Risk Management is not about Defense
From time to time, I get into trouble with the IIA.
Here’s another opportunity.
The IIA has embraced the Three Lines of Defense model and in 2013 issued a Position Paper (identified as strongly recommended guidance[i]), "The Three Lines of Defense in Effective Risk Management and Control." Since then, IIA leadership has advocated the model, including in its recent "Enhancing Value Through Collaboration: A Call to Action" (see this related post).
The idea of the model has some merit. It distinguishes between functions that own and manage risk (operational[ii] management: the 1st line of defense), those that “oversee risk” (including risk management facilitation and monitoring of risk management practices: the 2nd line of defense), and those who provide independent assurance (primarily internal audit: the 3rd line of defense).
Distinguishing the roles of management, risk management, and internal audit has merit. It is also useful to talk about the need for coordination.
However, I believe the IIA has made a grave mistake.
Risk management is not about defense.
It’s about management making informed decisions and taking the right risks.
If anything, that is offense.
Defense implies you are defending against risk. If you don’t take risk, you wither and die.
Defense implies that risk is bad. It is not. It can be positive or negative and, as one sage individual commented on my blog, there is often an opportunity to change a potential negative into a positive.
Last week, I met a top financial services risk management expert in Singapore (Martin Davies of Causal Capital). He told me about a situation where a trader submitted a proposed transaction for risk management review and approval. It was rejected because it fell outside the organization's "risk appetite" (used in this context, it really referred to risk criteria[iii] rather than risk appetite as defined by COSO ERM). The risk manager rejected it. Martin explained how, if he were in this situation, he would sit down with the trader and work with him on how the deal could be restructured so that it became acceptable[iv].
This is offense, not defense.
In any event, my view is that when you put responsibility for managing risk in the hands of a siloed risk management function, you are at the same time removing that responsibility from operating management.
This is not a good thing.
Management needs to own risk, with risk management serving as facilitator.
The IIA paper talks about risk management “overseeing” and “monitoring” risk management practices – which sounds awfully (and I mean awful in every sense) like corporate police and a siloed, adversarial risk management function.
No. This is a practice that will only stifle an organization and limit achievement.
Let’s talk about the lines of offense instead of defense.
How can risk management enable the organization to take the right risks, optimize outcomes, and not only achieve but surpass objectives?
I welcome your comments.
PS – controls help the organization go faster, not just preserve value
[i] Why this is considered guidance escapes me. I understand how it can represent the IIA's thinking, but it is informational in nature rather than guidance for the professional practice of internal auditing. I contrast this with the Position Papers on the role of internal audit in risk management and governance, which did provide guidance.
[ii] The IIA refers to risk management as being owned by operational management. I don't understand why they don't include executive management and the board. They refer to senior management as setting strategies and objectives and defining the governance structure, but taking risks and making decisions is not limited to operating management.
[iii] Follow the links to a paper by Martin on risk appetite that relies on ISO 31000:2009 rather than COSO ERM.
[iv] I am with Martin and would fire the risk manager who simply stamps "reject" on the proposed trade.