
Six principles for effective risk management

In World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six. (Later in the book, I discuss a possible risk management maturity model as well as what it takes to go beyond simply effective to deliver world-class value.)

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

I believe it is useful to assess your risk management activity against these principles.

As my friend Alex Sidorenko says in a recent video (which I recommend), risk management is not about managing risks: it’s about enabling informed decisions.

Informed and intelligent decisions are how we achieve objectives. Those decisions need to consider what might happen (harms, opportunities, and combinations of the two) as we strive to succeed.

With that in mind, I suggest a different definition of risk management in the book:

The effective management of risk enables risk-aware decision-making, from decisions about the direction of the organization, to its core strategies, to the decisions made every day across the extended enterprise.

The processes and related policies, structures, and systems for identifying, analyzing, evaluating, and responding to risks are established by management with oversight by the board to ensure that the effects of uncertainty (both positive and negative) on the achievement of objectives are understood and managed to support the realization of the organization’s mission and commitment to stakeholders.

My understanding is that COSO will publish its update of the ERM Framework very soon. It will be interesting to see the principles they have come up with and how they compare with mine.

In the meantime, I welcome your thoughts on the above – and any other comments you may have on this best-selling book.

  1. Ross Wescott
    August 5, 2017 at 2:43 PM

    Ultimately, all tools and processes used in business should support decision-making. Some are more intelligent than others but the target must be informed decision making.

    As you have said previously, “list” management is not the end. ERM, eGRC, and everything that supports those processes must lead management and Boards to a place that confirms what they already know or confirms that they do not know everything they should.

    If risk management does not do that, why even bother?

  2. August 5, 2017 at 10:51 PM

    Reblogged this on RISK-ACADEMY Blog and commented:
    This is a great summary of risk management principles. To be effective, risk management doesn’t have to be complex. And yes risk management is really not about managing risks 🙂

  3. GARY LIM
    August 6, 2017 at 7:04 AM

    It always amazes me reading “innovative” management terms as, as the years unfold, there tends to be a lag for the information to get from the developed countries to the developing countries; probably forget about the underdeveloped ones, they have more urgent matters to address. By the time it reaches them, it’s no longer relevant to the latest, so there is catching up to do. Corporations would spend resources on it because it is the in-thing in the market.
    Guess this is one way of ensuring that the concept of Life Long Learning is being promoted, hence there is work for the EXPERTS. Honestly, it is very confusing for the learned; it would be beyond the understanding of the lesser educated ones. I read to understand so that when some experts are talking about it, I am aware of what it’s all about.

  4. August 8, 2017 at 7:04 AM

    I wonder if Robert Baden-Powell didn’t beat us all to a simple risk management principle in the Scouts’ motto, ‘Be Prepared’ (1908).

  5. Clive Higgins
    August 14, 2017 at 6:09 PM

    Informed decision making. What will they think of next!! Am a strong believer in the KISS principle and this is another good step in that direction. The easier principles are to understand, the more people will use them and the better the outcomes will be, no matter what country they are applied in.
