Two words to transform discussions of risk management

I have written extensively about the disconnect between risk practitioners and executives when it comes to risk management.

I have urged practitioners to:

  1. Use the language of the business instead of risk techno-babble;
  2. Try to stop using the R word entirely! Talk instead about what might happen, whether that is OK, and what we are going to do about it; and
  3. Focus on enabling intelligent and informed decision-making rather than a periodic list of risks (enterprise list management).

Now I have a new suggestion.

If you have to use the R word, add two more.

Instead of talking about risk, talk about risk to objectives.

Review a list of risks to objectives and consider how much risk to objectives you are willing to take.

If you have to talk about risk appetite, talk instead about the appetite for risk to objectives.

Those two simple words make you focus, not on risk for its own sake, but on how enterprise objectives might be affected.

Which objectives are “at risk”? Be specific if you want to drive the necessary actions.

Are you more or less likely to achieve them? Is that OK?

It’s not about managing risk – it’s about achieving objectives.

What do you think?

Would this improve the discussion?

It’s a simple thought but I think it can make a huge difference.

Do you agree?

  1. July 29, 2017 at 10:40 AM

    Good suggestion and I think I may have an even better idea. I shot a short video yesterday on exactly that topic and it should be back from production soon.

    • Norman Marks
      July 29, 2017 at 10:41 AM

      Please share when it's up, Alex

    • Carrie Frandsen
      July 29, 2017 at 11:58 AM

      I definitely agree – risk management (the R word) is about managing the uncertainty in achieving objectives, so framing discussions with that context is key to productive risk discussions.

  2. July 29, 2017 at 11:53 AM

    Norman, definitely agree. Indeed my whole website (www.internalaudit.biz) is about internal auditing related to objectives. (Of course, that gives me a problem with the term ‘Risk based internal auditing’ which really should be called ‘Objectives-based internal auditing’. I’ll amend the books when the weeds stop growing and the grass no longer needs cutting).
    I am shortly to help a charity identify their risks and opportunities. My message will be simple: be clear on your objectives. If you don’t know those, you will never identify your opportunities and risks. The only reason you have opportunities and risks is because you have objectives!

    • Norman Marks
      July 29, 2017 at 11:59 AM

      David, as you know I still like “enterprise risk-based auditing”. Audits are designed to assess whether the risks to specified objectives are adequately addressed by internal controls. We don’t audit the objectives themselves. “Objective-based auditing” can mislead. Just my opinion

      • July 30, 2017 at 3:13 AM

        Norman, I take your point. Ideally just ‘internal auditing’ should suffice but that includes such a wide range of methodologies it isn’t good enough. Personally, I’d like clearer guidance from the IIA.

  3. John Pease
    July 29, 2017 at 4:31 PM

    Hello Norman … it's a very useful suggestion. It shows value from the start as the C-suite sees the risk team focussing on organisational objectives and immediately enables executives to think about risk in terms that register for them. From the practitioners’ perspective, it mitigates against the risk (pun intended) of seeing their role as producing a beautiful red, green and amber register of risks.

  4. Glenn Daly
    July 29, 2017 at 5:25 PM

    1. Is there really a disconnect between risk practitioners and executives? I would suggest executives get what they want and it's when risk practitioners attempt to move it to what you describe when the disconnect often happens (with risk practitioners potentially no longer risk practitioners). Executives/Board members are not this powerless/impotent body of people who remain at the mercy of risk practitioners, the assumption so often implied or assumed by many who write about risk management. They have the authority to change things in an instant, if they so desire. And if we think they are not aware, please think again. These people are highly intelligent. Often they see their risk function as simply doing things that have become accepted practice for CG purposes. And that is all they want from them. Muddying the waters with talking about objectives and what might happen etc. may create doubt as to whether the CG responsibilities are really being met. Keep it simple thank you very much, is often unfortunately the view and if the techno babble with a list of risks keeps the regulators happy, so be it.
    2. Instead of a list of risks to objectives, what about a risk visualisation overview map showing the interconnected risks to objectives. At least in this way it depicts the real world, not this artificial environment where risks occur in isolation from one another. Supporting details can be provided showing how the risks individually and together impact particular risk with strategic enablers.
    3. Some regulatory clarity would help the situation.

    July 30, 2017 at 9:30 PM

    I read through the above posts and did not come across ISO31000; it is clearly defined in the standard, which is objective-focused. I always wonder when Risk Management is being implemented at the workplace, is there a guide or reference the client could follow? My guess is that each RM Practitioner has its patented RM guides or templates, etc., so they proceed with their implementation. In this respect the client will have a dependency situation and this is not good from the risk perspective of the client.

  6. July 31, 2017 at 12:23 AM

    I did like the ISO 31000 concept of not only looking at the defense part but also looking at the opportunity part to reach objectives. However, the publication “The Hazards of Expert Control: Chief Risk Officers and Risky Derivatives” (already quoted as “Hiring Chief Risk Officers Led Banks to Take on Even More Risk”) shows that the opportunity part may get too much attention over the defense part with devastating results. Maybe we should add something like ‘sound’ or ‘balanced’ risk to objectives.

  7. August 1, 2017 at 2:20 AM

    Hi Norman. I completely agree. Starting by defining S.M.A.R.T. objectives is a great best practice and laying out the risks of not achieving these objectives will definitely help converge the point of view of risk practitioners with business executives. Thanks again for this useful article.

  8. Robert Arvanitis
    August 4, 2017 at 6:18 AM

    Excellent way to restore perspective.
    If the objective is, say, “this new product launch,” good.
    Alas the real answer is all too often “my bonus”

  9. Larry Brown
    August 4, 2017 at 11:38 AM

    COSO pablum?

    • Norman Marks
      August 4, 2017 at 12:14 PM

      Hardly, Larry

  10. David
    August 6, 2017 at 11:04 PM

    My experience has always been consistent with Norman’s wider suggestions – re language to use, avoidance of technical babble – so I have always taken it for granted that Risk managers and teams focus on risks that materially impact objectives. What else is the point?

  11. Marie-Therese Day
    August 9, 2017 at 12:19 AM

    Not using the R word and linking to objectives could be the way to engage people about what exactly it is that is helping or hindering achieving these. What I experience is that organisations struggle to translate – cascade – the strategic objectives and risk-taking tolerances at all levels of the organisation, and with how to play back the information to make informed decisions. Stringently linking risk (and opportunities) to outcomes and performance indicators helps identify outcomes at risk (or with a potential opportunity to tap into).

  12. August 14, 2017 at 3:29 AM

    A nice step in the right direction. The R word conjures up images of a toxic substance that needs managing. Exactly the wrong idea. The important thing to consider is the likelihood of achieving objectives, and the possibility of better or worse outcomes. The ‘level of risk’ is really the outcome difference and the likelihood of that different outcome being realised. It makes sense to make all this clear before using the R word. Avoiding the R word might be better, but it’s impossible to do that in public forums with established vocabulary. I think it’s important to emphasise that all these suggestions (including other posts in this blog) are absolutely consistent with ISO 31000 and also pretty much with COSO ERM. The problem isn’t with the standards, it’s in the entrenched misunderstandings of what they are saying. Discussed in depth in the link. http://clearlinesaudit.com.au/what-is-risk-management/
