
Linking risk management to results

COSO ERM 2004 defined risk management:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Taking out the middle part, you get:

Enterprise risk management is a process … designed to … provide reasonable assurance regarding the achievement of entity objectives.

This is mistaken and I am glad that the exposure draft of COSO ERM 2017 has removed this assertion. It redefines enterprise risk management as:

The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

The draft also says:

Integrating enterprise risk management throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations. It helps to enhance performance by more closely linking strategy and business objectives to both risk and opportunity. The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.

The ISO 31000:2009 global risk management standard has a set of principles (IMHO, better than those in the draft of COSO ERM 2017). The first three are:

1: Risk management creates and protects value.

2: Risk management is an integral part of all organizational processes.

3: Risk management is part of decision making.

How does risk management create and protect value?

  1. By improving the quality of decisions by making them ‘risk-aware’, ensuring that decision-makers consider all the potential consequences of their decisions
  2. By helping to identify what might go wrong, so it can be addressed if unacceptable
  3. By helping to identify opportunities for things to go better than planned, so they can be evaluated and pursued if justified

Some have decided that you can measure the effectiveness of risk management by examining the success of the organization.

If it were true that risk management provided reasonable assurance that objectives would be achieved (i.e., if COSO ERM 2004 were correct), then fine.

But risk management only provides reasonable assurance that decisions can be made on reliable information about what might happen. It provides reasonable assurance that risks to the achievement of objectives are at desired levels.

It doesn’t provide reasonable assurance that those things will actually happen. It will only help you assess that the likelihood of a particular benefit or harm is x%.

History has proven time and again that companies that take more risk than stakeholders might desire can be highly successful, even for an extended period. At the same time, organizations that have gone to great lengths to understand, analyze, and treat their risks have still failed. Just think of NASA and its few disasters.

Every organization is at the mercy of actors beyond their control, such as the weather, the economy, the health of their customers, the vagaries of regulators, and so on. A quality risk management program may make you aware of potential events and situations that might arise and cause you grief, but it won’t keep them at bay.

So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved?

No.

It does make sense to analyze why failures occur and whether the root causes should have been, but were not, foreseen.

The value that is created by effective risk management is the confidence of the board and decision-makers in the information they use to make decisions.

Do you agree?

I welcome your thoughts.

  1. August 12, 2017 at 4:58 PM

    I like your thinking here Norman. Setting up enterprise risk management as a panacea to all the organisation's potential risks is doomed to failure, and further erosion of the value risk management can bring.
    Whilst we should learn from the lessons of the past and analyse whether a risk could and should have been mitigated, ERM should be strongly future facing.
    Assisting in making the best decisions possible by applying good risk analysis should see more opportunities realised and many threats avoided.
    But as with all things in life, every now and then life throws a curve ball!

  2. August 12, 2017 at 9:12 PM

    It’s an interesting perspective. Never really thought about it that way. Maybe because this is more an artificial problem than a real one. Of course risk management effectiveness should be measured on improving the quality of decisions by making them ‘risk-aware’. No doubt there. The somewhat artificial part is that someone decided to measure the effectiveness of risk management by examining the success of the organization. I don’t think anyone is that naive. I do however feel it is important to check both. I often have to do external validations. As an external person you have limited time and it’s not always possible to get to the bottom of what really happens, so we have to use triangulation. You spend 90% of the time checking the process and talking to people to understand how risk management improves the quality of decisions by making them ‘risk-aware’, but then you still spend 10% on looking at actual performance, actual financials and so on. Primarily to see if there are any significant unexplained irregularities. So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved? Of course, if it’s just one of a 100 things you look at to make an assessment.

  3. msfedorov
    August 12, 2017 at 10:18 PM

    A Board can be confident even if there is no risk management at all. Although usually not for long. But, again, that “not for long” can be quite extended given the right circumstances.
    Unless you measure that confidence, you cannot tell about risk management. And IMHO the only way to measure that is by having a set of criteria any decision should meet in an organisation. Assessment can be subjective, but if you do it constantly and consistently you can see the value of risk management. Especially in cases where an organisation took both paths – “with risk management” and “without it”. This does not always happen, but it is a good health check.

  4. David
    August 13, 2017 at 4:07 AM

    I agree that seeing if Gross Margins improve and whether they are related to effective risk management is not very sensible. There are too many variables affecting Gross Margins. However when it comes to safety (which Norman quotes) I have a different opinion. Root causes are still many but are generally fewer than those affecting Gross Margin variations. Mitigation of these root causes should result in fewer safety incidents etc. I have spent many years reviewing causes of incidents, trying to mitigate them and seeing reported safety incidents reduce. Therefore I think the general extrapolation of monitoring ‘results’ is too wide and I agree with Alex that examination of these, where there are fewer influencing variables, should be part of the whole process, be it 10% as Alex mentions, when carrying out an overall review. I recently reviewed a fraud case where a quick check of the business processes showed clearly the root cause. When this was ‘repaired’ this particular type of fraud was impossible and the frequency of it reduced accordingly. Other types of fraud were not affected by this change but the overall incidence of fraud was reduced.

  5. August 13, 2017 at 4:30 AM

    You say: ‘So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved?
    No.
    It does make sense to analyze why failures occur and whether the root causes should have been, but were not, foreseen’.

    I don’t think these are substitute activities. You have to have the data (and other supporting information) to be able to analyse performance (on failures and causes), part of which includes the evidence from the past on, in this case, safety incidents and gross margins.

  6. GSosbee
    August 13, 2017 at 8:32 AM

    Norman’s last sentence says it all. A quant would calculate value “lost” or value “gained” by a decision supported by risk management’s input. Successful Boards rarely make a decision based on one data point. Thus, what the Board really wants is sound consistent information from risk management to go with all of their other data.

  7. Khanh Vuong
    August 13, 2017 at 4:32 PM

    Risk is multi-faceted (and in turn risk mgt is therefore multi-faceted). Taking the old-fashioned concept of risk as a list of adverse events with potential impacts on an organization, then the results of reducing the chance of those events occurring or of their impacts upon occurrence would be measurable. However, if taking the broader concept of risk, then the answer is a NO.

  8. August 14, 2017 at 7:16 AM

    Risk measures based on well-defined quantities like annual probability of a risk event and a probability distribution of potential losses are preferable to the types of ordinal scales, ratings and heat maps. We have an in-depth and recently published guide for our Members that addresses this topic. If you’d like to receive a copy, please opt-in at http://grcsphere.pwcstores.com/select-role so that we can use your e-mail address to send it to you or any other requested materials. We’d love to get all your individual ideas, comments, etc. to improve what we have so far! Best Regards, Phil

  9. August 14, 2017 at 3:38 PM

    Norman, doesn’t it come down to the objectives of the company/organization being focused on gaining value – either monetarily or intangibly? If the company achieves its objectives, then value is gained. So while risk management is focused on helping the organization achieve its objectives (not providing reasonable assurance – that sounds like internal audit to me), the risk management process should also be providing value to the leadership and decision-makers. Which is why I wrote this post a while back: http://erminsightsbycarol.com/erm-strategic-tool-companies/.

    • Norman Marks
      August 15, 2017 at 6:55 AM

      Carol, I believe the value is in the eyes of the decision-makers. Are they able to make better decisions as the result of ERM?

  10. August 15, 2017 at 7:30 AM

    ‘It does make sense to analyze why failures occur and whether the root causes should have been, but were not, foreseen.

    The value that is created by an effective risk management is the confidence of the board and decision-makers in the information they use to make decisions.’

    Norman, isn’t this what internal audit is all about? Having checked that risk management procedures should have been implemented in the processes under audit, the next step is to check that the procedures (controls) are working. As a result of internal audit testing, any failures, and their cause, should have been identified. IA is then in a position to report to the board on the confidence they can place in the information being generated by the processes audited.

    • Norman Marks
      August 15, 2017 at 7:33 AM

      Makes sense, David

  11. Ian Clegg
    August 16, 2017 at 2:01 AM

    “So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved?

    No.”

    This is an interesting perspective and very much depends on the perceived scope of risk management activities.

    I understand risk management to be a tool that is applied to identify and define potential risks or opportunities, define and assess control strategies and then embed the execution, monitoring and performance management of the control strategies into normal business processes (decision making, performance reporting etc). In other words, to translate an uncertainty into something that can be more tangibly measured and managed as part of normal business.

    In my mind, event materialisation, control failures and any consequences which are experienced are very much a measure of the extent to which a risk has been understood and an adequate control strategy defined i.e. the effectiveness of the risk management process.

    “(Risk management) will only help you assess that the likelihood of a particular benefit or harm is x%” – Agreed, but the x% likelihood is determined based on a control strategy that is assumed to be operating effectively. If the control strategy is inadequate or not effective, the x% likelihood may be wrong – events, control failures, consequences are indicators of this.

  12. August 16, 2017 at 7:05 AM

    COSO 2004 was limited in Scope and Application; it is not as robust as the revised 2017. Risk Management is supposed to be a Culture and a Compass. While it is a key driver in Goals Setting, Strategy, Policy and Decision Making Process, it is not a Guarantee that Results will be achieved, as there are other key drivers of Results. However, a Risk Management Culture Applying the COSO 2017 Framework enhances quality of results and clearer strategic direction.

  13. August 16, 2017 at 7:09 AM

    Without an integrated Risk Management Culture, a Company faces Reputational and Integrity Risk. In addition, Governance structure is weakened, with high costs of Regulatory non-compliance.
