What is effective risk management?
Some say that risk management is effective when it has all the components described in their favorite standard (ISO 31000:2009) or framework (COSO ERM); COSO ERM specifically states this as the requirement.
Some say that risk management is effective when all the principles in their favorite guidance are present and functioning. (ISO talks about its “set of principles that organisations must follow to achieve effective risk management.”) The principles are (from a consultant’s site that provides a high-level view of the standard):
- Creates and protects value;
- Is an integral part of all of the organisation’s processes;
- Forms part of decision making;
- Explicitly expresses uncertainty;
- Is systematic, structured and timely;
- Is based on the best available information;
- Is tailored to the organisation;
- Takes human and cultural factors into account;
- Is transparent and inclusive;
- Is dynamic, iterative and responsive to change; and
- Facilitates continual improvement of the organisation.
Some say that risk management is effective when activities are compliant with the organization’s related policies and standards. But are those policies and standards adequate?
Some will say that risk management is effective when the board, operating and executive management believe it adds value and are satisfied that it provides the information they require. I believe that has merit but they may be satisfied with less than mature risk management (that seems to be the case with many current organizations who are satisfied with enterprise list management, until they are caught short).
Some will say that risk management is effective when an independent assessment/audit/examination is performed and the report says so. The trouble is that the people who do such audits generally rely on one of the above criteria (components present, principles in operation, etc.).
I would like to suggest a different approach.
Let’s start by considering why organizations should have risk management. It’s NOT because laws and regulations mandate it in many cases. It’s NOT because people say you need it. It’s because effective risk management provides a level of assurance that an organization will not only achieve its objectives (or exceed them) but will set the best objectives.
Quoting from COSO ERM:
“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
COSO explains that effective risk management enables:
- “A greater likelihood of achieving business objectives”
- “More informed risk-taking and decision-making”
Irish guidance on the ISO 31000:2009 risk management standard says:
“The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.”
The Australian mining company, BHP Billiton, has a risk management policy signed by its CEO. It includes:
“Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.
- By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
- Successful risk management can be a source of competitive advantage.
- Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
“The effective management of risk is vital to the continued growth and success of our Group.”
I like what E&Y has to say:
“An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it.
“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”
So we can see that, as the BHP CEO said, effective risk management is not only essential to the success of an organization but “can be a source of competitive advantage”.
For the last year or two, I have been saying that you assess the effectiveness of risk management by asking decision-makers at all levels whether the risk information is enabling them to make better decisions and be more successful.
In other words, assess risk management not by its structure but by its effect.
I still think that is a key test, but I am going to add a new dimension to my thinking.
Let’s consider a company that has significant foreign currency exposure. It does business globally so it has bank accounts in a number of countries and has both payables and receivables in different currencies.
There are a number of strategies for reducing foreign exchange risk, but to manage the risk effectively you need to know what is happening with rates as well as how your bank account balances, payables, and receivables are changing.
If this company is only able to understand its foreign exchange risk once a month (in other words, it monitors this risk monthly because that is the only time it can obtain all the necessary information and calculate its exposure), the risk is much higher than if it has the processes, people, and systems to monitor its exposure daily or better.
However, the investment necessary to upgrade the risk monitoring from monthly to daily may be significant. The company has to decide whether the reduction in exchange risk achieved by upgrading risk monitoring justifies the additional expense.
Until it upgrades risk monitoring, there is a risk that the information provided by risk management is insufficient. Management needs to decide whether that is an acceptable level of risk.
If management decides that the level of risk is too high, then I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks. But if management decides that the level of risk is acceptable, then that would not prevent me from assessing risk management as effective.
Let’s take another situation. An organization is concerned about its reputation risk. It has engaged a company to monitor reputation risk indicators (using social media analytics) and report once each quarter. However, it is in an industry where customer satisfaction can move quickly and significantly.
Quarterly risk monitoring creates a risk that the risk management program is not providing the information necessary to manage risks to the enterprise objectives. As in the prior example, management will need to decide whether an investment in more frequent reputation risk monitoring is justified by the potential reduction in reputation risk (because it would increase the ability to respond to customer complaints, etc.).
If management decides that quarterly risk monitoring represents a risk outside acceptable ranges, I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks, and management has determined that this risk (the risk of a bad decision) is unacceptable.
One final example. The company has an excellent risk management framework, formal policies and procedures, processes, and enabling systems. However, in the last year the level of staff turnover among the champions of risk management in the executive ranks and among the risk officers themselves means that the experience of the individuals relied upon to monitor, understand, assess, evaluate, and respond to risks has diminished.
There is an increased likelihood, compared with prior years, that risks will not be managed as desired, that the wrong risks will be taken, and that the risk information that flows to top management and the board may not be reliable.
This is a deficiency in the operation of risk management and may represent a risk to the achievement of objectives because it results in less than reliable risk information on which decisions are based. If the risk is unacceptable, then until it is treated and brought back to within acceptable ranges I would say that the risk management program is less than effective.
So, where am I going?
If we revisit the objective of risk management, we see that we rely on it to provide management and the board with the information they need to run the business, make better decisions, and take the right risks.
But risk management is not and never will be perfect.
It is impossible to monitor every risk, including new risks, in real time and provide useful information – also in real time – to the people who need to act on it.
There will always be risk champions who are new to the company and who, because they do not yet understand the business and their risk-related responsibilities, will fall short in that respect.
There will be times when the people required to provide expert insight when assessing and evaluating risks are on vacation, sick, or otherwise unable to participate.
There will always be a risk that the risk management program fails to provide the information necessary for decision-making.
The key is whether that risk is known and is considered acceptable.
If the risk is acceptable, then I would consider the risk management program as effective.
That is not to say that the principles described in ISO 31000 are unnecessary, or that the components discussed in COSO ERM are not required. But those describe the structure of the program, and having the structure in place does not mean the program is effective and produces the results necessary for the organization to succeed.
Bottom line: CROs and executive management should assess their risk management program (auditors can help) and determine whether the risk that it will provide insufficient information to run the business, make informed decisions, and take the right risks is at an acceptable level.
OK, I understand that this is a little complicated and a very different way of thinking about effective risk management. Does it make sense?
I welcome your views.
Sorry, sounds like a discussion on one of those ERM linkedin groups.
I will venture that any threat to revenue generation, billing, and collection (GBC) should be a primary consideration for any business in any industry vertical.
Obviously the capability of expenses to overcome GBC should be the second “primary” focus.
And that includes the risk management function. If the costs to implement and support ERM exceed either the estimated annualized loss exposure, the cost of the controls, or, obviously, too significant a percentage of GBC output, then risk management becomes a threat itself.
Complexity will always be the enemy of any security (economic or otherwise).
Threat likelihood/frequency measurement (aka actuarials) should always be the common denominator to determine any risk appetite/tolerance.
Never spend a dollar to protect a dime.
This approach is a shift from traditional thinking. In an effort to clarify, please consider this example:
In year one, currency exchange risk was low because the company only traded in US dollars and Aussie dollars. So management only monitored exchange risk monthly. That level of monitoring was just right.
Q. Do you agree that exchange risk monitoring is a risk management activity?
By year five, the company had grown and now had significant exchange risk because it traded globally in local currencies.
The quarterly risk monitoring is recognized by management as insufficient. They need to decide how much to invest to increase the accuracy and frequency of monitoring.
Let’s say that real-time monitoring so they can react instantly is prohibitively expensive.
Q. Will they not decide how much risk monitoring to invest in based on at what point the level of risk that they miss a significant move in the exchange market is acceptable? In other words, they set risk criteria for risk monitoring at some level less than perfect.
Q. Are they not recognizing that they are prepared to accept a level of risk monitoring (a risk management activity) at something less than perfect, because they want just the ‘right’ level of risk management rather than ‘perfect’ risk management?
Q. Are they not recognizing that risk management can itself be a source of risk? When there are defects in risk management, that can impair decision-making and therefore the achievement of objectives?
Q. Are they not saying that they are willing to accept a level of risk that risk management will not deliver complete, accurate, timely, and reliable information for decision-making?
Q. Does that not mean that effective risk management is achieved, not when there is ‘perfect’ risk management but when risk management operates at a level where the risk that it will provide insufficient information is acceptable?
I found your thinking and examples useful. Yes, the risk management system can be a risk in itself if more is expected or assumed of it without understanding its limitations. We do not have “perfect information”, hence we need to understand the limitations of that information and, as you put it, understand the risks of risk management as well as the risks that it is managing. An example of this is the risk rating we apply to a risk. This should be recognised as our best guess and nothing more. If we don’t understand this and place too much reliance upon this assessment, we may miss an opportunity or suffer a greater detrimental effect if the risk crystallises and becomes a significant issue.
Thanks for provoking thought on the topic. For consideration: there are idealized outcomes and organizational attributes for “enhanced risk management” per ISO 31000 Annex A which can be used to assess effectiveness of risk management. Since practical risk management will never be perfect, decisions must be made by stakeholders on whether the effectiveness of risk management is adequate for the organization regardless.
Excellent piece. One of the best and most applicable to business I have read in a long, long time. Thank you.
Thanks, David!
Thank you for this post on risk management effectiveness. The example from the Australian mining company resonated most, although my industry is quite different. At our last presentation to our Board, the most provocative question was in regard to the time between assessments and trend reporting, leading us to believe that our credibility is good, but we must deliver risk information more timely if we are to keep pace with the speed of decision making.
Thank you for this attempt at documenting what I believe is a common sense approach to managing the risk of carrying out risk activities for the sake of it. I am assuming your piece speaks to all risk management activities though your examples focused mainly on the frequency of monitoring and reporting.
I believe that any risk manager worth his or her onions knows that in the current climate of intense competition for budget, risk management is only sustainable when the cost of conducting risk activities is less than the value created.
My personal preference is to ensure all components of a good standard are functioning and the core values/principles of a comprehensive guidance are present and functioning. However, each component, activity or principle is present to the extent and level of sophistication that is appropriate for the organization. So, to your example, monitoring should only be done daily if it creates a level of value that exceeds the cost involved.
Hope that helps
ERM, as is seen, is all about whether top management/the owner are aware of their risk appetite and whether there is enough visibility of all the relevant parameters so that business decisions are taken to the most optimum effect.
You rightfully mention this as the key criterion to “assess the effectiveness of risk management”: “asking decision makers at all levels whether the risk information is enabling them to make better decisions and be more successful.”
In my view, as a decision-maker you do not only need to be informed about possible negative events, but also positive ones! You want a balanced picture of the future. Opportunities (and their expected rewards minus the costs of seizing them) and risks (and their estimated costs of controls and incidents) always go hand in hand. It’s up to the decision makers to balance them in an effort to create and preserve value for the stakeholders.
Since each stakeholder group tends to have their own interests and expectations, the decision makers need to balance these as well. That’s what makes management so challenging in practice.
Like the answer, very much consistent with ISO 31000, and it uses a principle-based approach. Note that for most organizations the reality is a little bit of all the approaches described, as you go from higher levels in the organization where strategy is formed to lower levels such as the shipping dock – again, the principle-based approach described helps figure out just what method of creating and measuring effectiveness is appropriate for the context. It should always be possible to determine if risk management is creating value.
Senior management by and large needs to do a better job of developing a “corporate culture”, as it relates to risk management. Policies and procedures are but one part of the process. Greater transparency will often lead to greater efficiencies for everyone.