ERM is fundamentally not about COSO, ISO frameworks or any other framework. Enterprise risk is about decision-making, and none of the existing risk frameworks explain how to improve decision-making. In fact, all existing risk frameworks are based on either audit-based risks or a prescriptive approach to how to establish a risk program. Contrary to conventional wisdom, mankind and business thrived for thousands of years quite well without a risk framework, so clearly risk frameworks are NOT a solution for managing risk. Managing risk is about making smart decisions about the risks that matter in achieving organizational objectives, improving efficiency and educating everyone on how to recognize and address their own risks in real time.
GRC is a tool, like any other tool, to help understand the risks that matter. However, as with any technology, if you put garbage into your tool you will get garbage out of the tool. The "garbage" that I am referring to is the data that fails to clarify risk. There is a basic fallacy among risk professionals that they "know" risks and that the input of risk data is a simple process. I would suggest that there is a range of risks that has been ignored by the vast majority of risk professionals, and that this neglect has exposed organizations to greater risks. The "hidden" risks that have been ignored are what I call "cognitive risks". What are cognitive risks?
Cognitive risk is presented here as "homo periculum" to describe errors in judgment similar to those of "homo economicus", the rational man theory in economics. Homo economicus is the portrayal of humans as agents who are consistently rational and narrowly self-interested, and who pursue their subjectively-defined ends optimally. It is generally assumed that homo economicus has been refuted, yet organizations still operate as if it were the dominant operating theory. Homo periculum is coined by the authors to characterize the cognitive blindspots that inhibit mitigation of complex risks such as corporate governance and cybersecurity. Homo periculum represents a similar heuristic fallacy in risk governance: that humans possess an innate ability to calculate probabilistic outcomes in managing risks in complex organizations. My new book goes into detail regarding this neglected risk factor.
ERM and GRC have become multi-billion dollar industries dominated by private equity firms and public accounting firms. Both groups have conducted unprecedented marketing campaigns to promote ERM and GRC to make money. Marketing jargon has confused the goals and objectives of ERM and GRC, and many of the "pundits" and influencers are opportunists who are more interested in making money than in providing an honest assessment of how effectively these tools work. Caveat Emptor! Our approach is evidence-based and research-based. That doesn't mean we do not want to make money, but we are ethical in our analysis of what works and what doesn't.
Copyright © 2020 GRC Index - All Rights Reserved.