
The greatest risk – one generally overlooked by risk practitioners

September 12, 2012

The greatest risk? The risk that the risk management program is insufficient to identify, evaluate and assess, and respond to all the potential effects of uncertainty as we strive to achieve our objectives.

How many risk practitioners measure and report on the limitations of the risk management program? (And don’t tell me that everybody has perfect systems that will identify, promptly and accurately, and address appropriately all situations and events. I don’t believe it.)

I suspect that most practitioners are at least subconsciously aware of the limitations and the likelihood that risk management will ‘fail’, with undesired effects. But, I doubt that more than a handful have completed a risk assessment of the risk management program.

Neither COSO ERM nor ISO 31000:2009 tells you to do this, although the process in 31000 will work – once you realize that ineffective risk management is a risk source! You could argue, but I think it's weak, that the monitoring activity in COSO handles this; I don't recall any discussion of risk assessing the program in that document.

What do you think?

Isn’t this something we should do every year, at least?

  1. September 12, 2012 at 6:05 AM

    Yes, fully agree Norman. I would certainly want to cover the risk management system each year and react according to the findings it provides related to risk maturity. Of course this is only a significant audit problem if the audit is in any way risk based, and a critical audit failing if the audit approach is to fully rely on the risk management system.

  2. September 12, 2012 at 6:58 AM

    Norman, I prefer to spend my precious assurance and consulting (internal audit) time on the enterprise value management process versus just the risk management process. After all, the generation of free cash flow is the goal of every organization except the federal government.

  3. Gabriel
    September 12, 2012 at 9:27 AM

    Hi Norman,
    completely agree. It is the first risk and we should realize it.

  4. Kumaresan
    September 12, 2012 at 8:53 PM

    Basically all the risk practitioners are having this limitation rather than as a risk. Just how we define it. However, continuous monitoring, education, understanding of business, emerging risk and issues surrounding each organisation, risk maturity within organisation to be updated and followed up. This way we could minimise the potential gap within the risk management process.

  5. September 13, 2012 at 1:30 AM

    Norman, this is definitely a risk that internal audit should explore. I find that a lot of organizations still do not have a structured approach to risk management. Therefore, it becomes difficult to truly evaluate the fragmented risk management process. And so we conclude that there is no structured disciplined approach to risk management and Management indicates that there is no issue because they have experienced significant loss. It’s a perpetual circle in which nothing gets done until something happens.

  6. Bill Stephens
    September 13, 2012 at 7:32 AM

    I totally agree. We perform our risk assessments and they are presented to the Audit Committee but Management/CRO doesn’t have a structured process in evaluating risk management and our control risks. We lack strong monitoring controls in some of our key risk areas and it isn’t a priority to address them until something happens. It basically comes down to lack of proper accountability throughout the organization.

  7. September 13, 2012 at 4:11 PM

    I would only make the point that if the risk management system is properly supported by a robust auditing regime, which should be evaluating whether controls are a) implemented and b) effective in reducing the risk, this self-regulating mechanism should be sufficient to highlight deficiencies in the system. Bill Stephens said it: "We lack strong monitoring controls…". Something in me resists the urge to go round in ever-decreasing circles until the inevitable happens.

  8. Per Kurowski
    September 14, 2012 at 3:57 AM

    Moving forward is about 50% of risk considering and 50% of risk ignoring, but the hard thing is to know which is which, and when.

  9. Beulah
    September 15, 2012 at 8:32 AM

    Maybe I am naïve – no system can 'own' your risk other than the risk owners. Therefore in my mind the solution lies not in the system but the organisational or institutional risk culture. When managers within silos and collectively accept that risk and opportunity are 'the way we do business', no system will solve the problem. I view another factor as – this is 'good old earth', we will always have risks, that is why we have jobs – therefore it is not the risk but our response to risk that is the critical factor.

  10. Norman Marks
    September 15, 2012 at 9:09 AM

    As CRO, I would not rely on and wait for an internal audit assessment. I would make sure that, as owner of my own process, I understand the frailties of the ERM program and the risks presented to achievement of objectives.

    Why would we not have a risk workshop on the ERM program, just as we do in other areas?

  11. Andrew Forte
    September 17, 2012 at 11:08 AM

    In the Navy, all programs, organizations, and commands must have an Internal Control program (i.e. risk management) that addresses operational risks at the command/enterprise level and funnels down to the lowest levels. Assessing risk and developing strategies to mitigate those risks has been something we've done in government since the mid-1980s. As an Audit Director, I ensure that we assess the effectiveness of the IC program and include those results in our audit reports. Strong IC programs do reduce operational risks if effectively implemented and monitored.

  12. J'vel
    September 19, 2012 at 7:30 AM

    Business leaders have been trained for years to pay attention to revenue streams; unfortunately risk management does not fall primarily into value creation. Consequently I believe that the business world needs to be educated more on the subject matter to create the cultural shift that is needed. As several of you commented previously, organizations take the high road until something happens and then they seek to resolve the situation. People have been trained to respond to dollars and cents, and because all risks cannot be expressed in this manner they are simply ignored until they can be.

    That being said, you are correct Norman, COSO does not address the issue that all risks cannot be modeled and that this flaw is something that should be given greater attention. I believe that the answer to this issue is education, because an educated and experienced professional would be better equipped to make more informed judgments to rectify and compensate for this problem.

  13. September 21, 2012 at 5:07 AM

    Norman is absolutely correct. There will always be a risk that the risk management programme is inadequate. However, whereas the role of creation and ownership of the system is that of the risk manager I am of the opinion that the annual monitoring and testing of it is the domain of Internal Audit as an independent source.

  14. Peter Nägelein
    September 23, 2012 at 5:57 AM

    The philosophy of continuous improvement should also count for risk management activities, not just operational processes.
    I therefore agree with Norman that especially the identification + analysis of the risks plus corporate risk appetite should be consequently reviewed and measured. The most crucial point from my perspective is the identification of risks. The list of yearly incidents should be mapped with the identified risks on a yearly basis. In a second step then your analysis parameters need to be checked for their capability to really put focus only on the true risks. Last but not least, if corporate risk appetite and tolerance is transparent, the question of mitigation does not have to be posed again, as it's following a clear process in line with shareholder expectations (of course shareholder/corporate risk appetite should also be checked and adjusted).
