Time for a leap change in risk management guidance
Even though both COSO ERM and ISO 31000:2009 are evolving, moving to a greater emphasis on decision-making and the setting and execution of strategy, the practice of managing risk continues to lag.
I have written in my blogs and spoken in person to thought leaders involved in both COSO ERM and ISO 31000 updates about the need to take a huge leap forward.
When the practice is seen as failing to contribute to success, and limited to a compliance function, something dramatic has to happen.
Nothing recent exemplifies the scale of the problem as A Practical Approach to Institutional Risk Management.
This paper was developed through over 100,000 interviews by the staff of the Education Advisory Board and insights and advice from around 120 practitioners and consultants. (I recognize a number of names in the list of advisors. This may reflect their 2012 rather than 2016 thinking, and it is possible that their advice and insight was not heard.)
So does this paper reflect existing practice?
If so, it is clear why risk management is seen as incidental at best to organizational success.
The authors are focused entirely on risk registers – a list of risks. A list of things that might go wrong.
The issues they discuss are making the list of risks manageable and being able to “treat” those risks.
You will not find a single reference to decision-making.
The only reference to decisions is when the authors point out that the consequences of decisions, risks that are created or modified, are frequently not considered.
As EY points out, using a term I love, the management of risk has to be part of the rhythm of the business.
It has to be integral to how we make decisions, every hour of the day, at all levels across the extended enterprise.
Enterprise list management (to quote Jim DeLoach) is scratching the surface. While those scratches may be sufficient to fool some that risk management is in place, a periodic review of a limited list of risks is like driving down the freeway at speed and only looking at the traffic around you every 15 minutes.
COSO and ISO: it is time for a dramatic move in guidance and standards. You have to lead the way out of the pit of enterprise list management towards the goal of effective enterprise management.
Yes, enterprise management, because the management of risk is not a separate activity. You only succeed if you can anticipate (my new favorite word) what might happen as you journey towards your objectives, and make informed and intelligent decisions as you run the business.
COSO and ISO, are you listening?
Practitioners, please join me in demanding a leap forward.
ENTERPRISE RISK MANAGEMENT