How do you evaluate your risk management program?
The IIA and others are developing guidance on how to assess risk management. For me, there is too much emphasis on the risk management framework and process (the policy, the procedures followed to identify, assess, and respond to risks) and too little on the risk culture.
Risk culture refers to whether the organization embraces and uses risk management as part of strategy-setting and decision-making at all levels of the business. We have seen a number of companies fail or have severe difficulties over the last couple of years because they had good processes but risk culture problems – such as risk managers going unheeded and even being fired for their bad news, failures to communicate risk levels to senior management and the board, and a short-term drive for profits and bonuses trumping consideration of risk.
I developed my own list of high level questions that can be used to assess the risk management process:
1) Does the organization have an effective risk culture? Attributes would include:
- Support for and use of risk management at board and executive management levels
- Devolvement of risk management into decision-making at all levels across the organization
- A clearly stated risk appetite that has been communicated effectively to all involved in risk management
- A risk policy and stated risk tolerances that enable a balanced approach to risk management (between risk and reward) and are communicated to all involved in risk management
- The ability of the executive responsible for risk management to access and influence executives and the board, ensuring that they receive complete, accurate, and timely risk information
- A common set of risk definitions and processes, enabling a view of risk across the enterprise
- Sufficient resources for the risk function, including numbers of experienced and trained personnel, budget, and other resources necessary to the task
- Appropriate training for operational and other managers involved in risk management and daily decision-making
- Sufficient information for those involved in risk management and decision-making to perform their responsibilities
- Risk is considered in setting organizational strategies and operating plans. The latter are adjusted as risks change
- When managing performance, projected results are modified as necessary to reflect risks
2) Are there adequate processes to ensure risks are promptly and appropriately identified and analyzed? Are appropriate individuals involved in the process? Consider the need for continuous monitoring of risks
3) Are the processes for evaluating and assessing risks, determining whether they are above tolerances, and selecting risk treatments adequate? Are appropriate individuals involved in the process? Are options for treatment considered and appropriately evaluated?
4) Are the controls relied upon to manage the more significant risks identified, adequately designed, and operating effectively so that risks are managed within tolerances?
5) Is risk oversight by the executive leadership and board (including assigned board committees) sufficient? Do they receive appropriate timely information?
6) Are corrective actions (risk treatments) managed to timely completion?
7) Is there appropriate monitoring of the risk management process to ensure it continues to function as intended? Are risk policy, risk appetite, risk tolerances, and other parameters and standards current? Do they reflect the current state of the business, its internal and external context, and the risk management needs of the organization?
8) Is risk management efficient? Are the results of multiple risk assessment processes and systems efficiently combined to provide consistent reporting across the enterprise?
I would appreciate your comments.