
Does PwC understand risk management?

I would like to say that the answer is “yes”, because I used to work for PwC and know many of their people – very good people.

I would also like to say “yes” because COSO has hired PwC to lead the update of their Enterprise Risk Management – Integrated Framework.

But, I cannot say that they do – at least not what is required for the fully effective management of uncertainty.

I think they understand much of the common, traditional wisdom about risk management, that managing risk is about avoiding threats as you strive to achieve your objectives.

But, I think they fail to understand that uncertainty between where you are and where you want to go contains both threats and opportunities – and managing risk is about making intelligent decisions at all levels of the organization, both to limit the effect and likelihood of bad things happening and to increase the effect and likelihood of good things.

Risk management is more than a risk appetite framework set by executives and approved by the board.

It is more than “embedding” the consideration of risk into the strategy-setting and execution processes.

It is more than enabling the board and executive management to make informed decisions, or even for division leaders to make informed decisions. Every decision, whether by executives or junior employees, creates and/or modifies risk.

No. Effective risk management is something that is (or should be) an integral part of making decisions and running the business every minute of every day, at all levels across not just the enterprise but the extended enterprise.

It’s about enabling decision-makers to take the right amount of the right risk.

What’s the point of a risk appetite statement if it is not effective in driving decisions, which occur not only in the board and executive committee rooms, but in every corner and crevice of the organization?

I am using PwC’s latest publication as the basis for this opinion. While Risk in review: Decoding uncertainty, delivering value (subtitled How leading companies use risk management to drive strategic, operational, and financial performance) makes some good points, it also misses the key point about enabling decision-makers to take the right amount of the right risk. It focuses instead on a view of risk management that is centered on a periodic review of a limited, point-in-time list of negative risks – such as those found in a heat map.

(The good point made by PwC is that risk and strategy need to be entwined, both in the setting of strategy and its execution. It is also useful to see that few organizations, just 12% in their view, have achieved PwC’s limited view of risk management leadership.)

I will let you read PwC’s ideas and limit my comments to their Five steps to risk management program leadership.

1. Create a risk appetite framework, and take an aggregated view of risk

I have no problem with the principle that the board and top management should understand and provide guidance to decision-makers so that they take the right amount of the right risk. I also agree that there are multiple sources of risk to any business objective, and that it is necessary to see the full picture of how uncertainty might affect the achievement of each objective.

But, as I said, a risk appetite framework has little value if it is not sufficiently granular so that every decision-maker knows what he or she must do if they are to take the right amount of the right risk. Few organizations have been able to translate a risk appetite statement to actionable guidance for decision-makers, even when they try to use risk tolerance statements. Risk criteria at the decision-maker level must be established that are consistent with the aggregated enterprise view, and this is exceptionally difficult in practice.

In addition, decision-makers should not be excessively inhibited from seizing opportunities or taking/retaining “negative risk” when it is justified. The focus is far too often on limiting risk, even when it is at a level that should be taken.

2. Monitor key business risks through dashboards and a common GRC technology platform

I agree that every decision-maker should know the current level of risk. But what is key is that the decision-makers have this information. While it is nice to have the risk function aware of current levels of risk, it is the decision-makers who have to act with that knowledge.

Further, why this nonsense about a “GRC technology platform”? Let’s talk about a risk management solution. I know that PwC makes a lot of money helping organizations select and then implement GRC solutions, but we are talking about risk management. Let’s focus on the technology needed for the effective management of risk by decision-makers at all levels across the organization. Integrating internal audit and policy management is far less important (IMHO).

Finally, people forget (and that includes PwC) that you need to monitor risk to each objective, not risk in isolation. Executives and managers need to receive integrated performance and risk information for each of their objectives.

3. Build a program around expanding and emerging business risk, such as third-party risk and the digital frontier

Everybody talks about risk expanding, that there is more risk today than in the past. I am not sure that is correct. Maybe we are just more attuned (which is a good thing) to thinking about risk, and certainly risk sources are becoming more complex. But is there actually more risk?

PwC talks about third-party risk, but that is not new at all. I wish they would talk about risk across the extended enterprise, which would broaden the picture some.

Technology-related business risk clearly merits everybody’s attention. It is unfortunate that insufficient resources are being applied by the majority of organizations to understanding and addressing both the potential harms and benefits of new technology.

4. Continuously strengthen your second and third lines of defense

Is there a reason we shouldn’t strengthen management’s ability to address uncertainty? (They are the so-called first line of defense.) Instead of the risk function feeding fish to management, why not train them to catch their own fish? Every decision-maker should be trained in disciplined decision-making, including the disciplined consideration of uncertainty.

Yes, the second line (risk management, compliance, information security, and so on) should be strengthened.

But, internal audit should not be limited to being seen as a “line of defense”. For a start, risk is not always something you need to defend against – often it should be actively sought as a source of value. Then, internal audit should help the organization actively take the right amount of the right risk, which it does by providing assurance that the processes for doing so are effective and by making suggestions for improvement.

I much prefer to talk about lines of offense. When you attack, you still need to be aware of IEDs, sniper positions, and mines. But the focus is on achieving success rather than avoiding failure.

5. Partner with a risk management provider to close the gap on internal competencies

Such a self-serving platitude! Yes, fill resource gaps with competent, knowledgeable professionals. But don’t hire a consultant to run periodic workshops – fill that need in-house.


Am I unfair to PwC?

Do they understand risk management and what it needs to be if an organization is to make the most of uncertainty?

We need to be tough on them if they are going to help COSO bring their ERM Framework up to the standard required for today and tomorrow – enabling better decisions so everyone takes the right level of the right risk.

I welcome your thoughts.

  1. April 18, 2015 at 9:49 AM

    Well summarised, Norman. I feel equally conflicted, as I was part of the working group responsible for PwC GRC risk methodology review back in 2011. However having spent last 4 years as a CRO and away from consulting, I strongly feel Big 4 (not just PwC) have a very vague, purely theoretical understanding of risk management.

    • Norman Marks
      April 18, 2015 at 9:52 AM

      Thanks, Alex. I wonder if Richard Steinberg will agree.

  2. April 18, 2015 at 12:53 PM

    Norman, definitely agree. There should only be a focus on risks because they impact objectives. I take the simplistic view that risks are always a threat to objectives but that one of the biggest risks is not taking risks! Risks are a fact of life. If your organisation needs to grow the secret is to maximise the risks you can take without losing the family farm.

  3. hiram
    April 18, 2015 at 1:16 PM

    Insightful summary.
    I have seen organisations where a risk management function exists but is not getting sufficient attention from senior management and the board. Rather, it is staffed and it’s hoped it works out… almost like these organisations don’t know what to expect from risk managers.

  4. April 18, 2015 at 2:58 PM

    Thanks Norman for this summary, and I agree with your points. In the Director education programs I lead, I talk about the fact that Risk is not just about avoidance, but also about how we use risk. For the for profit sector, there is a need to actively take on risk to achieve a profit. For the Public Sector or Not for Profit sector, where profit is not the motive, but where funding is often diminishing, the ability to maintain or increase services or performance and not make a loss is around how the organisation takes on and actively manages risk (i.e. opportunities).

    In regard to computer solutions, in one organisation where I chaired their Audit and Risk Committee, there was no computer based solution, but over time management identified three fundamental questions, and these questions became the “mantra” for all staff in the organisation, and these questions were all about risk – this led to one of the most effective risk management “systems” of any organisation I have been aware of.

    As technology is now becoming a discussion point in the board room (seriously long overdue), everyone is jumping on the 3rd party risk scenario. Organisations that have been involved in outsourcing or complex supply chains have been thinking of this and the associated risks for a long time. Outsourcing is a risk mitigation tool, but most people seem to forget that whilst it is a risk mitigation tool, the organisation cannot transfer accountability.

    Finally, I appreciate your comment on potential conflict of interest; it is a growing concern of mine as a Director and Chair of numerous Audit and Risk Committees, the growth of the consulting arm of all the “professional services” (a.k.a. accounting) firms and the potential for lack of independence in audit and advisory services again.

  5. Les Mitchell
    April 18, 2015 at 7:52 PM

    I’d say a bit unfair. Maybe because I read your thoughts followed by PwC’s publication but I found both useful and did not notice a major divergence in the message I gained from both. That, “…taking a risk-enabled approach to growth, examining both the risks and opportunities to help them understand where they should focus their efforts…” is an important message that does not seem to be reflected yet in practice in a majority of organisations. I look forward to improving my understanding, and hopefully practice within the organisation I support, by being able to consider the range of information sources that supplement my experience.

  6. CRGessentials
    April 19, 2015 at 1:56 AM

    I agree with your key points Norman but believe that practitioners who share our views ought to dump the phrase “line of defence”. Its fatal flaw is that it flows from the one-dimensional “anticipate and avoid/minimise threats” notion of risk exemplified by PWC’s work. It is absurd to consider opportunities as things against which an organisation requires defence.

    The three line model is fine but in my workshops I use “lines of engagement” rather than defence; it feels like a better descriptor. What do others think?

  7. CRGessentials
    April 19, 2015 at 2:00 AM

    Sorry, last comment came in over my corporate handle – it’s Greg d’Arville from Australia here.

  8. April 19, 2015 at 2:49 AM

    I think you are right, Norman. I learned my first words and took my first steps in RM with PwC but COSO has long disappointed me. As an AC chairman and NED, the PwC approach is not what I/ my organisation need to address real issues of opportunity and uncertainty. And I recognise only too well the sale of “here’s one I prepared earlier” solutions to naive but aspirational customers. It’s sad when there is so much talent out there.

  9. F Araj
    April 19, 2015 at 5:13 AM

    Ouch! While I’m a big fan of COSO IC, I find the ERM framework a bit confusing and in particular the differentiation between it and COSO IC (How do you identify risk in COSO IC without identifying events, an ERM component? How do you have a holistic internal control framework without responding to risk, an ERM component?) Hopefully the COSO ERM update will do more than just break down the framework into principles of ERM!

  10. Ehtisham Syed
    April 19, 2015 at 7:00 AM

    See my response @ https://lnkd.in/eBVvUxv

    • Norman Marks
      April 19, 2015 at 7:57 AM

      Ehtisham, your explanation of uncertainty as a lack of knowledge about the future doesn’t change my point, since the effect of uncertainty on objectives is risk. You get to the same place by talking about the uncertainty that lies between where you are and where you need to get as talking about the imperfect knowledge you have about what lies ahead. I believe it is easier for people to understand uncertainty the way I put it, but recognize that ISO 31000 portrays it slightly differently.

      Do you agree?

  11. April 19, 2015 at 7:08 AM

    Good article, as usual, Norman.
    I’ve only read PwC’s Exec Summary, but came away with the feeling that they are promoting opportunity orientated calculated risk taking. So you might have been unfair. But behind the scene I’m also a bit reluctant and not so optimistic re the new COSO ERM Framework in the making.
    If I had the influence you should have chaired the COSO ERM group.
    Last week I was part of a seminar for BoDs in savings banks. Tomorrow I’m holding a seminar on insurance company risk strategies. My experience is that the BoDs of financial institutions are trying to get a breath of fresh air under the regulatory tsunami that has hit them. I’ve been into ERM the last 20 years. It seems that the Basel committee and EIOPA have reinvented ERM and created their own frameworks, processes and definitions. The amount of consultancy work going on in these institutions is staggering, mainly conducted by the Big 4. The whole intention behind Basel 3 and Solvency 2 is to protect the institution against downside risks. This then becomes a part of their consultancy ERM-practices.
    I’ve probably gone the whole cycle in ERM by now. I totally agree with the thinking of the ERM Evangelist. The basics of ERM are quite simple; and the aim is to get the thinking and behavior into the culture of the company. ERM is simply good management practices.
    What worries me the most is the (lack of) quality in decision-making. Good decisions, and only that, are the future of every organization. Having read D Kahneman et al, I wonder if we’re good at it. As McKinsey questions in a recent report: will artificial intelligence take over the C-suite? Exciting times ahead.
    I hope that the new COSO ERM will not be influenced by a heap of regulatory jargon. I’m afraid they’re going to complicate things. To me ERM is: Focus on the things that really matter (up/down). Keep it simple. Everybody has to understand.
    Keep up your great evangelical work, Norman.
    Kind regards,
    Per Aakenes

  12. Ehtisham Syed
    April 19, 2015 at 11:10 AM

    Norman, when you say uncertainty is the lack of knowledge about the future and that risk is the effect of uncertainty on objective then aren’t you making the case that risk has only downside effect EXCEPT one is lucky? https://lnkd.in/dMgeDiX

    • Norman Marks
      April 19, 2015 at 3:22 PM

      Ehtisham, that is not what I mean. Risk is the effect of uncertainty on objectives, and that effect may be either positive or adverse – and, of course, you can have a combination of effects, some of which are positive and some are negative.

      I don’t know, when I start down the freeway, whether there will be an accident (with an adverse effect) or whether I will be able to safely change lanes as needed and arrive at my destination early.

      • Ehtisham Syed
        April 20, 2015 at 6:01 AM

        How do you define opportunity?

        • Norman Marks
          April 20, 2015 at 6:29 AM

          I don’t define opportunity as the negative and risk as the positive, because I see risk as either effect on objectives.

          If I use the word ‘opportunity’ it would be a situation where, if action is taken, a (net) positive effect can be achieved.

          Does that work?

          • Ehtisham Syed
            April 20, 2015 at 7:00 AM

            No, it doesn’t.

            You said, opportunity is a situation where, if action is taken, a (net) positive effect can be achieved.

            Now back to your example: “I don’t know, when I start down the freeway, whether there will be an accident (with an adverse effect) or whether I will be able to safely change lanes as needed and arrive at my destination early.”

            I have two questions for you.

            Do you know that you are taking opportunities by safely changing lanes as needed to arrive at your destination early? Note also that every opportunity entails risk.

            Second, you said a (net) positive effect can be achieved. The question is how you can be so sure that safely changing lanes in the first place is free from any accident down the journey that may bring one to a hospital instead of initial destination?

            • Norman Marks
              April 20, 2015 at 7:10 AM

              My answers:

              1. Yes
              2. I cannot be sure. So I treat the potential for harm with controls (setting the rear-view and side mirrors properly, and maintaining my turn signals) and actions (looking carefully and signalling before changing lanes). I also treat the potential for good by only changing lanes when I can see the potential is high and highly likely.

              • Ehtisham Syed
                April 20, 2015 at 7:20 AM

                So you are agreeing that risk is the potential for harm and opportunity is the potential for good?

                • Norman Marks
                  April 20, 2015 at 7:27 AM

                  No. I use ISO 31000 terms. But if you prefer the COSO terms, they can be made to work.

                  • Ehtisham Syed
                    April 20, 2015 at 7:29 AM

                    It is not about COSO or ISO terms. These are common dictionary terms.

                    • Norman Marks
                      April 20, 2015 at 7:31 AM

                      You are defining these terms the way COSO does. I am defining them the way ISO does. I agree that common parlance is that risk is negative – which creates a problem in the understanding of risk management as encompassing both positive and negative.

                    • Ehtisham Syed
                      April 20, 2015 at 7:32 AM

                      Thank you for your time, Norman. It was a very useful discussion.

    • Norman Marks
      April 20, 2015 at 7:12 AM

      Ehtisham, are you familiar with ISO 31000? I thought you were.

  13. Clay Moran
    April 19, 2015 at 2:19 PM

    Norman, I can highly relate to your point that risk management is more than audit readiness. PwC is largely an audit firm, which causes their risk assessment to focus on audit-based principles. The truth is that other components of risk are becoming increasingly impactful to organizations, which at the same time are difficult to measure. Consider partner due diligence, reputation risk, stakeholder buy-in risk, among others. For these, indicators required to assess the risk may be more subjective and not clear cut.

  14. Norman Marks
    April 19, 2015 at 3:26 PM

    Please see this earlier piece for my thoughts on internal audit as a line of offense:


  15. Deepak Mukherjee
    April 19, 2015 at 8:38 PM

    Well conceptualized Norman! Great write up. While I agree with what you have said I would replicate your thoughts for any professional services organization (i.e. service providers from outside). PwC has developed perhaps the most well balanced RM framework that can be used pretty effectively by an organization. Having said that, we also know that there is only so far a service provider can go. It is the people of the organization who have the best seat in the house when it comes to understanding of risks. Therefore, what I believe will work best: use the PwC RM framework, educate and build bridges across the functions. Use the organization’s insights as the ingredients and see an effective Risk Management culture evolve.

  16. Arafat Naviwala
    April 19, 2015 at 11:48 PM

    Well written, Norman. I totally agree with you; however, I would like to mention the reason for this as well. I was also a part of PwC in their Internal Audit section and felt that the information and knowledge about the ERM was not properly disseminated to each office of PwC. Maybe the people in the USA who did get involved in the drafting phase of COSO would be well versed with the concept, but these concepts were not properly explained to my PwC office, and I believe the same level of information was kept in other offices of PwC around the globe.

    I totally agree with Alex as well, as all big four firms are not very clear on the Risk Management function and GRC. I have attended many conferences and seminars in which they were presenting contradictory knowledge regarding these subjects. I believe there hasn’t been any combined effort by all big four firms to make the concept clear; currently each of them has their own interpretation of these concepts and their opinion is also biased by their commercial benefits.

  17. Gregory Sosbee
    April 20, 2015 at 7:14 AM

    Very good blog Norman. This quote “It’s about enabling decision-makers to take the right amount of the right risk.” sums it up for all involved.

  18. Arnold Schanfield
    April 20, 2015 at 8:09 AM

    You are being very fair to them Norman and I wish you had said this years ago. But we all evolve our thinking and relationships with folks and your evolvement to this way of thinking has been dramatic. It was always a bit frustrating for me to deal with you as I have always seen you as being this super intelligent guy who somehow should have nailed weak materials to the wall. But now you are doing this. As I stated years ago at a leadership conference we both attended in Florida from the IIA, it will not end well for COSO. I have used this expression on numerous occasions no different from my expression of “charlatanism.”

    Now the way I see it, they do not understand risk management. They did not understand risk management which is precisely why I quit the firm. I was interested in business development and more specifically years ago recognized the need to have companies perform proper risk assessments. The partners I worked for- all good people- were more interested in targeting companies for quality assessment reviews of the various internal audit functions, a useless activity for organizations since they always used this to try and get the companies to outsource their internal audit functions.

    Now the selection of PwC by COSO is just an example of the blind leading the blind. Who should they have selected? KPMG, E&Y, Deloitte? Would the results have been any different? So we should recognize the difference between someone being a good person and someone being knowledgeable and experienced. Some of us have honed our skills in this discipline over many years through extensive industry and professional experience and more importantly networking with folks in this discipline from around the globe and some have not. The fun thing is that you need to do absolutely nothing at all as they will come begging for your assistance and guidance and the reality of the situation is that you will have to decide among several dozen opportunities whether you want to help them. As I previously indicated, a number of us would agree to help them with this COSO monstrosity but it has to be on terms and conditions much different from what they envision. They brought this disaster on themselves from a combination of ignorance and arrogance. It is ridiculous that you can easily pick apart their documents and there is dead silence from them. Let their thought leaders respond to you.

  19. Per Aakenes
    April 20, 2015 at 11:08 AM

    The flood doors have opened, Arnold. Seems like the COSO ERM committee needs to do their own ERM analysis (according to ISO 31000) before going any further; which needs to include a stakeholder analysis. Why not even a pre-mortem?
    On the issue of quality in decision-making McKinsey issued the following article today http://www.mckinsey.com/insights/strategy/are_you_ready_to_decide. Otherwise I highly recommend Stanford Strategic Decisions & Risk Mgmt. Great stuff.
    All the best/ Per

  20. April 20, 2015 at 12:44 PM

    Norman, you and I have talked past each other before. And I don’t want either one of us to waste our time continuing to do so. I would hope we can agree that there are so many interpretations of risk and risk management, meaningful debate and discussion is a challenge from the get-go.

    My interest is to find some common ground for mutual benefit, albeit maybe more mine than yours. But, I believe I am starting to see a distinction between our views that may be worth noting.

    It seems to me that the management of risks you describe is oriented toward controlling the amount of the risk burden, both at the level of individual risks and also the accumulation of all accepted risks. To me, this is risk identification, not risk management. My view is that the management aspect is about controlling the possible transformations of benign risks into real problems. I see this as a continuing aspect of risk management which is consistent with my view that risk management is a line, not staff function.

    My reading of past PWC postings on their view of risk management have been consistent with the “amount of risk accepted” view. (I am an alumnus of C&L on the consulting side.)

    Surely there is a critical value of managing (i.e., avoiding, anticipating, detecting) the potential transformations of the accumulated benign risks. What would you call this phase? Mitigation? If so, is risk mitigation a part of risk management? To relegate this to general management would seem to sever the discipline of risk management from the final payoff and credit.

    Maybe my critical eye labels the management of accumulated risks too harshly by calling it risk identification only. However, I believe such bias can easily cause frameworks such as COSO and ISO 31000 to place too little emphasis on the subsequent phase that is unquestionably necessary.

  21. Norman Marks
    April 20, 2015 at 5:47 PM

    Tom, I am not sure we disagree. I think we use different language.

    I concur that the identification, assessment, evaluation, and response to risk are all line and not staff responsibilities. A line risk management function can help, but not take responsibility or ownership of these.

    The response to risk is what I believe you are referring to as the subsequent phase. Is that correct? That is where management acts to improve potential effects of uncertainty and their likelihood.

    • April 21, 2015 at 6:13 AM

      Norman, I believe we are in agreement. I offer three examples from my perspective.

      Avoidance: the building I manage is between a Federal Courthouse and City Hall. Our building is taller than the first and about the same as City Hall. Our risk management plan led us to secure the access to our roof so someone with a deer rifle and a grudge against a federal judge cannot gain access except with great difficulty (and noise).

      Anticipation: the office building is on a main street. I believe there is a risk of a toxic spill on or very near the premises. I have no influence over the amount of uncertainty about this happening, however if it does, I must have plans in-place to respond quickly and decisively.

      Detection: the transformation of a benign risk into a real problem may start small and grow gradually. Negative trends regarding the reliability, prices and/or schedule commitments by a supplier may start small and go unnoticed. I prefer to set what I call tripwires, defined well before any actual issue, that alert to the need for action to mitigate – could be a threshold such as >2% price increase in 6 months.

      I see little emphasis on these mitigation tasks in the swirl of risk management discussions. But, in my opinion, this is where the rubber meets the road. I am very glad to learn you believe mitigation tasks come under the umbrella of risk management.

      In a discussion with a former PWC risk management consultant a couple of years ago, he characterized their approach as being at a high altitude. I see more value in being much closer to the ground.

  22. Mark Wilson
    April 22, 2015 at 5:31 AM

    It seems PwC’s five steps to leadership are not far up the maturity curve (perhaps they want to open the other doors under step five as they will naturally reserve their best advice for fee paying clients!) However, to be fair it’s not just PwC, but the broader audit profession that is to blame for focusing on the threats/negative aspects of risk. As a profession, each one of us has an obligation to correct these misconceptions. Let’s be clear, “risk management” is suffering an identity crisis!

    I broadly agree with your observations on lines of defence. I have accountability for risk AND internal audit and it works well. For the doubters, you need to try this model to realise it is the best fit. But we can’t be both second and third line (defenders and goalkeeper); the 3 lines model is far too simplistic. Naturally, this means we spend a lot of time strengthening the first line of defence (the best teams have forwards and midfielders that are focused on defence too).

  23. April 24, 2015 at 1:33 PM

    Norman, it seems that your argument with the PwC approach is not that they do not understand risk management, but that they have not taken it outside a comfortable internal audit zone. Clearly, they have identified the right pieces to gaining information about risk and setting up a company to manage it. However, they do not then push through their comfort zone to then meet the needs of our stakeholders to be creative, provide insights and change the risk management paradigms.

    Auditors are smart people who look at evidence to solve problems – typically the problem of why a control failed (past tense). The assumption is that there must be a solution and we need to work to find it. With risk management, especially leveraging risk tolerance into opportunity taking, we face two challenges. First we must look forward (or at least around) rather than backwards. Second, in this case a tangible problem does not exist – no broken controls, crisis from which to recover or giant law with which to comply.

    Where I see the PwC guidance falling short is that it does not provide ideas to explore to build creativity, to utilize our business acumen, in short, to find ways to better meet the expectations of senior management.

    I didn’t realize I was a fan of creative internal auditing until I took my current position with a family-owned company, and found that their concepts of how “internal audit can help the business” and my learned ones were very different, and the extent to which the old ideas simply did not resonate.

    Thanks for another insightful piece!

  24. May 4, 2015 at 12:56 AM

    Fully agree, Norman. No additional comments.

  25. May 6, 2015 at 1:22 AM

    Totally agree, Norman, and my fear is that their brand and reputation will overshadow their potential shortcoming on the COSO update, which may re-enable those decision makers that don’t want to change their risk management practices, as it’s hard, and it’s even harder to make the intuitive leap that an organisation with better, more embedded risk management becomes more agile. Just like an F1 driver whose comment was ‘the better the brakes, the faster I drive!’

  26. May 11, 2015 at 12:52 PM

    Norman, I agree with your comments. Thank you for sharing. Please know, my next set of questions/comments is not directed toward you per se, but rather questions/comments on which I would welcome your (and others’) perspective.

    1. Do the members of this discussion agree that the term “Risk Management” is vague in and of itself? If so, how would you re-phrase the subject matter to be more specific and more meaningful to drive clarity?
    2. Do the members of this discussion agree that risk management needs to be attached to a business process, i.e. not one that is disconnected through a centralized function?
    3. Aren’t we striving to manage risk inside the “decision process” (which is not well defined today and non-standard across different people’s fluencies) at different decision nodes (i.e. decision-makers) that influence a business’ performance both inside and outside an enterprise?

    In other words, don’t we want decision makers to augment their existing business processes with risk management processes so they can become aware of the risks, do their best to control the risks (yet knowing it will never be a perfect risk-managed world) and shape risk-managed decisions (again, as best as can be done in the context of the information available) so as to not negatively influence other stakeholders’ outcomes? The stakeholders in this context are: other process owners, investors, businesses (e.g. in a supply chain), etc. Once the businesses have the appropriate infrastructure in place (as noted above), wouldn’t they then want to put in processes to monitor the ever-changing risk indicators?

    Thanks for sharing your perspective.

  27. Karen
    May 24, 2016 at 10:06 AM

    It’s difficult to argue with some of the comments posted here. The vast majority of Risk Mgt (ERM) efforts have focused on value protection and as a result are indeed defensive in nature. It’s a common misconception to think that traditional ERM, which often begins by focusing internally, mapping internal processes, facilitated internal workshops and a heavy focus on internal functions, can provide you with anything opportunistic (to leverage uncertainty for advantage) or that it can even provide you with all of the risks an organization faces (risks come from everywhere), including external forces. A transformation is needed in thinking. I was ready to leave risk management entirely (20+ year career in this field) when, after working with business growth leaders (not risk execs), I discovered a new way to address risk opportunistically. It’s a different way of thinking about risk: situation based, and it focuses on the big changes that organizations are seeking to make as part of their strategy or those imposed upon them. Identifying, evaluating and then navigating risk (you can’t manage a lot of these risks) is what I found to be highly effective with the business growth leaders. It’s not about just integrating risk, augmenting processes with traditional “risk processes or approaches” or getting a seat at the table. It’s more than that; it’s a different approach. My focus has been on transforming thinking, as this is a new way of thinking; old approaches, methods, etc. don’t work. I work as a senior exec for a Big Four firm (client facing) and was recently hired to transform thinking (internally and externally) in this space, and I am going to give it my best shot, leveraging a strong brand and a great reach. I have seen the value of this new approach with business leaders and I believe that a great opportunity exists for Risk Execs to engage in new conversations, use new methods, analytics and data, and to provide significant value in terms of opportunity.

  28. Edward Clark
    January 22, 2017 at 6:16 AM

    Two points.

    First, Norman, your description of the granular nature of the RM process is the top-down version of my description of why we need a relative risk register. If the register does not build by supporting tactical, operational and strategic risk, it’s just another spreadsheet.

    Second, one of the reasons we stress having a comprehensive risk management program is that both the proactive and reactive actions taken to mitigate risk (especially during a crisis) oftentimes better prepare you to move your organization in a direction that may have otherwise stopped or slowed progress.
