Risk management in review
PwC’s latest Risk In Review study makes some very interesting points. It carries the title of “Managing risk from the front line” and I recommend downloading and reading it.
I like how it begins (with emphasis added):
Today a collaborative approach to risk management with risk accountability sitting squarely in the first line of defence can be the key to greater organisational resiliency and growth. That means an engaged first line that makes risk decisions in alignment with strategy. It means a proactive second line that influences decision making through effective challenge and timely consultation and collaboration. And it means a diligent, independent third line focused on its core missions of protecting the organisation and delivering value.
This recognizes that risk is being taken every hour of every day by decision-makers across the extended organization.
This is emphasized in a quote:
Melissa Lea, SAP AG chief global compliance officer, says that at her organisation, that direct connection is paramount. “We’re very first-line heavy. The more we can get risk responsibility out into the field—first into management’s hands and then to employees to make sure they’re armed with the right expectations to make the right decisions—the more successful we’ll be. We try to get people—either on the ground, in-country, or with the best lines of sight into how a particular risk might materialise—to really own that mitigation approach.”
Is the report perfect? No. For example, they still seem to believe that a risk appetite statement can drive the business decisions that take risk at all levels of the organization. I don’t.
They also don’t emphasize reporting to top management and the board the likelihood of achieving each and all enterprise objectives (i.e., the aggregate effect of risk, positive and negative, in terms of the likelihood of success).
But let’s give them some credit for the pieces they got right and hope the emphasis on decision-making extends to the update of the COSO ERM Framework.
I welcome your thoughts.
I have to agree with your statement on risk appetite as well. I was particularly encouraged by the statement whereby an executive from TIAA stated that they used metrics to feed qualitative enterprise risk management efforts. It went on to say how this leads to a risk appetite statement for each major line of business and that they shared this with the board. In my world, this is the model we follow and the model we advise our clients to use. Too many times we find organizations using spurious risk management at the enterprise level, which is nothing more than picking low-hanging fruit.
Norman, I agree that the newest PwC report focusing on the need to position risk management with the “front lines” is a positive step. When I read it I had to chuckle though. It was advocating what many of us were promoting in the 90s – management-owned risk and control self-assessment. Unfortunately, SOX came along and seriously negatively impacted management ownership of ERM. COSO has promoted what I call “risk centric” ERM, not objective centric. This may change in the new release scheduled for this summer. I continue to believe that the simple way to really position risk management with the “front lines” is to adopt objective centric ERM and assign “OWNER/SPONSORS” to top value creation and preservation objectives. OWNER/SPONSORS should have primary responsibility for assessing and reporting upwards on the true state of risk. A presentation I delivered at an IIA Miami Conference provides an overview of what needs to change (https://goo.gl/d1aI97). Unfortunately, the IIA has shown a strong reluctance to really put its support behind risk self-assessment. My article, REINVENTING INTERNAL AUDIT, overviews the evolution and current status of IIA support for management-owned risk self-assessment (https://goo.gl/dw0wj3). As long as internal auditors believe that “direct report” internal auditing, where IA is the primary risk/control assessor and reporter, is the foundation of IA, IA will continue to impede true ownership by the “FRONT LINES”.
I agree with the overall approach of front lining. After all, it is not about risk management (as a function), but about how the company manages the uncertainties (i.e. risks and opportunities) they are faced with – or create. Our task as risk managers can be to educate front liners to do this effectively – without adding a ton of hassle in the process, which would make them refrain and rely on gut feeling. The issue of risk appetite is also a systematic way of asking (given the facts and assessments at hand) … “do you really want to do this, or don’t you?”
Alex Sidorenko has some excellent perspectives on risk management:
https://www.youtube.com/channel/UCog9jkDZdiRps2w27MZ5Azg
I especially like his quote from a recent webinar – “Nobody, not the CEO, CFO or any management cares about risk, except the risk manager” or words to that effect. I think it is quite revealing in the context of PWC’s report. Reality vs. Perception? I have found much the same thing – management will take whatever risks they need to take in order to achieve their goals and objectives.
When the topic of risk assessment came up with an executive of a global company, he mentioned that he assesses risks daily when decision making requires it. In this respect, I kinda agree with this comment; however, the management of a structured risk assessment/evaluation platform has better results when led by assigned risk management in an entity and flowed up or down.