Managing risk means opening your eyes every day

A piece proclaiming the results of a new survey of Canadian financial executives by FEI Canada and Chartered Professional Accountants of Canada caught my eye (thank you, John Fraser).

It makes some good points:

  • While many Canadian organizations are concerned with risk and have a documented management plan in place, a significant number (one in five) do not.
  • Robust, institutionalized enterprise risk management programs are common among large and public companies, where nearly half have one in place. The percentages decline for smaller and private companies.
  • The majority of respondents (66 per cent) describe themselves as only “somewhat confident” in their organization’s ability to manage risk and the research also suggests there is a greater need for organizations to bolster oversight and operational responsibilities relating to risk.
  • “With the speed of change in today’s economy, identifying, understanding and addressing risks in a timely fashion is critical to an organization’s success. It’s also essential to communicate these risks to employees. The study results indicate that a communication gap exists in companies today with regards to risk. FEI Canada increasingly sees this communication as part of the role of today’s CFOs.”

On the surface, it is good news that the majority of Canadian CFOs are confident in their management of risk and believe that employees understand the risks to the organization. 72% feel that their strategy is aligned with their risk appetite.

But, do the authors of the study understand what effective risk management entails?

I am less than sure, especially when I see that they expect top management (including the CFO) to tell the rest of the organization what the risks are.

While some risks are ‘strategic’, most risks are created or modified by everyday business decisions and actions. Thinking that you can identify a list of risks and communicate them down is missing the major part of risk management. Every business decision, by every decision-maker across the extended enterprise, needs to be informed by what might happen. This is not managing a list of risks at all! This is part of managing the organization every day!

The study, to my mind, considers risk management as thinking about and taking action to avoid or mitigate the effect of the storm that might hit at some future date.

But, truly effective risk management is about making the right decisions every day, optimizing outcomes in the face of uncertainty about what might happen.

I wonder what the CFOs surveyed would have said if asked this question?

How confident are you that people are making intelligent, informed decisions that consider what might happen in the future – not only what might go wrong but what needs to go right – and how those decisions might affect achieving the objectives of the enterprise?

I welcome your views.

By the way, seats are still available for our conversations about effective risk management in Chicago (April) and London (May). Contact me for details or visit riskreimagined.com.

  1. Richard Fowler
    March 7, 2016 at 5:16 AM

    I really like that question, Norman. It succinctly identifies what risk management really needs to be. Thanks for sharing it!

  2. Kaya Kwinana
    March 9, 2016 at 2:16 AM

    As usual, Norman, you raise an important issue but in addressing it you muddy the waters instead of clarifying them.

    Each level of an organisation has objectives to achieve and internal auditing’s role is to provide the appropriate service (be it assurance or consulting), for particular circumstances to all the respective levels on governance, risk management and control processes required to provide reasonable assurance that those objectives will be achieved.

    One can within a short space of time be able to assess whether or not adequate and effective governance, risk management and control processes are being implemented at all of the organisational units and levels. No matter how much time internal auditors are given, they will never be able to assess whether or not all significant risks (not just any risks) are being adequately addressed at all of the organisational units and levels. That is why 2100 is a great piece of insight.

    The answer to your parting question is provided by focusing internal audit effort (assurance or consulting, as appropriate) on the governance, risk management and control processes throughout the organisation rather than on discrete risks. In the absence of this, no CFO or any other members of the C-suite, can reply in the affirmative to your question.

    • Norman Marks
      March 9, 2016 at 6:44 AM

      Kaya, this is not about internal audit. It is about managing risk – a management responsibility.

      How does that change your view?

  3. Rodney Clifford
    March 9, 2016 at 1:57 PM

    Never a truer word spoken than:

    “While some risks are ‘strategic’, most risks are created or modified by everyday business decisions and actions. Thinking that you can identify a list of risks and communicate them down is missing the major part of risk management. Every business decision, by every decision-maker across the extended enterprise, needs to be informed by what might happen. This is not managing a list of risks at all! This is part of managing the organization every day!”

  4. Paul Barker
    March 10, 2016 at 12:00 AM

    The adoption of a culture of dynamic risk assessment so fully integrated into management that it occurs unconsciously is still a long way off when institutionally organisations and their IT infrastructure (which delivers their data points) is still rooted in a T+ concept and periodic reporting cycles. Financial firms need to take a lesson learned from the armed forces and the fire service…can you imagine patrolling in Kabul and only sweeping for mines once a month? Sounds ridiculous but that’s what happens in FS today.

  5. Oluseyi Oyedele
    March 16, 2016 at 12:59 PM

    Norman.
    Again a great write up to challenge us. But what’s wrong in identifying and documenting key risks facing the organisation even if they are daily occurring?
    I also agree with a previous contribution that IA’s role is to evaluate the GRC processes at every level of the organisation and providing reasonable assurance and improvements to Management.

  6. Brad Lunn
    March 19, 2016 at 10:15 AM

    These are very good points. It’s even more challenging than what is noted. Enterprise risks arise by decisions that are made, but also in actions that are not taken. What are things that should be done that are not? Are we innovating enough to keep pace? Are we making the right bets on technology or market trends? Are we really hiring the best people for what will be relevant in the future?

    My last point is the perspective noted by “confident” CFO’s. Was the C-Suite at Target “confident” in their IT systems before they learned life as they knew it was over? While I understand their sentiment, a dose of paranoia or healthy concern for the unknown may serve us better than “confidence” in our ERM reports. Like Andy Grove says, only the paranoid survive.

    Cheers

  7. Norman Marks
    May 30, 2016 at 9:21 AM

    Mr. Marks:

    Your March 5, 2016 blog “Managing risk means opening your eyes every day” drew its inspiration from a survey of Canadian financial executives conducted for Chartered Professional Accountants of Canada and FEI Canada. We thank you for outlining a number of the survey findings.

    You stress that effective risk management is about more than preparing for the future, it also is about the decisions made every day.

    We fully agree and provide some background information for you.

    First of all, it is important to remember that the goal of our research was to better understand the state of risk management in Canada today and that objective has been achieved. Another key intention was to spark discussion about corporate risk management – something your blog kindly does.

    Moving beyond our news release, the report we prepared makes clear that risk and uncertainty are constant elements of the business environment. And as is stated in the report, the Institute of Risk Management notes: “Consequences can range from positive to negative.”

    You raise an interesting question in your blog: “How confident are you that people are making intelligent, informed decision that consider what might happen in the future – not only what might go wrong but what needs to go right – and how that decision might affect achieving the objectives of the enterprise.”

    While your specific question was not asked as part of our survey, some insights can be pulled from the research. For example on page 13 of our report, it is pointed out that there is less confidence in employees understanding the opportunities and threats to their organization when compared to management and board directors. It also is noted that this may reflect a communications gap from the top of the organization to other levels.

    In our view, all employees must understand the risk appetite of the organization. However, employees, especially those working on the front-lines, can be valuable in helping the organization assess market conditions and also offer constructive insight into the development of a realistic risk management strategy.

    This matter also was addressed by Michael Kobrin, President, Michael Kobrin Consulting, on page 36 of our report:

    Mr. Kobrin noted:

    “Many companies tend to focus on the formal aspect of their risk frameworks, and I find that sometimes it creates a bit of a false sense of security. Even if you have a great risk framework and documented procedures, if you don’t have an open, transparent environment in which people feel comfortable challenging ideas, and a communication mechanism to facilitate this, those formal processes simply won’t be as effective. Often, boards look at their organizations’ formal frameworks and processes and say `Okay, we’ve got all these great matrices and colourful heat maps,’ but what they really need to ask is what is the true corporate culture with respect to openness and transparency, and how does risk management fit within the broader strategic plan.”

    Yes, Canadian organizations have more work to do when it comes to risk management planning but actions such as our research and your blog are helping to keep the issue in the spotlight and on the minds of business leaders.

    Best regards,

    Carol Raven and Laura Pacheco (VP Research, FEI Canada)

    Carol Raven CPA, CA
    Principal/Directrice de projet
    Strategy, Management Accounting & Finance/Comptabilité de gestion stratégique et finance
    Research, Guidance and Support/Recherche, orientation et soutien
    craven@cpacanada.ca

    Chartered Professional Accountants of Canada / Comptables professionnels agréés du Canada
    277 Wellington St. West, Toronto ON CANADA M5V 3H2
