Management And Accounting Web

Merchant, K. 2012. ERM: Where do we go from here. Why new tools are needed to help companies properly assess risk and opportunities

Summary by James R. Martin, Ph.D., CMA
Professor Emeritus, University of South Florida

Many companies use risk assessment grids (heat maps) to prioritize risks based on the likelihood and potential impact of various events.1 Although current enterprise risk management (ERM) approaches recognize various types of bad risks, develop mitigation strategies, and then monitor and reassess those risks, current ERM practices are still ineffective when it comes to managing good risks. The purpose of this paper is to show that risk management processes need to become more sophisticated to overcome the weaknesses and biases of current ERM processes.

Bad Risks vs. Good Risks

Bad risks are risks the organization wants to avoid, while good risks arise from opportunities to achieve the organization's objectives. Current ERM processes are fairly good at identifying and prioritizing bad risks, but less effective when it comes to good risks.2

Known Risks and Misperceived Risks

Some risks are easily predicted based on historical patterns, while other risks are more difficult to predict. Part of the risk identification problem is that humans are not good at visualizing risks and tend to overvalue evidence supporting positive outcomes and undervalue evidence to the contrary. ERM needs a mechanism that helps people become more aware of their biases and how to adjust for them.

Quantifying Risk Exposures

Most ERM processes focus on quantifying the likelihood and severity of undesirable events (bad risks). But they do not provide much information about risk/return relationships (good risks). Heat maps show which risks are the most serious, but do not show an overall consolidated view of the risks that an organization faces. In addition, subjective measurements currently in use seriously limit the effectiveness of enterprise risk management.


1. Limit the use of simplistic ERM tools such as heat maps that are used to manage bad risks. To manage good risks, use strategic management approaches such as analyses of opportunities, brainstorming and scenario planning.3

2. Encourage thinking outside the box to expand assumptions about future events. For example, hire or assign people to study market changes.

3. Provide training for managers to minimize their cognitive biases in risk analysis.

4. Build a risk management process around objective risk scorecards that provide indicators of emerging risks. Examples include data related to customer retention rates, default rates, workplace accidents, and inventory shrinkage.



1 See the McKay (2016) summary below for some examples of heat maps.

2 Kaplan and Mikes (2012) discuss three categories of risks: preventable risks, strategy risks, and external risks that are beyond the organization's influence and control. Using their categories, preventable risks (internal) and external risks are bad risks. Strategy risks are good risks.

3 See the Axson (2011) summary for a discussion and example of scenario planning.

Summaries related to Enterprise Risk Management:

Axson, D. A. J. 2011. Scenario planning: Navigating through today's uncertain world. Journal of Accountancy (March): 22-27. (Summary).

COSO. 2016. Enterprise Risk Management: Aligning Risk with Strategy and Performance. Public Exposure Draft. (June). (Summary).

Malone, D. and M. Mouritsen. 2014. Change management: Risk, transition, and strategy. Cost Management (May/June): 6-13. (Summary).

McKay, S. 2016. CGMA tools: How to communicate risks using a heat map. Journal of Accountancy (June): 35-40. (Summary).

Kaplan, R. S. and A. Mikes. 2012. Managing risks: A new framework. Smart companies match their approach to the nature of the threats they face. Harvard Business Review (June): 48-60. (Summary).

Shenkir, W. G. and P. L. Walker. 2006. Enterprise risk management and the strategy-risk-focused organization. Cost Management (May/June): 32-38. (Summary).
