Dynamic, iterative, and responsive to change
One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.
I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.
“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.
“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.
Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, and so on.
Stuff happens and it changes or creates risk.
The organization must be responsive to change, nimble and agile in modifying strategy and execution.
All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).
Is your internal audit function “dynamic, iterative, and responsive to change”?
For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?
Or are they slow, scattered, and stubbornly reluctant to change?
Is that a risk to which we must respond?
I welcome your comments.