World-Class Risk Management
For several years now, I have been writing, speaking, and networking with people around the world to discuss risk management. I have reviewed hundreds of articles, surveys, and other publications on the topic, and written about them in my two blogs (on the IIA site and on my personal site).
Writing makes you think, especially when you find something lacking in what you are reading and want to understand what it is – and then convey that to your readers.
All of this has helped me grow in my understanding of risk management – especially when I have an opportunity to debate and discuss the topic with world-class practitioners. I started in 1990 as the leader of an internal audit function taking a true enterprise risk-based approach and helping management understand and address the risks that matter, added the responsibility of building a risk-management function nearly 10 years ago, and today I am a semi-retired and self-styled evangelist for better-run business. This means that I try to help people run their business better through the effective management of risk, oversight and governance of the organization, world-class internal audit, and the wise deployment of technology.
I had fun writing my book on World-Class Internal Auditing. So much so that I decided to write one on World-Class Risk Management (with the advice and support of luminaries such as Grant Purdy, John Fraser, Martin Davies, Jim DeLoach, Alex Dali, Felix Kloman, Arnold Schanfield, Richard Anderson, and more).
Grant Purdy was kind enough to write a challenging foreword.
What is risk management, truly, and what makes for a world-class risk management capability? Why do so many top executives and board members have difficulty seeing how enterprise risk management makes a positive contribution to the success of the organization?
These are the key questions I tackle in the book. A continuing theme is the need to make the management of risk a key ingredient in intelligent decision-making and the successful running of the business. I believe risk management is about more than avoiding pitfalls and threats; it’s about taking the right level of the right risks so that performance and value are optimized.
The book walks through each aspect of effective risk management, including culture; framework and context; risk identification; risk assessment, evaluation, and treatment; and complex issues such as whether a risk management function with a senior executive as chief risk officer who reports on risk to the CEO and the board is necessary or even healthy; whether you can or should try to calculate a single value for the level of a risk; whether risk appetite works in practice; issues with heat maps and other risk reporting methods; and more.
Finally, I suggest that a world-class risk management program goes beyond what many hitherto have described as effective. I depart from both COSO ERM and ISO 31000:2009 guidance on effective risk management, and I describe and explain my view:
Not everybody will agree with the ideas and suggestions in the book. My hope is that through open minds and discussion, it will spark a debate that will move the practice of risk management forward.
Expert reviews include:
- “Whether you are a manager, an assurance provider or a risk management professional, the way Norman has written this book and the good sense it contains should cause you to rethink your understanding of risk and how you go about recognising and responding to it.” – Grant Purdy
- “I found World-Class Risk Management an engaging and interesting read. Fair warning: This is not a text book; it is a point-of-view book. If you are only interested in preserving the status quo, I advise you to put this book down! Now! But if you welcome a challenge to your view as to how risk management should function, I encourage you to let Norman take you on a journey to world-class risk management. These changing and disruptive times require that we constantly up our game.” – Jim DeLoach
- “In the last 6 years, Norman has evolved and challenged narrow-minded views of risk management that have a bureaucratic audit or compliance-focused approach, as well as academic thoughts that do little to increase the performance of an organization and create value. Today, he has gathered his current state of knowledge in risk management in his new book exploring, reviewing and questioning the concept of “World-Class Risk Management” with references to the internationally-adopted ISO 31000 risk management standard.” – Alex Dali
 My earlier book, Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization, is available from the IIA Bookstore or on Amazon. I also have a short book, How Good is your GRC?: Twelve Questions to Guide Executives, Boards, and Practitioners.