
The Crown Jewels and Risk Management

February 6, 2016

When considering information security or cyber risk, you usually concentrate on risk to the ‘crown jewels’ – those information assets and services that are most vital to the enterprise.

I am going to suggest that we can extend the concept of a focus on crown jewels to broader risk management.

I think we all know that risk is created or modified with every decision.

We also know that those decisions are made by people, who we know are imperfect.

In my last post, Why do some take risks while others do not?, I talked about the fact that different people will make different decisions in the same circumstances. We need them to make the ‘right’ decisions, taking the desired level of risk. But policies and procedures, even risk appetite or criteria statements, may not be enough to ensure they will do so.

People are influenced not only by the perceived ‘culture’ of the organization, but also by a number of personal factors including their prior experience, whether they feel ‘at risk’ if they take too much or not enough risk, and even whether they have a sunny disposition that day.

So we are dependent on these individuals and their actions.

What can be done? How can we obtain reasonable assurance that risks will be managed, by them and through their decisions and actions, at desired levels?

I suggest that we identify which individuals are making the decisions and taking the actions most likely to determine whether the more significant risks to organizational objectives stay at desired levels. Which individuals, which actions, and which risks?

If we can identify these individuals, the decisions and actions that need to be made, and the affected risks and objectives, then we can focus on them as the crown jewels of risk management.

  • Do these individuals understand the potential for their decisions and actions to affect risk levels and the achievement of enterprise objectives?
  • Do they understand desired levels of risk, whether in risk appetite or criteria statements?
  • Do they have sufficient information to make intelligent decisions and take the desired level of risk?
  • What might affect their decision-making in an adverse way, and what can be done about it?
  • What is the likelihood that they will make a decision that takes the level of risk outside desired parameters?
  • How will senior management know when they stray from the desired path?
  • How will we know when the decision-makers change?

There’s probably more that can be said and more that can be done to provide assurance that individuals, whether on the board, in top management, or at other levels, will take the desired level of risk.

What do you think? What should be done?


Richard Anderson and I will be discussing this in our Risk Conversations coming up in April in London and Chicago. Details are at www.riskreimagined.com. Join us!


  1. February 7, 2016 at 4:49 AM

    You raise some very interesting questions. I’d like to consider them by starting off with some of my definitions:

    • A risk is a set of circumstances that hinder the achievement of objectives.
    • When a risk occurs it results in a loss.
    • An internal control is a process which manages a risk.

    The first statement implies individuals must be clear on the objectives, and their objectives within the overall objectives. Since the objectives will probably include developing the organisation, one set of circumstances will include the failure to take decisions and actions which ensure the full potential of the organisation.

    The losses which will occur may be a failure to increase profits, or may be the loss of actual profits because a competitor develops products we haven’t identified.

    So what about internal controls? Effective controls (for example approval processes) should deal, in part, with your last three questions. But the remaining questions represent a failure to act, as opposed to inappropriate action. As you have indicated a failure to act is initially a failure to make decisions. I would argue that decisions are internal controls, since they manage risks, particularly surrounding failures to identify growth opportunities. But decisions can only affect the future, not the past, which implies that accurate forecasting is essential to make proper decisions. Now I’ve been retired for some time, but I bet the monthly ‘information packs’ supplied to most boards comprise around 80% historical figures and 20% forecasts. I would also bet that 80% of accountants’ time is spent running around finding reasons for variances in these historical figures and 20% in improving the forecasts and assisting managers to make decisions which improve them. Yet the historical figures can’t be changed, so why spend time on them, as opposed to spending time getting accurate forecasts which then drive decisions? (My site at http://www.managing-information.org.uk gives more thoughts). The forecasts will define the level of risk, especially if these are subject to proper analysis using financial modelling.

    So my answer to your first four bullet points would be to ensure forecasting is made as accurate as possible and management concentrate on these as a basis for decision making. Oh… and ‘information packs’ to consist of 80% forecast information.

    • Norman Marks
      February 7, 2016 at 7:41 AM

      David, thanks for the comment.

      I don’t share your definition of risk as limited to the adverse effect of uncertainty on objectives. But that doesn’t matter for this discussion.

      When I talk about decisions, I am talking about decisions such as:
      – whether to select vendor A or B as the sole source provider of key materials
      – how much credit to offer a new customer
      – whether to move forward with a major project, systems implementation, or new venture
      – whether to approve a capital investment
      – how much material to order
      – and so on

      • February 7, 2016 at 11:48 AM

        Norman, I thought you were referring to the more ‘make or break’ decisions such as
        - do we launch a hostile takeover for company A?
        - how do we stop internet retailers taking our sales?
        - what’s the next high-tech product we should launch?

        Looking at your examples, forecasting is again important but in terms of assessing the impact of each decision. What is the effect if a sole source provider fails, what is the financial stability of each vendor in the future?

        I would have thought the best way of encouraging risk taking is to set realistic targets. These should encourage risk taking without the danger of taking excessive risks.

  2. Caroline
    February 7, 2016 at 5:12 AM

    This is very good. In recent years we have focused a lot on culture and framework and cascading through the organization. All are essential. However, it is good to be reminded that there are generally just a few people whose daily actions contribute greatly to our risk profile. If we focus on them, we will be in a better place.

  3. Duston Sackett
    February 7, 2016 at 2:05 PM

    Very good points and it’s why on-going Steering Committees, Control Self-Assessments, independent Risk Assessments, etc are crucial to organizational success. We must always hold each other accountable and validate if we are achieving our objectives (“crown jewels”) without accepting too much risk or maybe even not taking enough risk.

  4. Michael
    February 8, 2016 at 3:52 PM

    Norman, you make very valid points from the perspective of the organization’s decision makers on how they understand the organizational risk appetite within their decision-making functions to ensure they do what is considered right within the organization. Whilst the decision makers might not be the only sources or contributors to risk, it is still an excellent question and could be extended to the key players who identify key risks. That aside, this also questions the personal biases of decision makers and how they may result in a decision maker straying from the organization’s risk appetite. Personally I have seen both risk culture and embedded processes being important here. More mature processes can help ensure there is an understanding of the risk appetite and possibly set out standard criteria to consider before making decisions.

  5. February 9, 2016 at 3:16 AM

    There is a name for this – cognitive biases. Risk managers have long been overlooking them when implementing risk culture and facilitating risk assessments and whatever else they do nowadays 🙂
