Are risk registers a useful tool or a trap?
One of the thought leaders with whom I frequently debate/argue is Tim Leech. Tim has a passion that is usually divergent from mine, so it is always refreshing to see situations where we agree.
This is how Tim replied to a recent post by me on a study by KPMG on risk management (reproduced in full with his approval).
Norman: Thanks for drawing attention to the KPMG survey results. My primary concern with the survey is that it has not recognized that the “risk centric” approach to ERM, an approach [with] a heavy focus on creating and maintaining a “risk register” and assigning “risk owners” used by a large percentage of organizations in the world today who claim they are practising ERM is in fact “risky”. This approach has diverted people’s attention and focus from the real purpose of risk management – increasing certainty [that] important value creation (e.g. Increase market share by X%) and potentially value eroding objectives (e.g. publish reliable financial statements) will be achieved operating with a tolerable level of retained risk.
The “risk register” approach has been promoted and implemented in tens of thousands of organizations by consultancy and software firms and the IIA has promoted it in a number of its guidance publications. I believe that many of the points noted above from the survey are linked to the dysfunctional consequences of using “risk centric/risk register” type approaches to risk management. It’s ironic that risk consultants and software vendors are now part of the world’s risk problems.
Regulators in each country who are increasing their focus and requirements in this area also need to ensure they are not part of the global regulatory wave forcing companies to implement risk centric approaches to risk management diverting attention to the true power of formal risk assessment as a business tool.
We are promoting “board driven/objective centric” approaches to improve the way organizations manage risk. It starts with boards that want reliable information on the state of residual risk linked to key value creation and potentially value eroding objectives. For those interested simply Google “THE HIGH COST OF ERM HERD MENTALITY” and/or our newest presentation on the approach we are recommending to address key failings noted in the KPMG survey results. It can be downloaded at:
If we want senior management to truly embrace risk management they need to see it as another tool in their arsenal to manage their organizations within a level of retained risk acceptable to them, their board, regulators, credit rating agencies, investors and other key stakeholders. This won’t happen using “risk registers” as a primary foundation building block.
Before explaining why I agree on the core points of Tim’s comment, let me address a few minor points of disagreement. First, I don’t use the expression ‘residual risk’ anymore; the adjective ‘residual’ is assumed and is only useful when comparing current state to the level of risk should controls fail (which some refer to as ‘inherent risk’). Then, rather than limit myself to a “tolerable level of retained risk”, I prefer to use the terminology of ISO 31000:2009 and talk about risk criteria. Another point of disagreement is that I believe every risk should have an owner – the person responsible for achieving the affected objective. Finally, while providing the board and executive management with reliable reports on risk is important, I believe the more significant need is enabling managers across the organization to make risk-aware and intelligent business decisions every day.
So, where and why do Tim's opinion and mine converge?
It is that if used without due care and attention, risk registers are a trap.
There is a belief among many that organizations need to manage a defined list of risks. Some have as few as 10 or 25 because that is the limit of their management’s and board’s attention. Others have far more, recognizing that all risks to the achievement of objectives need to be understood and managed where significant.
Some consultants love to provide guidance on the risks that should be included in a risk register, with studies of the top risks of the moment.
But, by creating a risk register, they are creating the impression that risks are static. They are not.
Just as business conditions change all the time and decisions have to be made every day, new risks emerge and old risks change all the time.
Running the business with a static risk register (and it is essentially static if it only changes once a quarter while the business changes much faster) is Enterprise List Management (a phrase coined by my friend, Jim DeLoach of Protiviti).
So I join with Tim, although I don’t use precisely the same words, in urging organizations to ensure they have the capability to manage risks to value creation and the surpassing of objectives every day – in setting and modifying strategy, in monitoring and managing performance, and in daily decision-making across the enterprise.
I also urge internal audit departments to assess and report on whether management has that capability.
I welcome your views and comments.