might get it checked out and some work done (for example, on my tires) without waiting for the annual check-up.

This is roughly equivalent to the periodic review of enterprise risks to which many organizations limit their risk management programs.

But it’s not enough.

Even on short trips (to the grocery store or to my yoga studio), I am aware of and monitoring sources of risk all the time. For example, I am:

  • Watching the cars around and ahead of me for dangerous situations.
  • Watching behind me, alert to reckless drivers and (if I am speeding) the police.
  • Alert to potential issues with the brakes, should they seem slow to respond.
  • Noticing whether the engine warning light comes on, indicating a problem.
  • Checking to make sure I have sufficient fuel.
  • Seeing if there is slow traffic or even a jam ahead of me, indicating I should consider changing my route.
  • Listening for warning horns from other vehicles, or the sirens of emergency vehicles.
  • Watching for pedestrians, especially those that might run in front of me or who are getting out of a parked vehicle.
  • Making sure I stay in my lane and that the steering is responsive.
  • Checking for traffic when I want to change lanes.
  • Noticing traffic light signal changes.
  • Staying aware of changes in the weather that may require corrective action by me, such as turning on the windshield wipers. (I don’t live in an area where ice is at all likely.)
  • Making sure my eyesight is OK. I may clean my glasses at a traffic light.

And there is more.

I am making tactical decisions throughout my journey, even including where and how I park at the end of it.

Risk management is not only about periodic reviews of significant sources of risk. It is also about making sure that as management and the board run or oversee the organization, they are doing so with reliable and current information about the path ahead. They are making the informed and intelligent decisions necessary to achieve their objectives – such as getting to the grocery store or yoga studio on time and safely.

You can have effective risk management without a CRO or risk team (despite what PwC says) if the management team is skilled at decision-making – including getting the information they need about the current state and the path ahead. But risk management and a risk team can help management do that well.

PwC has some suggested questions for directors to ask of management.

I have one that I suggest is far better. It’s the start of a conversation, with more questions following management’s responses.

How do you and your team make decisions? (With thanks to Grant Purdy.)

I welcome your thoughts.

  1. September 25, 2023 at 10:47 AM

    Case closed, I think. Any of the Big 4 are clueless about risk management, despite some individual exceptions working for them, and this is unlikely to change any time soon.

    • Anonymous
      September 25, 2023 at 11:56 AM

      In the absence of a more structured, formal and systematic approach, the PwC ERM lines of defense policy remains dominating, unfortunately!

  2. September 25, 2023 at 12:12 PM

    OK, that’s simply not true, and quite insulting to risk professionals, to think PwC is a benchmark of any kind. And I wrote a big chunk of the previous global PwC risk framework ))

  3. GSosbee
    September 25, 2023 at 6:21 PM

    You are correct Norman. I tried to explain to them that their understanding of Risk Management was 30 years old, but they either didn’t understand or felt that I was the one who was out of touch.

  4. Anonymous
    September 26, 2023 at 5:08 AM

    The PwC definition of ERM maturity is a perfect example of the flaws of maturity models. Doing the wrong thing righter should not be the goal of ERM.

    • Norman Marks
      September 26, 2023 at 6:46 AM

      Have you seen my maturity model?

  5. Anonymous
    September 26, 2023 at 10:28 AM

    Norman, I think the key word is ‘information’. In your driving journey you are constantly taking in information, assessing whether it constitutes a risk or opportunity, and making a decision to do something or nothing.
    The advantage of ERM is that it allows anticipation of some risks, which your driving experience has provided. As you say, that doesn’t stop the need for constant monitoring.
