If you've watched the Discovery Channel's “MythBusters,” you know that on occasion the show deals with what might be called risk-management issues.

For example, the show has explored such compelling questions as: When faced with a shark attack, is it a good idea to punch the animal in the nose? And, can a fire extinguisher be successfully used to defend against a flame thrower? The show either confirms or busts the myths, depending on the results of several, often explosive, tests.

Following the show's format, we can look at questions that have more direct relevance in a corporate risk-management setting.

The following are some common risk-management myths that may or may not live up to reality. You'll see that they will be either confirmed or busted!

Myth 1 – Every company has ERM, with some more advanced than others. Certainly all mid-size and large companies deal with risk in one way or another, on an ad hoc basis or with an organized effort. Indeed, it's safe to say that every company, even a one-person firm, addresses risk in some fashion. And many, if not most, larger organizations have designed processes for identifying, assessing, and managing risk, and do it with varying degrees of effectiveness.

Inherent in this myth is the notion that “risk management” and “enterprise risk management” are synonymous. The reality, however, is that this simply is not true. Although these terms often are used interchangeably, enterprise risk management, or ERM, is a small subset of the much broader concept of risk management.

In looking at the COSO Enterprise Risk Management—Integrated Framework we see that to qualify as ERM, an organization's risk-management process must not only flow throughout every business, level, and staff unit of an enterprise, it also requires other specified attributes. The entity, for instance, must apply risk-management techniques in strategy setting; establish a risk appetite and risk tolerances, and manage risks within those constraints; effectively communicate relevant information; develop an entity-level portfolio view of risk; and monitor the entire process. The reality is that while some companies' executives may accurately say that their organizations indeed have ERM, many more who say their companies do are misspeaking.

The fact is that across Corporate America few risk-management processes rise to the level of ERM, and while it might sound nice for an executive to say the organization has arrived at that level, more often it is simply not the case.

Conclusion: Busted!

Myth 2 – The most effective way to implement ERM is by gradual evolution. Some companies seek to advance their risk-management programs by seeding risk-management techniques into a range of management functions. These initiatives sometimes are led by the chief financial officer, chief audit executive, or other C-level executive, based on the premise that business managers will recognize the benefits of focusing on risk in making decisions, and the appreciation of risk management and its use will grow within the organization.

When coupled with a roadmap of how risk management is intended to evolve in the organization, with related support, training, and tools, this approach can yield positive results. And while it's conceivable that some of these initiatives will grow into full-fledged ERM processes, I personally have never known it to have been accomplished in this fashion.

Experience shows that for ERM to be successfully implemented within an organization, the process must be thoughtfully designed. That is, the parameters of the process and how it should work within the organization need to be mapped out in advance. This typically involves establishing a core team of professionals to lead the effort, with business unit and process owners involved from the start. Success often is enhanced with use of a steering committee of senior executives, who are involved in shaping the design and garnering support throughout the organization. And gaining the full support of the chief executive is an absolute necessity. Without it, an initiative might begin with great intentions, but cannot survive in the face of ongoing business challenges and new initiatives drawing attention and resources elsewhere.

There are a number of other elements that go into successfully implementing ERM, including building risk management into HR programs—setting objectives, defining clear-cut responsibilities, and stressing accountability—and developing an effective roll-out program and related training. These efforts need to clearly demonstrate to personnel throughout the organization why embracing ERM will indeed support and better enable them to achieve their business objectives. In a larger organization, software support is extremely useful if not essential.

There are several ways to roll out ERM within an organization, and the best way for a company depends on its corporate culture and desire for speed. One method is to use a “big bang” approach, including the entirety of the organization in one fell swoop. Another is to begin with the senior executive team by using relevant risk-management techniques in the strategic planning and budgeting process, to gain further support at the top of the organization. This may be accompanied by implementation in one or two major business units, preferably those with executives who are considered successful leaders in the organization. The roll-out can then expand from there over time.

So, while there can be a phased-in implementation of ERM, ERM doesn't just happen by seeding risk-management techniques and gradual organizational evolution. Rather, it requires a carefully designed process and an effective implementation plan, with all the requisite support, for the initiative to be truly successful.

Conclusion: Busted!

Myth 3 – Boards of directors are more sharply focused on risk management. For some time now, especially in the aftermath of the financial crisis, boards of major companies have been significantly more focused on risk management in the organizations they oversee. Boards are spending more time looking at significant risks and management's plans for dealing with them. They're getting more information and asking more probing questions of the CEO and, if there is one, the chief risk officer. Certain industries have gone even further. At financial services firms, for example, risk committees at the board level are taking on direct responsibility for overseeing risk profiles.

For many boards, however, risk oversight could and should be further enhanced. Some boards are still looking for management to identify the “top 5” or “top 10” risks, with directed focus on those issues. That approach falls woefully short of looking carefully into what processes management has in place in the organization to identify risks as they emerge, to assess those risks, and to take actions to appropriately manage them. The approach also fails to consider how the CEO knows that he or she is sufficiently apprised of all significant risks. And in some instances, directors and managers don't really communicate well, with one using the term “risk” to mean uncertainty with respect to what events might transpire, and another meaning the results or outcomes of events that have already occurred.

Some boards continue to consider individual risks, while others have advanced to call for management to provide a portfolio view of all significant risks, which provides context and a more complete picture. Some now look at the company's overall risk appetite and related risk tolerances, enabling a better meeting of the minds with senior management and enhanced ability to monitor risk taking within the organization.

The reality is that boards on the whole are focusing more closely on risk management, although many need to do more. As such, with the myth presented as it is, we can say:

Conclusion: Confirmed.

While this episode of risk-management mythbusters may have been less explosive than the show it is based on, I hope that it goes at least a little way toward helping companies identify and mitigate risks that could potentially blow up the company.