
What does your risk management activity seek to achieve?

From time to time, I am asked to help an organization take its risk management to the “next level”.

I strongly believe that, as ISO 31000:2009 says in one of its principles, risk management needs to be customized to meet the needs of the organization (and changed iteratively as the business and its needs change).

An organization that is relatively constant in its business and doesn’t face rapidly changing, even turbulent, risks doesn’t need the same design, structure, tools, and staffing for risk management as a trading company.

An organization where decision-making is centralized doesn’t need the same risk management activity as one that is highly decentralized.

It is essential to understand what the organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.

That is why I like a feature in Enterprise Risk (the official magazine of the Institute of Risk Management) in which Iain Wright was interviewed. In Living on the Ceiling, Iain describes how he defined a vision for his risk management function at Old Mutual Wealth.

First, it needed to provide the business with consistent insight and challenge. Second, to effectively advise and support the business and strategic decision making. Third, to give assurance that customer and shareholder interests are protected. Finally, to build trust with internal and external stakeholders through consistent delivery and high performance.

It is simply stated, meaningful, and sets the bar high.

If achieved, Iain’s team should be seen by the board and top management as having great value, helping them make informed and intelligent decisions that drive the successful achievement of objectives.

Before you can determine whether your risk management activity is effective, you have to know what the organization needs from it. Then you set objectives and strategies to achieve them before executing on them, monitoring performance, and adjusting as needed.

It’s just like managing any other part of the business or the organization as a whole.

Is it clear what risk management needs to deliver at your organization for it to be successful?

I still like the question Deloitte asked of board members and executives: does risk management help you set and then execute your business strategies?

I welcome your comments.

  1. Glenn Daly
    July 8, 2017 at 5:46 PM

    What a Risk function's activities need to achieve for a particular organisation and what activities it needs to do to keep its CRO employed can sometimes be two completely different things, as I have recently found out. On 31 Dec, upon the company demerging and when I finish up, during the 7 years I was Head of Risk, no regrets, as at least I had a real go at it and did not settle for the normal tick-the-box stuff. Thanks Norman for your guidance and wisdom.

    • Norman Marks
      July 8, 2017 at 6:05 PM

      Thank you!

  2. July 8, 2017 at 9:34 PM

    Excellent article on purpose, strategy and structure. Regulatory and technology risk are major categories in just about all organizations now, financial and non-financial. Would be interesting to have a follow-up article to this on how they push the risk management awareness and practices down and throughout the organization to achieve 'consistency'.

  3. GSosbee
    July 10, 2017 at 8:19 AM

    While I agree with the basic thesis of the blog, I disagree with the following two statements as they violate basic risk management theory:

    – An organization that is relatively constant in its business and doesn’t face rapidly changing, even turbulent, risks doesn’t need the same design, structure, tools, and staffing for risk management as a trading company.

    – An organization where decision-making is centralized doesn’t need the same risk management activity as one that is highly decentralized.

    The basic design of an ERM program is the same for all organizations. Volume wise there are differences, but the requirement is the same – provide the organization with a clear picture of organizational risk.

    Unfortunately, to have a functional ERM program, there can only be one ERM program. In a decentralized organization, the disparate parts have to be on the same basis, using the same tools and definitions, reporting to the Chief Risk Executive of the organization. Remember, if you have two ERM programs, you have no ERM program.
