A Risk Management Challenge for You

I hope I have been consistent in my message: that risk appetite and other top-level guidance only enables an after-the-fact answer to the question of “did we take the right risks”.

They don’t provide the guidance people need when they make decisions as part of running the business on a daily basis.

I am in the middle of an email discussion with a leader of one of the Big 4 CPA firms’ risk management consulting practices. He is one of the few from the Big 4 that I have heard say the same thing I do – that risk is taken every time you make (or decide not to make) a decision, and that those making decisions need guidance on which are the right ones to take.

This gentleman has developed a somewhat complex process that takes the organization’s objectives, identifies the type and general source of risks to each of those objectives, determines at a high level the aggregate level of risk to each objective that would be acceptable, and then drives this down to the decision-makers whose actions create or modify those risks – and finally determines what would constitute an acceptable level of risk at their level.

It’s a valiant attempt to deliver guidance to those taking or modifying risk every day.

But is it enough?

I asked him this question, to which he has not yet replied:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

We say that risk is the effect of uncertainty on objectives and that you have to assess each risk within the context of objectives.

But what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?

In practice, the HR manager has his own objectives, as does the HR department. For example, he probably believes that one of his primary objectives is staying within budget. Can he achieve that without adversely affecting another department’s objectives to an unacceptable extent?

It’s not only that delaying hiring or hiring somebody with insufficient experience may adversely affect the operation of the new service center, but problems at the new service center might result in failures to bill customers accurately, pay critical vendors on time, produce accurate financial and operational reporting, and more. The ripple effect could be substantial and affect multiple organizational objectives.

A (COSO) risk appetite statement or framework set by the top management team and approved by the board is of no help.

Are (ISO 31000) risk criteria any better?

Management decisions like this are made every day.

Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of the company’s primary products). Does she select the lowest-cost provider, who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?

Which is the right risk to take? How can she know?

I welcome your comments.

Isn’t this the core, the heart of risk management?

  1. rohit
    June 21, 2014 at 9:04 AM

    For a business to run, decisions need to be taken and risks are associated with each decision that we take. So to answer the questions, one should begin by identifying the risks and then prioritizing them before defining the risk acceptance level. The prioritization process is where factors such as cost, talent, resources, other exogenous factors come into play. It is after this process that the risk acceptance level should be defined.

  2. Norman Marks
    June 21, 2014 at 9:10 AM

    Rohit, thanks for the comment. How do you identify the risks? Does the HR manager know what they all are? Does he even know what organizational objectives may be affected?

    Does the HR manager understand that his decision may increase the risk of inaccurate operational reporting or errors in customer billing?

    • July 3, 2014 at 12:30 AM

      Good point Norman –

      The HR Manager might have his / her objectives to stay within budget. He may not be expected to comprehend the associated risks of a decision that may go wrong. However, the risks can still be mitigated when

      1. You have functional authority to vet and assess the candidate to test on capabilities
      2. The HR (and possibly legal, depending on seniority & criticality of position) need to be involved in background checks, which ensures the hire will have a clean background (hence mitigating fraud risk)

      Cost (within budget – addressed by HR), unethical behaviour/ practices (hired an employee from clean background based on inputs from authentic source), ability to meet core functional/ business objectives – duly assessed by functional member, cultural fit (assessed by HR again)

      To meet the above, the risks may not be explicitly mentioned in some document; however, given the management position that such steps must be followed – does it leave us with reasonable assurance?

  3. June 21, 2014 at 12:54 PM
    First of all thanks for involving us. I have limited knowledge of ERM as compared to your vast knowledge. However, I take this as an opportunity to learn from these discussions.

    As per COSO Risk Management Framework –

    Risk Management is a process, effected by an entity’s board of directors, management “and other personnel”, applied in strategy setting and “across the enterprise”, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide “reasonable assurance” regarding the achievement of entity objectives.

    a. Other Personnel includes HR Manager
    b. across the enterprise includes day to day decision
    c. its reasonable assurance AND not Absolute Assurance

    Now let’s talk about the HR Manager…what is the KRA of the HR Dept., i.e. should any organisation have an HR Dept. at all….Any HR Manager will be and should be in a position to answer this basic question.

    The HR Dept.’s KRA is to hire and retain the right skilful resources as per organisation need and org. culture in a timely and effective manner, and to impart training to bridge the gap.

    While taking a business decision, the HR Manager, if he/she is of the opinion that he/she is able to achieve the set objective. Risk management never stops a business decision; rather it guides the decision maker to consider all the internal and external factors which can prevent achieving the set objectives.

    Now let’s talk about risk appetite here…An org. may have set zero tolerance for not hiring a resource who has been involved in fraudulent activities in the past. This should be a guiding principle for the HR manager to take the decision.

    Further, as the definition of risk management suggests, risk management is a process (which includes HR policies and procedures approved by management). The risk appetite and tolerances need to be implemented in policies and procedures.

    ERM requires a lot of training in the org. to inculcate a risk culture in day-to-day decision making.

  4. June 21, 2014 at 4:28 PM

    Norman – You are right on the money here. The real issue is not a theoretical risk management one, but a practical one. It is the fact that the real world is complex, messy and human. It is for this reason that risk management in practice is not simple. Risk appetite (or tolerance) is, for example, a product of many day to day decisions, some taken with suboptimal data, time and experience. The real benefit of risk management is the post event review. Done often enough one can have a sense of how much risk is building up and whether it ‘feels’ too much. I am not sure many systems can articulate this, thus risk culture is the key control framework here. Just as I try to anticipate what my boss worries about and keep them informed, I learn from experience and get a better and more aligned risk appetite. If an organisation can establish this, then it will get a better set of risk management outcomes, become more confident in taking risk and therefore take more, promoting success, for the management capacity is the core basis for organisational competitive advantage.

    • Deb
      June 22, 2014 at 11:34 PM

      “risk culture is the key control framework” – bingo! I once heard it said that “Culture eats strategy for lunch”!

  5. June 21, 2014 at 6:28 PM

    The reward/ punishment for risk decisions is a significant driver in getting people to take the right actions. The HR manager/ recruitment scenario is a great example.

    Suppose the HR manager waits 3 months, hires someone below budget to cram 6 months’ worth of work into 3, and there are delays. This may be a substantial cause, but there will be plenty of finger-pointing to go around. As long as the HR manager was under budget, s/he will be fine.

    Now suppose the HR manager wants to be absolutely certain they are staffed with the right people to open the facility on time. S/he hires someone with the right experience, well enough in advance, and is willing to pay a premium for it. The facility opening goes off without a hitch. The HR manager’s contribution to this will be difficult to identify. Many others will seek to take credit for the job well done. The HR manager is confronted with going over budget at the next performance review and gets a mediocre review.

    Another process from another expert won’t fix this.

  6. June 22, 2014 at 8:06 AM

    Norman – Risk management at the strategic level and at the operational level are both important. The COSO Risk Management Framework, which sets a tone across the organization, is more strategic in nature, and in light of that, operational-level risks should be taken care of.

    There are organizations that have developed their own risk management framework based on COSO and ISO requirements, with more guidance on operational aspects and set examples, but none can provide an exhaustive list of risks [and proposed actions] for every business operational scenario. That is practically impossible, as the business environment is changing every day and every scenario has its unique characteristics.

    I totally agree with Douglas on the part of reward/ punishment for risk decisions. A manager needs to analyze the situation before taking the call. At the end of the day, it is the theory of opportunity cost. You choose the best alternative based on what you need which might be very different from case to case.

    In a tight budgetary situation, consideration of budget might get a serious priority, but on the contrary, for a strategically important project, budget consideration might be at the bottom of the consideration list. The same goes with procurement preference. The respective manager should have the skill set to judge what is best and get reward/punishment accordingly.

    • Norman Marks
      June 22, 2014 at 8:13 AM

      Everybody, thanks for the comments. Please answer this question for me: How does the HR manager know what the risks and rewards are – how his actions will affect the organization as a whole?

  7. Paul O'Farrell
    June 22, 2014 at 6:21 PM

    Norman – this is the most pertinent question in risk management today and a fantastic question to ask! Putting aside frameworks, regulatory guidance, industry standards, etc., how do people use “risk thinking” in their day-to-day decision making?

    In my view, it is a combination of clear enterprise focus, risk culture, formal training, good recruitment practices, prioritisation, and people’s personal characteristics! Some of these are very broad areas but all impact on “risk thinking” (there may be other factors).

    Deloitte has produced a guide on risk decision making which I think is a good thought starter on this issue, which goes to the heart of risk management:

  8. Michael Werneburg
    June 23, 2014 at 8:44 AM

    Hi, excellent example. When you say, “Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision” I think the answer lies in decision making. First, this can’t be the HR manager’s sole responsibility. The “stakeholders” have to participate, providing their objectives and reaching some form of consensus on the needs and priorities before this can be handed over to an HR manager. At a guess, I think this might include: whoever understands the operational requirements; the project management team; those familiar with culture on the ground (e.g. in Thailand), if they exist; and anyone else who has to live with the consequences of the decision. I’m reading a book called “Smart Choices” by Hammond, Keeney, and Raiffa (http://www.amazon.ca/Smart-Choices-Practical-Making-Decisions/dp/0767908864) that I’m finding to have some strong insights into “risk management”.

    Following the decision(s) around hiring, I would expect that the organization would have processes for managing the performance of the new operation and the new hire, both in terms of business and HR processes. Some form of governance on both of those review activities ensures that they are being conducted. These are “operational risk management” functions in my opinion.

  9. Kris
    June 23, 2014 at 10:25 AM

    Does the answer not lie with each and every person within the organization understanding the strategic and financial objectives of the organization they work for? ERM is so intimately linked with strategy. To do it right, you need to always continue to draw the lines between the two.

  10. Mike Corcoran
    June 24, 2014 at 6:21 AM

    I think if you adopt the “three lines of defense” framework advocated for the financial services industry the HR person would allow the hiring of Corzine to bet the farm and shoot for the moon. The procurement manager will sole source to accomplish lean six sigma goals.

    Good examples, and value/risk are personal decisions. When advising, it is good to go from the store floor to the CEO suite to understand behavior.

    I like the recent ad question. Dad, why do investment advisors make money from you when they lose your money?

  11. Eric Pynnonen
    June 24, 2014 at 7:03 AM

    The idea of “ensuring” that line managers are making the “right decisions” teeters on the brink of universal micromanagement, and there’s no better way to destroy employee motivation and organizational improvement.

    Many organizations have little or no ability to distinguish between good (“right”) decisions and good (lucky) outcomes. But where they can use their risk management activities to help identify/develop models for what works and what doesn’t (call it “risk criteria”, “risk models”, “risk drivers”, “risk factors”, or use one of a multitude of other identifiers from other disciplines), that will allow those organizations to provide evidence-based guidance to their decision-makers.

  12. Richard Fowler
    June 24, 2014 at 8:37 AM

    Your basic question – How does the HR manager know what the risks and rewards are, and how his actions will affect the organization as a whole – cannot be determined in a silo. This is where a great many difficulties in risk management occur. Before the risks can be identified, the objectives those risks will impact should be known. These come from senior management and the company executives.

    Assume the primary goal is to have a recruitment officer in Bangkok when a new service center is opened in 6 months. What other goals need to be met? Is there a diversity goal? Are we looking for innovation, which points to a younger candidate; or for stability, which points to a more experienced candidate? There are often competing goals, but that’s what managers and directors get paid to achieve, and discussion with other managers and senior management on an ongoing basis helps define what the true priorities are. The risks that impact these goals can then be identified: the risk of exceeding target budgets; the risk of hiring an unacceptable or unethical employee; the risk of having an unsupported service center; the risk of inadequate service center staffing solely from local hiring; the list can go on and on.

    We can sit down and map out the objectives, the risks, the mitigation plans, etc., but isn’t this what managers do as part of the thought process daily? Do we have a formal risk mitigation plan when we get in the car and check the gas? Or do we quickly determine that there’s enough for this trip and we’ll fill up when we return to save time or get to an appointment? The risk is that we’ll run out of gas if there’s a traffic jam; the reward is that we’ll get to where we need to more quickly if we don’t stop to fill up now. But as anyone who has worked in risk management knows, we cannot know all the risks, all the probabilities and all the outcomes. It makes it difficult to make the perfect decision with imperfect information, but that’s business. And life.

  13. John O
    June 25, 2014 at 12:55 PM

    I agree with Norman – risk management is (or should be) about people throughout an organisation making better, more consistent decisions, where the level of risk associated with each decision is understood and “acceptable” to the organisation. The difficulty is that what is acceptable will differ with each decision, as each decision has a different context – i.e. what is the decision trying to achieve, and are the associated risks sufficiently outweighed by the expected benefits? I think the answer can be found (in part at least) by analysing decisions and assumptions made by senior management and turning these into some tangible principles and criteria that can be used by everyone. This can be done by discussing some decision scenarios with senior management teams and exploring what makes the level of risk in them acceptable (or not). This approach helps to ensure that a “tone at the top” is set by senior management, and gets them thinking about why they make decisions.

  14. Arnold Schanfield
    June 27, 2014 at 2:30 AM

    Why do you think it is important to ensure that the HR manager made the right decision at the time the decision is made, and how would you suggest that this be done? I say that this is a complete waste of time because in the first instance you are making hundreds of decisions over the course of the year and you would end up spending 30% of your time doing and 70% of your time analyzing what you were doing.

    If you follow HB 436, which you clearly do understand unlike many of our colleagues, you will know that the process that is followed is the most important thing, framed by the infrastructure in place. You will know whether the HR manager made the right decision by first auditing the process and secondly by checking at the end of the period whether the strategic objectives were accomplished.

    I will be shocked if you hear back from the Big 4 partner, but if you do, please share the commentaries.

  15. Olga
    July 6, 2014 at 4:26 AM

    Setting primary goals, providing guidelines and procedures, and an organisation-wide control environment will facilitate such managerial decisions.

    Practically speaking:

    1) Goals: If we are talking about a multinational company, I doubt that a hiring manager will be thinking of the effect of his decision on the organization as a whole (unless he’s really senior). He would rather think of how to fill this position with the best candidate for a mutually beneficial relationship (this kind of thing should be set at the top as a goal).

    2) Operational guidelines enabling communication and expertise: It is the responsibility of risk management, control, etc. to provide guidelines to support a manager’s daily actions and decisions to avoid unnecessary risk taking. If this is correctly set, the manager will know that while taking the decision he should call for operational and HR expertise, where communication, experience and expertise sharing will support the decision. To be considered: critical points for this position (for instance, we absolutely want someone with this one specific skill), whether similar cases were treated in the past and what the problems were, etc.

    3) Desk procedures – step by step: While hiring for a position, there must be, for example: first, a defined mandatory skill set; second, a defined profile that the manager will search for; and then a defined sourcing strategy (or strategies)… Briefly, there must be guidelines and desk procedures to eliminate unnecessary risk taking.

    I am actually just a masters student, so I would appreciate your feedback on my comment.
