
Do you have confidence in your risk management?

February 13, 2016

Maybe I should phrase the question differently:

Do you have confidence in your ability to manage risk?

The difference is huge and important:

  • The first question may be interpreted as an assessment of the risk management function. The value of such an assessment is limited.
  • The second question should be interpreted as an assessment of how the organization as a whole, not just any risk management function, addresses risk. The value of this assessment is huge.

When I talk about risk, I am of course talking not just about the potential adverse effects of any event or situation on enterprise objectives, but also about the potential positive opportunities that may be seized.

Often, the effects of a potential event or situation may be a combination of the positive and the adverse. Think about how often it is necessary to consider “trade-offs”. For example, it may be necessary to reduce working capital levels in order to invest in a new venture that will make a contribution to revenue and the bottom line. In this case, management may be increasing the risk that they won’t have sufficient funds for future investments while reducing the risk that they won’t achieve earnings and market share goals.

So, how confident are you that management can and will maintain risk at desired levels?

Is your confidence level 50%, 70%, 90% or something else?

Is that acceptable?

When you judge the likelihood of a major failure in your ability to manage risk to be acceptable (given the cost of improving risk management further), you have the risk management you need.

That is the theme of my book, World-Class Risk Management.

Do you agree?

Is your risk of risk management failure acceptable?


Join us for a discussion of effective risk management in April, first in London and then in Chicago. Details are here.

  1. Mike Corcoran
    February 13, 2016 at 12:37 PM

    Norman, I am more concerned about management creating value based on their promises and the expectations of stakeholders. Very few global companies talk about the art/science of their managing risk process unless of course it is their business (e.g. insurance) or they are forced to by regulators. So for those professions or professionals mostly focused on negative event risk management — see you in the rear view mirror. 👀

    • Norman Marks
      February 13, 2016 at 1:33 PM

      Mike, I share your perspective that there needs to be a focus on achieving success rather than avoiding failure. Key to that is understanding what might happen, both good and bad, and making informed decisions. The management of risk cannot be limited to the adverse. It needs to be part of how managers and others make decisions and deliver performance.


      • Mike Corcoran
        February 13, 2016 at 1:58 PM

        Agree, but starting point and messaging is troubling. It is first the management of value creation and then associated risk. Innovation and competition is the fuel of capitalism. You have to be able to advise on both. We get a better response from most business leaders and BOD’s with this approach. Leading with risk is not the starting point and should not be the language of proactive professional associations like the AICPA, IIA, IMA, NACD, etc. that are your audience. We need to advise first.

        • February 14, 2016 at 1:47 AM

          Mike, I agree with you, although I would say the starting point is the organisation setting its objectives (which may not always be value creation), identifying actions to achieve those objectives and then managing the risks which hinder those actions.

          • Mike Corcoran
            February 14, 2016 at 3:21 AM

            Hi David, yes but most companies manage the performance action plans (not risk) thus KPI’s.

  2. February 14, 2016 at 8:14 AM

    Spot on!

  3. Kaya Kwinana
    February 14, 2016 at 1:41 PM

    The differences noted are a matter of detail.

    Without the KPIs, risk identification is hit and miss. It IS to the KPIs that risks should respond, rather than to the objectives themselves. Fundamental then is that both objectives and KPIs are specified by the next higher level, for them to be properly authorised.

    Risk identification (risks being threats and opportunities, as pointed out by Norman), is then focused and after the risk assessment, all the identified risks should in the next stage, (the risk response process), be presented to the next higher level to decide on which ones should be addressed – the significant risks.

    ALL significant risks, throughout the organisation MUST be addressed appropriately because that is what the organisation has decided by classifying them as significant risks.

    The process owner and his/her boss are and must be involved in the risk management process, (in the generic sense of governance, risk management and control processes).

    From an internal audit point of view, engagement planning considers which of assurance or consulting on these processes is appropriate for each particular situation. Each is bad internal audit practice where it is not appropriate.

    An example of such bad internal audit practice is the misguided risk-based approach which by definition assumes that the internal auditor knows more than all the incumbents in an organisation about what KPIs should be there and therefore what risks should be identified and are significant, and evaluates specific functional activities, (rather than the governance, risk management and control processes), regardless of the particular situation.

  4. Glenn Daly
    February 14, 2016 at 8:25 PM

    Making the risk management process “iterative” is obviously key to the never ending process of meaningfully assessing risks/opportunities relating to actions flowing from objectives. Unfortunately “formal” risk management is seen by many as being this ritualistic monthly, quarterly, etc. thing (encouraged and supported by consultants, standards, text books that encourage a “formal” process to satisfy some code on corporate governance etc.). Would therefore suggest that “formal” risk management does sometimes act as an impediment to the “real” risk management that is (or should be) going on in an organisation. If something goes wrong in my organisation, and it can be linked to “risk management”, will some consultant hired by the Board come in and evaluate whether we have an “iterative” risk management process in place or whether I have risks/controls documented in some risk register, and whether a Risk Committee exists etc.? I think we know the answer. Go for the more straightforward. To achieve what Norman is rightly suggesting should occur, it would be helpful if there was a rethink about what “formal” risk management entails, otherwise getting people to think about “opportunities” as part of risk management is going to be difficult. In my organisation (like many others I suggest), opportunity identification flowing from objectives ends up being the province of a Strategy department’s yearly strategy updating cycle or (flavour of the month) an “innovation program”, or a one off “war on waste” special exercise or “lean six sigma” etc… whereas, if risk management was operating properly as per Norman’s perfect world, many of these opportunities could and should also be coming up through the “real” (and also perhaps “formal”) risk management process anyway.

    A way to go before we get to utopia, with the reality being many organisations are challenged identifying all the negative events let alone the existence of positive ones through risk management… hence I suppose the perceived need to create a special exercise / program sometimes to identify them.

  5. Ken Hackshaw
    February 16, 2016 at 3:38 AM

    As we (ttrmi) complete our Post Grad diploma in Risk Management that we intend to offer to folks, I would like to consider/discuss with you adding your new book and the other on GRC to the list of required texts.

