
Dynamic, iterative, and responsive to change

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, and so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change”?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

  1. Alfred Rodas
    August 24, 2014 at 8:26 PM

    Norman – I believe that the ISO Principles of dynamic, Iterative and responsive to change really do need to undergird any internal audit department that wants to continue to exceed the expectations of its stakeholders. Being proactive is important, but I believe that the ISO principles as they apply to internal audit are saying that you need to be more than just proactive; you need to have a methodical, focused mechanism that allows you to translate creative thinking and focus into tangible value for the organization. Internal audit needs to support sound and effective decision making by those in governance. We can’t do that if we are not continually reassessing what are the ‘things that matter’ to the organization and what we should be examining.

  2. Sunil
    August 26, 2014 at 6:44 AM

    Norman, I think most internal audit functions still view risks in silos and stick to their annual audit plan or a long-term rolling plan (like a 3 or 5 year plan). If a survey is carried out today the truth will be quite surprising and I guess most internal audits would be behind in terms of being “dynamic, iterative and responsive to change”. The speed at which business (and the underlying risks) change in a post-crisis world is alarming. I believe internal audit functions need to adhere to shorter time frames such as quarterly audit plans, which I think you will agree to, so as to continuously adapt and change the plan to the changing business / risk areas. I couldn’t agree more with Alfred’s comments.

  3. allanmisner
    August 28, 2014 at 2:04 PM

    Norman, two great questions. I’ve spent most of my career at companies that changed extremely fast during my tenure. As a result, I’ve had my audit departments operate on a quarterly plan (and at times even that is too rigid). I haven’t come up with a truly adaptive plan, but we’re close. As for our client, I often find their reaction to change is very predictable (Seven Dynamics of Change), particularly #7 – “People revert to old habits when the pressure is off.”
