A revolution in risk management
The management of risk, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives.
All the standards, frameworks, and guidelines[1] talk about risk in terms of its ability to affect the achievement of the organization’s objectives.
Some things might happen that will help[2] and some that will interfere with our progress[3].
Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful.
This allows the consideration of risks, but not really how they might affect the achievement of objectives and which ones might be “at risk”.
Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives? For each initiative, what is the likelihood of success?
Then we can answer these questions.
- Considering all the things that we have identified might happen, how confident are we that we will meet the objective (within an acceptable level of variation[4])?
- What is the possibility that we can exceed it?
- What is the possibility that we will fall short?
That assessment will not only provide valuable insight but enable decisions to be made that will increase the likelihood and extent of success.
The report might look something like this.
| Business Objective | YTD Performance | Projected Achievement: Fall Short (<6.48%) | Projected Achievement: Achieve (6.48%-6.52%) | Projected Achievement: Exceed (>6.52%) |
|---|---|---|---|---|
| Improve revenue by 6.5% | 6.52% | 15% | 80% | 5% |
What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)
Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?
Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?
A report like this moves the conversation from focusing on failure to focusing on success.
It changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.
This is a revolution in a couple of ways:
- It turns the discussion of risk to objectives around 180 degrees to focus on objectives, and
- It demonstrates how the management of risk is of huge value to the organization.
I welcome your comments.
Is this an approach that COSO and ISO should adopt as they upgrade their guidance?
[1] This includes the COSO Enterprise Risk Management – Integrated Framework and the ISO 31000:2009 global risk management standard.
[2] COSO refers to these as opportunities.
[3] COSO refers to these as risks.
[4] COSO refers to this as risk tolerance.
Actually, this is the only reasonable way to do risk management! And it has existed for a long time, see decision analysis. But people are too enamored by risk matrixes, registers and other b…t.
Good idea. We used this in FP&A also to identify factors that could cause over/under performance vs. specific financial objectives.
I wholeheartedly support this approach and am actively involved in enabling management to engage in it in a practical way, using purpose-built software. Unfortunately, even though the standards, frameworks, and guidelines embody this in theory, they don’t go far enough as to explain the practicalities.
In this light, I think that alongside the projected achievement view demonstrated here, there is just as much of a need to detail the actions (or processes or controls) that are being taken (or not) in the enterprise to reach such a projection.
It is possible to quantify at least some of an organisation’s objectives, to provide some substance for the report structure you outline. See, for example, the case study at http://broadleaf.com.au/work/risk-adjusted-forecast-of-ebit/.
Sorry, I should have said it is possible to quantify at least some of an organisation’s forecast performance against objectives.
I’m not sure this is a “revolution”, more a ‘renaissance’ or a ‘reformation’. What you have illustrated, Norman, is the reason why we first started ‘doing’ risk management – to help us understand the implications of decisions we were making. My colleague and many others are still using tools like Monte Carlo simulation to look at the uncertainty in predicted budgets, schedules and investment returns, both to express the level of uncertainty and to take actions to increase certainty.
However, what has happened over the last 15 years or so is that a ‘religion’ or cult has mushroomed where risk management becomes the end in itself and not the means to an end: producing a risk register is more important than the decisions you support using it; attending a meeting to ‘review’ last year’s risk register is all that is required to make the world a better place.
Of course under-informed regulators have helped the cult gain credibility for its rituals. Boards as well have, until maybe recently, allowed these arcane self-serving practices to continue. For example, many board members still require to be told what are the organisation’s ‘risks’ rather than asking, when management asks for the endorsement of a decision, what steps are being taken to ensure the outcomes are certain and will support the organisation’s objectives and how management are confident that this is the case.
Unless regulators and oversight bodies start asking the right questions and understanding what are the right answers, the cult will continue to enact its rituals and worship its false gods.
In that standards seem most often written by those with a vested interest in prolonging the cult’s rituals and making them even more arcane and less accessible to normal humans, you can’t expect them to lead the renaissance or reformation.
Grant, you nailed it.
1. Not all organisations express objectives in the way used in your example, i.e. in my organisation the objective used would be one of a number of KPIs I could use to determine whether a broader objective was being achieved.
2. Not all board members want a departure from the stock standard table of top 10 or so risks supported by the normal risk matrix of controls and action plans. Having already moved to this style of reporting, i.e. performance and risk status for each strategic objective, I am facing opposition from one of my subsidiary boards who have a couple of members who only want the normal type of report. In other words they want a tick-a-box, simple to understand presentation which allows them to meet what “most” accept as being the norm for a board demonstrating good risk management. Formal risk management is in a mess and has a long way to go!
3. If you are going to have the style of reporting you have, you have to explain why you think the objective is in trouble or whatever etc. We have found that to do this you then need to have narratively written bullet points explaining the position and outlook…which then overlaps with what many others are reporting to the board. And so you can be criticised for duplication. Whilst you can explain that your report is the only holistic report putting together performance, risk outlook, objectives….all together, the response comes back….you just focus on the risk outlook.
4. All up, what you propose is supported because we have already shifted our reporting to this….however it gets tricky with execution. And this gets back to the point I have raised before in posts…..no one addresses, when talking about formal risk management, how it fits into / finds a value-adding niche for itself inside an organisation, i.e. cognisant of what others are doing. Sure it depends upon specific circumstances, but most large companies have similar set-ups.
If people started doing this some of the good ideas would resonate more and actually be adopted, in lieu of only being a theoretical good idea. See you in KL. Rgs
Norman, I certainly agree with your message, although I have doubts as to how you could objectively ‘judge’ your percentage possibility figures such that they wouldn’t be open to challenge. As we know, the first reaction of bringing bad news to management is to ‘shoot the messenger’.
If the reporting of risks is to focus on objectives, then the reporting on controls managing those risks (the internal audit report) must also concentrate on the achievement of objectives. So no more, ‘the controls were found to be unsatisfactory/satisfactory’ but an overall opinion ‘Are the risks to the organization’s objectives being managed to acceptable levels?’ (‘Acceptable’ having been defined by the board). (See http://www.internalaudit.biz Book4, page 119 for an example report).
Thanks all for the comments.
1. If objectives are not set with clear targets, how can the organization know where it needs to go?
2. If there are no measurements of where we stand relative to those targets, measured the same way as the targets, how will we know we are on the right track?
3. I am taking this further than adding KRIs to a report with KPIs. I am attempting to say what the KRIs, which underlie the projected achievement, mean.
4. I don’t know whether the CRO should present this information. I don’t know whether the CRO should present any risk information! This is management information and an expansion of performance management. Why not let management present it?
5. The percentage should be the estimation of the management team, the objective owner in particular. It should definitely not be the CRO.
Comments?
Norman, thanks, a good article. I think you had it right when you said that risk information is an expansion of performance management. In too many organisations performance is seen as the day to day business of management, and risk as a periodic reporting exercise. Linking the two more tightly, and in the language of performance, can only be positive.
4. “I don’t know whether the CRO should present the information. I don’t know whether the CRO should present any information”. Now this is what I would call a bit of a radical change (albeit you are saying you do not know). As I have pointed out, by moving towards the type of information proposed, if Risk Management present such data it does tend to overlap in many instances with what others present to boards, i.e. Strategy, Finance, Sustainability, HR, etc., who are telling the board how they are progressing against their KPIs, which link up with the KPIs in their strategy blueprints agreed by the board (albeit perhaps not always as consolidated as it could be). Even the outlook can be there in reports in the form of “issues” or “challenges”. Does Risk Management need to duplicate? To satisfy the tick-a-box corporate governance defence mechanism apparently so, or at least in the form of a table of top 10 risks…..with the supporting risk matrix of controls and action plans. Which has become so embedded as the de facto reporting standard. Risk Management is required to report something, so until this changes we may as well try and report something meaningful, right? Along the lines proposed by you. Even if it duplicates. With this being perhaps one of the many reasons explaining why formal Risk Management is perceived the way it is (not always value adding)….i.e. no practical thought given to how the formal discipline fits into a living, breathing organisation which may already have, explicitly or implicitly, the practices, information etc. being advocated under the banner of formal risk management. Crunch time….value add? or simply a corporate governance defence mechanism? Of course everyone likes to say it does both…..but the reality of the situation is often saying something different. Until this gets resolved formal risk management remains as it is. Or as you have said, “I do not know”. Grant Purdy’s comments basically hit the nail on the head.
The regulators, and those that guide them and interpret what good risk management is, have a lot to answer for…but it continues. Rgs
Glenn, good questions and discussions. If we say (as we do) that risk needs to be embedded in performance management, then we do well to explain that the CRO is supporting the CFO or whomever reports progress against objectives. The CRO can provide a schedule of risks by objective that supports management’s estimation of achievement likelihood.
But this will depend on the organization, its desires, and working with the regulators.
I am still advocating a second report that just shows risks, with their significance based on their aggregate effect on objectives (which are defined).
I believe that what you are describing is what the Balanced Scorecard methodology espoused by Kaplan and Norton many years ago intended, i.e. Set objectives, identify KPIs as surrogates for each objective and then track and discuss the ways to achieve those objectives. Where ERM has become the third leg of the stool is in better identifying potential uncertainties in meeting the objectives so that these can be addressed from a holistic enterprise wide perspective versus silos.
I agree with Glenn’s thinking re the CRO not reporting but with a twist. Whenever I reported on risks to the board I made it clear that I was doing so on behalf of the CEO and executive team, I was merely the presenter. The board’s role is to question the CEO and executives on the risk profile and the risks to ensure they are involved, committed and knowledgeable about the risks. I think in too many cases the risk profile is presented as an irrelevant document not related to the real business of the organization. I still remember a board member sleeping through my first presentation on the top ten risks to the company (no, it was not that I was boring but rather he did not see the connection between a risk profile and his accountabilities ).
Execs and Boards are not ready to include risk into the decision-making process in the manner proposed – and it is up to us, as risk practitioners to change the conversation!
I recently had the opportunity to present the effect of risk on programme objectives and the anticipated/associated benefits to the board of a state-owned company – used a decision tree structure with aggregated values (and some colour-coding to my shame) to illustrate the results of extensive background MC-based risk analysis in one slide.
Got my a..s kicked by the CEO who insisted on a list of the top 10 risks – colour coded “in accordance with significance”.
Tim Leech (amongst others) has long advocated the use of an “objectives register” (as opposed to a risk register) and I’ve had some success in configuring kit such as ARM to provide reporting in this manner as well as developing a “value-based ERM” framework for a client which attempts to quantify the effect of risk on various management metrics/KPIs.
Grant is right – it is a renaissance, but I am at a loss as to how we change the paradigm. I will, however, be following this particular conversation with great anticipation given the views expressed by various risk thought leaders both in the original text and subsequent commentary.
Quinton, I showed an example of the report illustrated in the post to the senior executives of a large company last week. They saw it separately but all agreed it would be useful.
The report needs to talk to them in their language.
I think the concept is good – but maybe mitigation to increase the possibility of achieving strategic objectives is not achieved in the same way as we want to mitigate operational non-compliance (through controls)? – discussion should be elaborated on…
Charl, may I suggest we stop using words and phrases like “mitigation” or “manage risk”. Instead, let’s talk about what we can and should do to increase the extent and likelihood of success.
Norman, I don’t share your concern about using words like ‘mitigate’ and ‘manage risk’ because I don’t see why they represent only negative actions. For example, there may be a risk that competitors reduce our market share by launching innovative products. We can mitigate this risk by setting up research and development programs to enable the launch of our own innovations, which would increase the extent and likelihood of success. These programs would be an internal control, just like any other. It is a process to reduce a risk to an acceptable level.
I think that care and a balanced approach is needed in defining “objectives”. Too often businesses are focused on short term results. Reckless pursuit of results is what led to the recent Wells Fargo debacle.
Norman – I’m with David on this. If you want to increase the likelihood of success, you have to identify what is hampering you from achieving this (risk). Also – if you want to achieve strategic objectives, then you have to have an excellent operational environment.
“What can go wrong” (risk) and “how do you manage it?” (control). I find it difficult to turn it around and say “what can go right” (opportunity) and how do you manage it? The “what can go right” was determined earlier during the strategic planning phase. But we should debate this further.
Yes, let’s talk Enterprise Solutions, not just enterprise risk!
Great thoughts… thanks
The use of plain English in lieu of risk jargon in risk reports and inclusion of opportunities. Execution issues come up again. We are attempting to do this but have copped flak for our reports overlapping with Strategy, whose reports obviously are briefing the board on strategic pursuits/opportunities. Use of plain English can lead to our reports being described as “wordy”. Fully support these concepts and will persist, however executing them is not without its challenges. To the extent our reports provide a consolidated overview of performance and outlook in regard to individual strategic objectives and also some specific risks… written in simple language highlighting both positive and negative aspects, they work and are much better than how we used to report, in my view. However, that is where the problem lies. Not all directors share my view as they are perhaps looking at my reports with a view towards meeting their corporate governance responsibility only and probably feel they receive detailed info on performance, opportunities, challenges, etc. from other areas. Sometimes I wonder whether we are just better off forgetting about reporting, risk registers and all the other stuff, and simply focusing all my little department’s efforts on educating people how to make logical decisions, and ensuring HR hire the right people (particularly at senior levels). This may add more value and have more impact across the enterprise than the things I spend the majority of my time on at the moment (particularly in an environment where it is difficult to predict outlook anyway and having “agility” is critical). But unfortunately it would not satisfy the accepted corporate governance tick-a-box practices, which continue to be the ones mainly promoted to boards etc. by those who make a living off them. Rgs
Norman – Great discussion regarding risk management and how we might better incorporate that process into executive and board decision making. While perhaps not groundbreaking theory for businesses whose core strategies revolve around the effective management of risk — such as pharma, oil/gas, or financial instruments — it is certainly worthwhile to extend this type of thinking into other less complex businesses. Risk management via decision analysis has actually been around a long time, and involves quantifying the economic cost/benefits of various outcomes, and then assigning probabilities to each of those outcomes. Simple decision trees can be used to determine the economic risk-weighted value of the probability weighted outcomes. In portfolio management, this can be particularly helpful when opportunities exceed resources ($ or people), and risk-weighted value can be an excellent method to prioritize and select superior projects in a resource constrained environment. If you want to really super-charge your analysis, Monte Carlo simulation can be employed to test the risk weighted value of a broad spectrum of outcomes (100’s or 1000’s of scenarios). Some great decision software is out there to facilitate this type of multi-variate scenario analysis — check out @Risk by Palisade, or Crystal Ball by Oracle.
This article has my mind racing towards thoughts of a matrix to capture the positive data around achieving objectives. It brings me back to the days when we focussed on our operational plans and what positive activities we were planning to implement to reach our objectives each month. I have spent most of the last 8-10 years focussed now more on capturing our hazard data and doing risk assessments and plans to minimise or eliminate them from our daily operations. I must say I can now appreciate how on reflection it totally bummed the guys out and brought their moods down to sit in a meeting discussing risk strategies compared to the past when we would go offsite totally for the day and brainstorm ideas to achieve our objectives. I guess similar outcomes but with less benefit to their health and well-being mentally. I saw them come in the next day excited to put the plans into action. It seemed more of a flatline of emotion after risk management activities.
Even though I embraced Governance and most of my experience in my working life was with quality compliance and audits/auditing, I witnessed the decline in interest in maintaining these systems by the workforce of today. I too would be more excited about brainstorming and having my ideas collectively discussed to assist with achieving a business objective. Let’s get positive people!!
Sally,
It’s actually a lot easier than risk registers and risk reviews. People find talking about the uncertainties for their objectives when making decisions a lot more relevant and interesting. After all, most of us are all interested in doing a good job and making the best decision possible.
I find (what has become) conventional risk management (ERM) like pushing a boulder up hill. It’s a chore that few people really appreciate.
Ultimately good governance comes down to the quality of decision making. It has little to do with lists of risks. Board members who still insist on seeing risk registers need to do their own risk assessments.
Grant
Really good idea to plan “the likelihood of success”. Particularly in Georisk.
“likelihood” has always applied to the likelihood of the consequence(s) of risk (and not the likelihood of the event/condition) itself – blame the software vendors who wanted a simplistic linear “event likelihood X single discrete consequence” arrangement for a deterministic result which could be displayed in a nicely coloured but meaningless picture (aka heatmap)
Dear Norman, I love this nuanced “role reversal”!
To me, similar to a Business Continuation plan.
I work with private schools, and offer free 360 risk assessments as we do other, revenue producing things with them.
I often find that offering to do an assessment for them, even a free one, is akin to offering someone a free “proctology” exam.
They know they should have it done, are “too busy” and are afraid if done, we’ll find something “bad” that they will have to address.
So thanks for offering a different slant.
Best,
Martin
I’ve been following this fascinating thread with interest as it expands to encompass more and more angles of view, while ultimately reinforcing in one way or another the thinking behind Norman’s original post. So, I ask you Norman and anyone else who identifies with the post: Why not take the opportunity to go ahead and formulate algorithms that will allow us to ‘manage objectives’.
Within the limitations of my understanding and subjectivity, I have in fact started such a process already, and constructed software components to support them. Simply put, I manage both objective and risk/opportunity registers, link these two object types as required and then define controls with various possible findings. Each finding has a predefined effect on the risk thus automatically modifying the risk/opportunity the moment CCM (continuous control monitoring) activity records it. This in turn reflects the ‘health’ of the objective due to the linkage with the risks and opportunities.
I will be happy to share more details of my work in progress with readers of this thread. Let me know if interested.
Neil, if you have found a way to estimate the likelihood of success that encompasses all the things that might happen, I am interested.
Hi Neil, I too would be interested.
Much, most, of my protocols (for schools) are evidence based and anecdotally predictive, v. based in software or “math”!
Thanks,
Martin
I’m in the process of writing it up right now in a more organized fashion. It might take me another week or two, then I will send it to you with pleasure.
Neil
Several people have got it right! It’s all about decision making and people – stupid! Risk derives simply (apart from acts of God) from sub-optimal thinking. Often decisions are divorced from values and pay little attention to ALL the stakeholders involved. Too much collusion by small groups – often as low as 2 people with zero diversity of input. Most of the businesses I talk with admit they do not have a decision making framework, or one which is properly articulated and utilised across the business. And if the wrong people are in charge with no checks and balances, trouble follows for sure. No amount of risk systems can compensate for faulty decisioning by incompetent persons!
This is what needs teaching and embedding from top to bottom constantly with multiple renewals so people don’t forget. If everyone in an organisation knows from Day 1 that their decisions count and they are to be held accountable, people may start to ACT with more CARE which means less Care-less-ness. The higher the levels of CARE about outcomes for everyone affected, the smaller the chances of putting the business and yourself at risk! That is why John Lewis, South West, W L Gore, Tata etc and others stay mainly out of trouble.
Shifting from discussing the possibility of failure to the likelihood of success is likely to consider the situation of a glass half empty when you want to fill it up from a bottle: first you take care not to break/overturn the glass, and estimate the quantity needed to fill it up, then you evaluate the remaining quantity in the bottle to fill it up.
Possibilities of failure (material and human) are unlimited. You may have unforeseen risk and no anticipated response, as an unforeseen lack of the capabilities expected for the risk identified.
Likelihoods depend on statistics based on categories of facts (positive or negative). Their exploitation in the future is a linear projection of a process – such as firing on a target – without any change in the initial trajectory which leads a bullet to the target.
But starting from a current situation you can move to different evaluated scenarios taking into account different criteria: GPS does it very well, but it does not take into account a road accident or a police control.
When one of these occurs, it can propose an alternative way and a new ETA. But you will only be in a new uncertainty. On a short as on a long term. Even your initial wish can change: if you need to rest to prevent more accidents and you want to be sure to arrive, later but alive. Without risk.
In war as in the economic world, enemies and rivals hide their goal, the course of action selected, and the capabilities which constitute threats and risks. Your (business) intelligence should try to detect and appreciate them, giving the most likely and the most dangerous for decision making, matching with imperatives, constraints and… risk appetite.
Likelihood may be useful on technical and controlled processes, whose settings have a high reliability. It is just to remain a part of risk management on which a pragmatic and permanently improving process should have a holistic/systemic approach, with a heuristic method.
MaatPilot software* http://www.maat-ingenierie.fr/ provides flexibility to integrate both statistical data and lessons learnt, and to share the risk management process thanks to this approach.
*US/UK presentation is available on request
Hi Norman. In the first instance your proposal is congruent with the concept of the 3 Impairments of risk which I am trying to hone, namely, impairment of profits, impairment of the balance sheet and, impairment of shareholder value. I know that these are not unrelated but I believe that they are sufficiently robust to capture the essence of operational risks, financial risks and strategic risks respectively. Every risk event has one of these direct financial consequences.
Second, in order for it to gain acceptance, though, it will be necessary for risk management to progress from being a reactive profession to a proactive discipline in which the focus becomes one of cause-effect analysis; i.e. practitioners would have identified the drivers of risks. Then using forecasts posted by experts, or controlling internal elements which are understood to underlie risk events, will enable risk professionals to deliver the value which you correctly suggest is possible.
Hi Greg, would you mind sharing how you are practically implementing this? It sounds very interesting to me because most decisions that are made in the organisation are made to have a positive effect on the three pillars you are referring to.
In theory, I really like this approach as a reporting tool. The biggest challenge I see is collecting the informed data required to compile it. How did we measure the 80% success rate? How do we know the risk of failure is 15%? (Not that we can ever be exact in these things.) I’m not saying we couldn’t collect this data, but it would be a considerable effort when applied across multiple objectives. That being said, I really like that it would require collaboration across the business to compile, and wouldn’t just be the view of risk managers. That in itself makes this a more valuable reporting tool for leadership, just one that might take a very long time to prepare.
OMG! This is brilliant! While risk managers still continue to deploy self assessments, collect loss events, or flag exceptions, reports to senior management and the board should take the paradigm shift to report – LIKELIHOOD OF SUCCESS, instead of probability of defaults, probability of losses, probability of failure!!
Will totally start to report the YANG instead of the YIN!!
Thank you Norman Marks!!
This is what ERM should have always been about and for the truly enlightened, has been and is. Nothing new.
Nothing new, except next to nobody does this, Chris.
An organization has objectives.
The achievement of these objectives is enhanced by benefits and threatened by risks.
Internal controls are processes which maximize benefits and minimize risks. (The organization defines the boundaries for maximum and minimum).
Let’s take an example: we have an objective, ‘Increase ice cream sales by 10%’. A benefit is a hot summer, a risk is a cold summer (I live in the UK).
An internal control we would expect to see is the use of weather forecasts to predict a hot summer, so we can ensure stock is available, or a cold summer so we can reduce stock and maybe increase advertising spend or promote offers.
But, do we internal auditors look for the controls which maximize benefits? I don’t think so.
@David – IA should not be looking for controls which maximise benefits – that is the role of the applicable risk owners. IA should be providing independent assurance that a risk management process is in place which supports the decision-making process.
IA (like accounting) is retrospective – RM is forward-looking and focused on providing input into the decision-making process with regard to the effect of uncertainty on those objectives being considered in the decision-making at hand.
Quinton, I believe that internal audit’s prime responsibility is to provide assurance that internal controls are managing benefits and risks to ensure they are acceptable to the board (and therefore the organization’s objectives will be achieved). A major part of this assurance is checking that a risk management process is in place but it also includes making sure that appropriate controls are in place (and are operating) now and in the foreseeable future.
The assertion that IA is retrospective contradicts the core principle that IA ‘Is insightful, proactive, and future-focused.’
Core principle enunciated by whom? IIA?
Just my view but I don’t believe that IA can be both player and referee.
Can’t wait to read the reaction of other (far more knowledgeable) commentators on this forum 🙂
It is an IIA core principle https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx
I am with you, David. Controls help provide assurance that people and systems are doing what they should – and that includes doing things well, not only not doing things wrong.
Surely controls are only there to enable an organisation to achieve its ultimate purpose as expressed in its highest level objectives. They are just enablers for those objectives.
If auditors are not looking at how controls enable the organisation to be successful, what is the point of having them (auditors)?