
The State of Risk Management in Canada

October 17, 2015

I don’t remember the last time I heavily criticized an IIA publication. While I disagree (heartily) with the naming of the Three Lines of Defense model, it does a decent job of describing the distinction between the responsibilities of operating management and internal audit. So, I don’t call my criticisms of the IIA’s commentary on the model a “heavy criticism”.

I wasn’t looking for anything to criticize when I started reading a publication by Crowe Horwath in collaboration with IIA Canada. Mastering Risk: The State of Risk Management in Canada 2015 is a mish-mash of confused thinking about the management of risk, the design of internal controls, and the effectiveness of the internal audit function.

First, how can anybody “master risk”? Nobody can predict with certainty what might happen, let alone dictate its effects on the organization. The management of risk is riddled with uncertainty; even the most mature risk management activity can only provide its best guesstimate of what might happen and do its best to optimize the consequences.

Second, does this report provide any true insight into the “state of risk management”? Does it indicate whether risk management is effective, helping organizations execute on strategy, make informed decisions, and deliver optimized performance? The report has nothing to say – yet, isn’t that the promise of the title?

Third, since when are risk management professionals defined as including “members of the internal audit, risk management, or internal control functions, along with operational managers who have responsibility for the application and maintenance of internal controls”? By combining these three separate activities, which they have done in spite of first promoting the three lines of defense model, they make it difficult to know when they are talking about risk management vs. internal control vs. internal audit.

Only 26% of the respondents were true risk management professionals. The majority, 56%, were internal auditors.

I am not going to list all the problems with this report. I only want to point out one interesting survey statistic.

Exhibit 11 lists the areas of internal audit focus. The survey asked respondents to select areas where “Your organization’s internal audit work provides an ongoing assessment”. The areas from which they had to select do not include any reference to the management of risk!

Why am I taking the time to review and discuss the demerits of this document?

  1. We all need to recognize that many self-proclaimed risk management experts have a poor understanding of its effective practice
  2. We need to keep the “thought leaders” and those who ascribe to that title honest. When they publish rubbish, they must be called out
  3. If you are selecting consultants, make sure they are worth what they charge
  4. When you read guidance like this, it is not surprising to see surveys of board members and top executives saying that they lack confidence in the management of risk and that it does not make a valuable contribution to the execution of business strategies


By the way, what is the state of risk management in Canada?

  1. Rajarshi Ghosh
    October 17, 2015 at 9:26 PM

    Hi Norman, I think you have given a very relevant summary of the risk management practices and how this aspect is being pursued and applied in an organizational context. Risk management is so broad based that there is always room for criticism and constructive criticism, and we believe that this is how we improve upon the risk function, making it more relevant.

  2. October 18, 2015 at 2:47 AM

    Norman, while agreeing with your three specific comments above, I think you may be being rather harsh in describing it as a ‘mish mash’. The four opportunities listed in the report seem valid. However, they are not set into context and, as a result, the conclusion and executive summary are more of a shopping list (and nothing new).

    The only reference to a link between the organisation’s objectives and risks appears on page 12; there is no mention of this important link in the executive summary. I think the summary is a ‘mish mash’ and a lost opportunity to emphasise the importance of managing risk in order to achieve objectives. The phrase, ‘the need to master risk to gain competitive advantage’ is a sound bite that doesn’t do this and is irrelevant to some organisations.

  3. gavin
    October 19, 2015 at 2:05 AM

    Norman, agree, keep it simple and focused. I just cannot understand why people have to make it complicated.

  4. Ian Clegg
    October 19, 2015 at 11:47 PM

    Your comments resonate strongly. As a risk practitioner embedded in an internal audit function, the risk management vs. internal control vs. internal audit dynamic continues to frustrate me.

    The high level intention that risk management is effective, helping organizations execute on strategy, make informed decisions, and deliver optimized performance is often lost in the eagerness to develop and deliver on an audit plan. Audits tend to be an end in themselves – the product is an audit report and a tick on the audit plan, regardless of whether the perspective provides pragmatic and useful assurance to management on internal controls.

    I would change the first sentence of the exec summary to: “Execution on strategy, making informed decisions, and delivering optimized performance have been a fundamental concern in business and public organisations throughout history.” Risk management and assurance are tools available to facilitate this. Managers need to be measured on delivery of objectives – they should be able to demonstrate the application of risk management in defining levels of uncertainty associated with these objectives, what additional actions are required and their assurance requirements. If audit work is performed, it should clearly address these assurance needs. Failure to deliver on objectives should prompt questions as to the adequacy of risk management and assurance.

    In other words, deliver on your objectives; risk and assurance are tools available to assist with this. If you fail to deliver, you had better be able to demonstrate the effective use of the tools available. If not, there will be consequences.

    I suspect this would quickly transform the risk and assurance disciplines.

    • Norman Marks
      October 20, 2015 at 7:07 AM

      Very well said, Ian!
