
The risk of ineffective risk management

October 11, 2014

Very few risk practitioners perform any kind of risk assessment regarding the possibility that the risk program at their organization might fail to deliver.

Yet we continue to read reports from consultants that executives and boards have less than full confidence in those risk management programs. For example, a 2013 Deloitte report found “only 13% of companies rate their risk management programs 5 out of 5 in terms of supporting the development and execution of strategy, and 40% consider them inadequate”.

We are also continually reading reports about organizations, many of whom probably feel that they have decent risk management in place, being badly surprised.

I am a strong believer that those responsible for risk management should understand, based on a regular assessment, the likelihood that their risk management processes might fail and how that might impact the organization.

With that in mind, here are a few questions to consider. I would appreciate your comments and also your suggestions of other questions to ask about risk management.

  1. How confident are you that new risks, or changes to existing risks, that might be significant to the organization’s success will be identified early enough to take necessary actions?
  2. Does the process for risk aggregation work in a reliable fashion, including the timeliness of aggregation?
  3. Will information about new risks or significant changes to known risks flow as quickly as necessary to the individuals able to take action?
  4. Will that information also flow as quickly as necessary to those responsible for risk oversight, especially when risks are now outside acceptable levels?
  5. Is there a possibility that management (at any level and for any reason) might intervene inappropriately and change the information flowing to decision-makers?
  6. What is the likelihood that the results of your processes for assessing risks (including changes to risks) will be in error to the extent that incorrect information is provided to decision-makers for action? Consider the reliability of models (including assumptions incorporated into the models); the level of attention given by those responsible for risk assessment; whether the best people are involved in risk assessment; and so on.
  7. Is there a possibility that risk criteria/appetite statements used to evaluate risks are out of date or otherwise ‘wrong’ for the business?
  8. What is the likelihood that when decisions are made on whether the risk is acceptable or not (i.e., when the risk is evaluated), that the wrong assessment is made?
  9. What is the possibility that sub-optimal actions are taken to treat the risk, when needed? Consider the reliability of the information used in the decision, including whether all available options are considered, whether the appropriate individuals are making the decision; and, whether the risks inherent in each option are understood and appropriately considered.
  10. What is the likelihood that those responsible for taking risks (including in daily decision-making) are unaware of the level of risk that is acceptable and how their decisions will affect overall acceptable levels?
  11. What is the level of confidence that those responsible for taking actions, which may include many people across the organization, are aware of their responsibilities?
  12. What is the likelihood that individuals relied upon to take action in response to risk take those actions as desired?

I welcome your thoughts and suggestions for additional questions. I would love to hear from those who have assessed the risk of risk management program failures.

  1. Anand Varma
    October 11, 2014 at 9:21 PM

    Norman, you have come out with some very good questions that an entity needs to answer in the design & implementation of a RM system to make it effective. The crux is on “how to”? Very often, entity management remains uncertain or confused as to who should be doing what in the design & execution of an RM plan? To understand the RM process in its right perspective, may I mention that the RM process should be viewed by both the (i) Exposure Management (EM) and (ii) Risk Management Team. Whilst the primary duty to identify risk should be that of the day-to-day EM personnel, the RM team should then independently work closely with EM to vet the entire RM system (identification, assessment, risk treatment, risk appetite/tolerance, capital allocation, RM plan implementation and plan evaluation). In short, each of your questions needs to be examined by both the EM and RM teams, who should come up with one well thought out response, entity-wide, to make the RM system a success, the fruit of which could be measured by whether the RM system added any value (qualitative and quantitative) for the entity’s stakeholders. This way, RM execution is everyone’s job; the RM team supervises “how” each component of the RM process is being effectively executed by the EM and “how” the RM process is improved upon.

  2. Norman Marks
    October 11, 2014 at 10:21 PM

    Thanks for the comment, Anand. Since the CRO is responsible for the overall risk management process design, should he/she not periodically assess and include that assessment of RM risk in his/her reports to management and the board?

    • Anand Varma
      October 11, 2014 at 10:46 PM

      I agree with you, Norman.

  3. October 12, 2014 at 2:36 AM

    The obvious answer to most questions is “not confident”, “does not” and “no”. The real question is – if the current risk management approach doesn’t quite work, then what? For me the answer is simple – 2 things: reengineer business processes (all of them) to make them risk-based, and build risk competency within the risk team and use it in exec decision making (veto power).

  4. Fatima
    October 12, 2014 at 5:51 AM

    It also depends on how effectively ERM is embedded in all policies and business processes of an organization, as well as whether a culture of diligence and accountability is practiced. Otherwise, RM ends up as an isolated task to be done, and sometimes stuck in a dormant risk register. Most importantly, whether RM is seen as, or actually brings, value-added benefits. Veto power! Uuuh, power never brings long lasting ownership and commitment.

  5. Glenn Daly
    October 12, 2014 at 10:03 PM

    Would like to put forward a slightly different view on this subject. Would question whether questions asked of Senior Management/Boards like those posed above and in typical surveys by consultants always lead to an accurate assessment of risk management. Half the recipients answering the questions are probably confused about what they are answering (is the question referring to what the Risk Management team does in terms of formal risk management practices, or is it referring to risk management that is practiced more broadly across the organisation?). The other half would probably not be able to answer accurately because they may not know or, more significantly, due to the way the question is worded, they feel they need to answer conservatively anyway. Whilst acknowledging it is not always perfect, the measure for me that indicates whether risk management is working is the degree to which the organisation is achieving its longer term strategic objectives/goals. Would suggest that no meaningful assessment of any organisation’s overall risk management program (covering both implicit and explicit practices) can be done without considering this aspect, and therefore we would go down a very different track in terms of the types of questions to be asked, i.e. in the past, how successful has the company been in terms of meeting its sales targets? Profitability v. budget variances? etc. In other words, more of a focus on how successful the company has been at achieving objectives year in / year out over the longer term. Instead, we tend to resort to these theoretical questions relating often to prescriptive risk management practices that may or may not be a good indicator of how well the organisation has been in practice at managing its actual risks. Such an implied focus and emphasis on such prescriptive explicit risk management practices can potentially create significant problems, as I have previously pointed out in another post. Regards

  6. Gregory Sosbee
    October 13, 2014 at 6:30 AM

    Every effective risk management program not only looks at itself, but at all corporate functions including the Board. The set of questions posed are part of a portfolio of questions that should be asked of every manager and, in some modified form, every employee. Without this introspective look inside the organization, corporate decisions become “best guess at the time” which, from a risk management viewpoint, is the biggest risk of all.

    The fact that Senior Management/Boards were unaware of or “confused” by the question(s) they were asked is THE issue. If they were confused, the issue includes themselves, as they set the tone and parameters of the risk management program.

  7. Richard Fowler
    October 13, 2014 at 7:21 AM

    Perhaps the best way to assess the risk management program is to assess the risk mitigation plans. Are the plans current? Does each significant risk have an appropriate risk mitigation? Are the plans being tracked and updated? Who is responsible for the plans, and do they have the appropriate authority to initiate new activities when necessary? Who decides what the cost-benefit limit is? These are steps that auditors should be familiar with, and can go a long way towards assessing the maturity of the ERM process.

  8. October 13, 2014 at 12:05 PM

    Like so many other things, risk management, risk assessment and compliance management systems (CMS) are all processes with no real shortcuts or magic bullets. Although there certainly are recommended ingredients, you have to continually inspect what you expect.

  9. Audrey
    October 20, 2014 at 2:42 AM

    Through annual Business & Environment Analyses (BEAs), risk assessments, key control as well as key risk testing, risk management reports and risk management meetings with the business, failure of the risk management program is minimized through determining the efficiency and effectiveness of controls used to mitigate risks.

  10. November 20, 2014 at 7:21 PM

    Hi Norman, I live in a developing country (Indonesia), and we are struggling to implement risk management in our government institution. As an internal auditor, what is the crucial first step we should take to convince our client to develop and implement risk management?

    • Norman Marks
      November 21, 2014 at 6:37 AM

      Before any risk management implementation can be implemented with success, anywhere in the world, there has to be executive support. That has to come from the top, preferably the CEO. The board can mandate it, but without the active support of the CEO it will be tough.

      You will have to explain to the CEO why risk management is necessary and how it will help the organization succeed. A focus on complying with regulations will not get him enthusiastic. A focus on improving decisions and optimizing performance will.

      I hope this helps.
