The risk of ineffective risk management
Very few risk practitioners perform any kind of risk assessment regarding the possibility that the risk program at their organization might fail to deliver.
Yet we continue to read reports from consultants that executives and boards have less than full confidence in those risk management programs. For example, a 2013 Deloitte report found “only 13% of companies rate their risk management programs 5 out of 5 in terms of supporting the development and execution of strategy, and 40% consider them inadequate”.
We are also continually reading reports about organizations, many of whom probably feel that they have decent risk management in place, being badly surprised.
I am a strong believer that those responsible for risk management should understand, based on a regular assessment, the likelihood that their risk management processes might fail and how that might impact the organization.
With that in mind, here are a few questions to consider. I would appreciate your comments and also your suggestions of other questions to ask about risk management.
- How confident are you that new risks, or changes to existing risks, that might be significant to the organization’s success will be identified early enough to take necessary actions?
- Does the process for risk aggregation work in a reliable fashion, including the timeliness of aggregation?
- Will information about new risks or significant changes to known risks flow as quickly as necessary to the individuals able to take action?
- Will that information also flow as quickly as necessary to those responsible for risk oversight, especially when risks are now outside acceptable levels?
- Is there a possibility that management (at any level and for any reason) might intervene inappropriately and change the information flowing to decision-makers?
- What is the likelihood that the results of your processes for assessing risks (including changes to risks) will be in error to the extent that incorrect information is provided to decision-makers for action? Consider the reliability of models (including assumptions incorporated into the models); the level of attention given by those responsible for risk assessment; whether the best people are involved in risk assessment; and so on.
- Is there a possibility that risk criteria/appetite statements used to evaluate risks are out of date or otherwise ‘wrong’ for the business?
- What is the likelihood that, when decisions are made on whether the risk is acceptable or not (i.e., when the risk is evaluated), the wrong assessment is made?
- What is the possibility that sub-optimal actions are taken to treat the risk, when needed? Consider the reliability of the information used in the decision, including whether all available options are considered; whether the appropriate individuals are making the decision; and whether the risks inherent in each option are understood and appropriately considered.
- What is the likelihood that those responsible for taking risks (including in daily decision-making) are unaware of the level of risk that is acceptable and how their decisions will affect overall acceptable levels?
- What is the level of confidence that those responsible for taking actions, which may include many people across the organization, are aware of their responsibilities?
- What is the likelihood that individuals relied upon to take action in response to risk take those actions as desired?
I welcome your thoughts and suggestions for additional questions. I would love to hear from those who have assessed the risk of risk management program failures.