How to mess up your risk management program
My friend and sometime colleague Rick Steinberg has penned an amusing but spot-on piece that was recently published in Compliance Week.
Ten simple ways to manage risk … or not is a quick way to test whether you have an adult’s or a child’s risk management program.
Does your risk management activity ‘check the box’, or does it help the organization succeed by making more intelligent and informed decisions?
Tell me what you think of Rick’s ten. Here are some of my own, in addition to his excellent ones:
- Be satisfied with the periodic review of a list of risks
- Separate the discussions of strategy, performance, and risk
- Ignore the fact that risk is created or modified with every decision
- Don’t question how people make decisions, whether they do so in a disciplined manner that considers what might happen
- Believe that an enterprise risk appetite statement drives decisions and risk-taking at all levels of the extended enterprise
- Fail to assess the reliability of your risk management practices
Let me expand on the latter, a principal theme of World-Class Risk Management.
If you follow the principle that you set objectives, identify risks to those objectives, then ensure that there are measures in place to provide reasonable assurance that the objectives will be met, then we have objectives for risk management. They include:
- Identify the more significant risks to the achievement of enterprise objectives
- Analyze the risks to determine their potential effects (consequences) and the likelihood of those consequences
- Evaluate the risks (individually and in aggregate) to each objective and determine whether they are acceptable
- Respond when the risks are at unacceptable levels
- Monitor the condition of controls to ensure that the likelihood and extent of a failure in controls continues to be at acceptable levels
- Communicate risk information to all who need it, when and how they need it
- Manage all of the above at the speed of risk
There are risks to the achievement of these objectives. In the book, I reference a number of sources of risk, such as:
- Unreliable information
- Failing to involve all the necessary people
- Failing to communicate to decision-makers guidance that will help them take the right level of the right risks
- And many more
Few self-assess their risk management program. Where internal audit assess it, I believe they focus more often on compliance with policy than with the level of risk that risk management will fail.
So, let me leave you with a couple of questions.
- What other signs are there that you have messed up your risk management program?
- Have you defined the objectives of your risk management activity, identified and assessed the risks to their achievement, and reported your assessment to executive management and the board?