
A great review of World-Class Risk Management

September 2, 2015

My thanks go to Deborah Ritchie, editor of Continuity and Risk magazine, for reviewing and commenting on World-Class Risk Management. My thanks also to James Stevenson for letting me know about it (it was a pleasant surprise!).

This is what she said in the September issue (see page 9).

While the principles of risk management are well established, there are numerous hurdles to be overcome in creating and maintaining a long term, effective and valued programme that truly supports the business. Focusing on this challenge, this book sets about tackling the lofty goal of achieving world class risk management – something that author Norman Marks, having spent his entire career leading audit, risk and compliance programmes for a variety of firms, is well positioned to advise on.

In this, his fourth book, Marks ultimately proposes that world class risk management can support better decision making – not a new idea in itself, but by dissecting the two common standards used for risk management (COSO and ISO 31000) he offers us a new angle through a critique of the steps involved, along with his own recommendations for improving them.

Marks argues that the risk management apparatus we put in place can often develop a life of its own and may be detached from day-to-day management decision making. To help combat this, one simple recommendation is to simply ask the executives about how they make decisions, and to use their response to evaluate and inform how effective and embedded risk management activity actually is. World Class Risk Management offers a pragmatic, practical and yet sophisticated guide to risk management. It will be useful to professionals seeking to improve their risk management programmes and those involved in considering the practical issues associated with COSO or ISO 31000 implementation.

There are some areas where the author’s recommendations may be difficult to implement in full – perhaps no surprise given that truly ‘world class’ risk management is never going to be an easy ask. As Marks himself admits, achieving world class risk management is not easy and very few (if any) have done so, but hopefully the advice in this book will help many business leaders take practical steps to improve and establish a clearer vision of what it might actually look like.

A textbook, dear readers, this is not – neither is it suitable for newcomers to risk management; instead it offers a useful and practical commentary to challenge and advance effective risk management at the executive level.

If you have read the book, I would love to hear what you think about it – both whether you obtained any benefit and whether you have substantial disagreement. As my friend Jim DeLoach has said about the book (paraphrased), “if you are wedded to traditional risk management practices, this is not for you. Norman challenges traditional ideas and makes you think”.

  1. September 2, 2015 at 7:40 AM

    Good review, indeed

  2. September 2, 2015 at 8:37 AM

    Having re-read it twice now, I keep on going back for little nuggets of wisdom to use when I engage in the inevitable C-suite battles regarding the positioning and role of risk management.

    Directors are incredulous when I say that the maturity of decision making in the organisation is measured by how little I had to do as CRO to make sure that all the options and their associated uncertainties are on the table when decisions are made. Positively working myself out of a job – and that’s fine with me 🙂

    • Norman Marks
      September 2, 2015 at 8:40 AM


  3. Glenn Daly
    September 22, 2015 at 12:01 AM

    Just got the book, first comment (more to come) re the emphasis on surveys in the book to justify the contention that risk management is not in a good state etc. Are surveys and the answers given to them a good way of assessing the relative maturity of enterprise risk management? You do not appear to question this aspect in the book at all. The questions in these types of surveys can be interpreted in many different ways, with very big implications for the answers given (the biggest one of them all in my view is the aspect to do with what I would call “formal” risk management process vs “informal” risk management going on in companies every day). Whilst the theory in a perfect world is that the formal and the informal should probably be so integrated and therefore indistinguishable, when people are answering these survey questions they are not in a perfect world, and I am never sure whether they are thinking of simply the formal risk management process set up by their risk department or the wider risk management practiced throughout the company on a daily basis. The way these questions are sometimes written in these surveys also tends to be self-serving and designed to elicit a particular type of answer anyway. Most surveys are designed by consultants who have a particular objective – we have got to be realistic, the chances of a consultant’s survey saying risk management in companies is robust and does not require improvement are probably about zero. Another aspect to consider is that the Boards themselves may not wish to invest in having formal risk management processes, or if they do, they may wish to keep this investment at a level which meets the minimal “governance” requirements only (they of course will never admit this in some survey). A question to ponder…. Is a good risk management process one that meets or conforms to some individual’s perceptions of what is effective vs one that aligns with the objectives of the Board?

    For job security, I suppose the latter wins out, and within this limitation people who are in actual formal risk management roles (those who do not resign and give up) will hopefully try and push the formal risk management aspect as hard as they can and try and progress the Board’s thinking on the value of having both formal and informal risk management, taking on board areas for improvement from people like you and addressing, where they are allowed to, as best they can. Have just started reading the book (some of your observations in the book are quite insightful), will progressively add more comments as they come to hand. Hopefully my comments (some of which you may well take issue with) will facilitate further (as you say) “thinking”. Regards

  4. Glenn Daly
    September 22, 2015 at 12:21 AM

    In relation to surveys quoting “companies in the top 20% of risk management maturity delivered three times the level of EBITDA than the bottom 20%”,….. being in a company that is heavily reliant on commodity prices, which can be very volatile and significantly impact the bottom line, am not so sure profitability is always a good indicator even over a medium term as was done in the EY study (2004 – 2011). If we go through a sustained period of increased commodity prices leading to significantly enhanced profitability, does this mean my risk management is more effective? Not so sure that medium term profitability is necessarily a foolproof indicator either, particularly in today’s world where market volatility is increasing because of the speed of information flows throughout the world. Longer term, probably yes, it is a useful indicator. Regards


  5. Glenn Daly
    September 22, 2015 at 12:40 AM

    Your observation….“A serious issue is that financial services organisations, encouraged by the regulators, have executives charged with risk management (typically with the title of CRO) that are independent of management. The concept is that an independent CRO serves as a check on “cowboy” management, who are seen as quick to take high levels of risks because of the potential for reward. This is not teamwork. This is not the risk expert and the trader working as colleagues to develop trades that are in the best interest of the company. Only when both management and the risk officers work effectively together to consider options and take the right risk will performance be optimised”…..agree entirely with this thought. The problem is that independence plays well in annual reports, and for those companies who are into perception, they like this sort of stuff. I have made the point in a LinkedIn forum discussion that being so-called independent creates difficulties with undertaking my function, in that the part-time Risk Champions in the businesses who supposedly are helping me coordinate a risk update will obviously have some difficulty raising issues when they know they are reporting into a GHO function that reports directly to a Board member (RMC Chairman). Even though I am in theory “independent”, I have such a small risk management team that the only way I can be effective is, as you say, to engage with the business and collaborate with management….I am far from being “independent” in the true sense of the word, and regard one of my roles as being more of a constructive challenger to the business. Would strongly suggest that someone in my circumstances should be working to perhaps the CEO or a management-level Risk Committee, with possibly a Board-level Risk Committee in existence doing a high-level oversight role, checking that the Management Committee is doing its job effectively (after all, management should be the ones who are expert at discussing the risks).

    Seems far more practical and integrates me into the organization more. Regards

  6. Norman Marks
    September 22, 2015 at 12:44 AM

    Glenn, thank you for your thoughtful and constructive comments. I hope that, as you read the book further, I have addressed some, if not all, of your concerns. With respect to the survey, the results are consistent with my less formal “surveys” by talking to board members, CROs, and executives.

    • Glenn Daly
      October 6, 2015 at 3:39 AM

      Dear Norman, thank you for taking the time to respond to my queries – greatly appreciated. Have now read the book in its entirety….as I have mentioned in another post on LinkedIn, whilst there are a couple of aspects I may take issue with, would consider your book one of the rare pieces of risk management literature out there which provides, in my humble opinion, practical and intelligent insights on risk management. As mentioned above, the numerous references to surveys detract a bit from it in my view (if it’s based on your discussions with Risk Heads etc then I would probably have just said this, however I think I understand why you felt the need to include them)…..here are a couple of thoughts though for you to consider…a number of references to internal audit reviewing the risk management “system”…tips on how they should do this? (or is that in your other book on internal audit? or another book to come out in the future?)…. the reason I raise this is because from my experience IA understandably focus on what they can see (ie typically the formal risk management process)..and as we all know, and as you point out in the book, risk management involves decision making all over the organization, and the formal process should (in utopia) be indistinguishable from this…..how to audit this more effectively, giving more weight to what I will call the more important informal aspects?

      On the role of a Board Risk Committee (or equivalent) you indicate they should not necessarily be debating risks etc but satisfying themselves that the overall system is working effectively..no argument from me on this, however as you concede reporting periodically on risks has to be done, albeit against the context of objectives (despite the acknowledged pitfalls with periodic reporting)….but here is the conundrum: by reporting on risks and mitigating measures (even against the backdrop of objectives) we end up provoking the Board Risk Committee to do the very thing we agree should not be done (unless they disagree with management’s conclusion), ie they feel compelled to debate risks and whether they are being controlled properly. Sure we can tell them they should be checking the overall process or system, but if they are getting a report every quarter with this type of info..fortunately I am in a conglomerate where the Board Risk Committee is at a high level and may not always have the necessary expertise on specific risks to debate….still can be difficult though. Any thoughts? Regulatory bodies include the requirement for Senior Management / Boards to sign off on the adequacy of risk management frameworks, and you speak favourably about certain countries (such as the one where I currently reside, Malaysia) having this in their Codes on Corporate Governance..on the face of it good, but how sure are you these Statements are robustly and effectively externally audited? Everyone can write up pretty and lovely statements about what they do (or are thinking of doing) in the Annual Reports….am not so sure the external auditors have the same robustness of validating these statements as they do their bread and butter checking of numbers against accounting standards. An area for improvement maybe? (am not even sure they, ie external auditors, are equipped to be doing the validation?).

      You did not comment on this in the book, or maybe this is a bit too …sensitive for our friends in the Big 4. I highlight this because as a passionate risk management professional who believes in substance over form, I would welcome more scrutiny…am afraid (particularly in perhaps non-FI, non-SOX environments) it is all a bit loose. The requirement is there for a Statement without the necessary intellectual thought put into how on earth it can be effectively validated (both the formal and informal aspects)….particularly important if, as I suggest above, the robustness of the internal audit monitoring of the framework may be slightly questionable….Welcome your thoughts. There are other aspects but will leave that for another day. Regards Glenn

  7. Norman Marks
    October 7, 2015 at 1:28 AM

    Glenn, I appreciate your comment. I achieved my purpose, which was to stimulate thinking about the effective management of risk. I never expected that everybody would agree with everything I suggested. I will have to think about your comments if there is a second edition or if I decide to write a book about auditing risk management. Again, thanks!
