
Getting Risk Management Right

I have to congratulate my good friend, Doug Anderson, for an excellent article in the latest edition of the IIA’s magazine.

While the title calls out the COSO ERM Framework update, the main part of his article is a useful discussion about what risk management is all about.

Here are some key excerpts (with my highlights), each followed by my comments.

The problem is ERM is not a program. In fact, it is not a department nor a process, either. ERM — or more generically “risk management” — is an integral component of decision-making. It is a set of skills, approaches, competencies, tools, culture, and more that do not stand alone, but are part of all that an organization does.

Comment: This is critical. What I especially like is what he has to say about decision-making. Whether it is deciding which strategy to adopt, which plans and projects to pursue, or the day-to-day decisions on pricing, hiring, or purchasing, decision-making is where risk is taken.

Doug provided an example.

Acme Co. is implementing a new software package to support its core processes such as accounting, logistics, and customer management. As part of its planning, Acme lays out all the steps in the implementation process and then considers what may not go as planned. Some things could go wrong; some could go better than expected. Identifying these possibilities, assessing their importance to the project, taking preparatory actions, and watching how the project progresses are part of how Acme manages its software implementation. This is all done using various monitoring and reporting tools, within the culture of how Acme operates. Acme uses the fundamental aspects of good risk management, even though it may not recognize them as such. 

This is 100% consistent with my message, that risk management is all about understanding what might happen, considering whether that is desirable or acceptable, and then taking appropriate action.

As he says, people have been managing risk all their lives. The value of ‘risk management’ is in providing necessary discipline and process.

Doug continues with some excellent points.

Risk Is Not the Focus

The approach to risk management should not focus on the risks in isolation. The focus should be on those events [situations, and decisions – ndm] that can affect the achievement of strategy and business objectives. When the focus is on the risks, and not the strategies and objectives, ERM becomes a program. To add value, ERM always must be about accomplishing strategies and objectives. Management does not think first about risk, but about delivering performance and what can impact that performance.

Comment: As Doug says, and Alex Sidorenko has explained in his video and posts, it’s not really about managing risks. It’s about managing the achievement of objectives. In fact, calling it risk management actually inhibits its effective practice.

Risk Is Not an Evil to Be Eliminated

Every organization takes risks because the world is not perfectly predictable. Every time an organization takes an action, it takes the risk that its expectations are not correct. Sometimes the events that occur have a positive impact, and sometimes they are negative. [Sometimes, they have multiple effects! – ndm] Risk is a fundamental part of every organization, but it needs to be managed.

Risk Management Is More a Skill and Mindset Than a Process

When risk management turns into a department, team, or process, it can easily become something separate from management decision-making. Doing risk management right improves decision-making.

Comment: Actually, effective decision-making is the goal and it requires the consideration of risk. If we focus our attention on ensuring informed and intelligent decision-making, we will not only have effective risk management but a more effective organization.

When he moves on to discuss the role of internal audit he says a few things with which I agree.

As internal audit strives to create and protect value for organizations, understanding the principles of risk management better and incorporating them into the practice of internal auditing can pay large dividends.

auditors can do themselves a favor if they talk less about the adequacy of internal controls and talk more about risk, managing risk, and reducing risk where advised. Management thinks of the world through the perspective of setting out objectives and accomplishing them — all with the goal of delivering performance. The more internal auditors talk about those objectives and the events that can impact delivering performance, the more management would understand how internal audit delivers value. Auditors are not here to be naysayers or add bureaucracy with more controls. They are here to help management deliver on its objectives. This requires auditors to think and talk in terms of risk [to specified objectives – ndm], potential impact, and response.

internal auditors should not focus blindly on always trying to reduce risk. Risk responses should be designed to improve performance. This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance. When internal auditors’ orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.

Doug was an advisor, on behalf of the IIA, on the COSO ERM update project. I wish he had been the author. For my assessment of the ERM update, see this post.

I welcome your comments.



  1. October 7, 2017 at 12:01 PM

    Norman, looking at risks from the internal audit point of view (as mentioned above), I’m wondering whether there aren’t two types of risk. Let me take an example:

    Objective: to maintain company profits

    Risk: Loss of profit due to customers not paying

    Risk management (control): credit control department checks new customers to credit reference agency information.

    This is a traditional internal audit view of risks where the control can be verified. Let’s call them ‘static’ or ‘process’ risks.

    Within this control there are other risks: the credit controller has decisions to make; ‘Looking at the credit information do I risk accepting this new customer?’ These risks might be called ‘dynamic’ or ‘decision’ risks. They are much more difficult to audit as they cannot be directly verified. The auditor can look at overdue and bad debts to check on the competence of the Credit Control department and their success at decision making. Suppose overdue debts are very low? Does it mean that the Credit Control department is very good, or that they are turning down new customers unless they are rock solid? If it’s the latter they are probably failing to match opportunities with risks to the detriment of company profitability. In other words, Credit Control are not taking risks, perhaps because they are being targeted on the percentage of overdue debts.

    So the auditor has to look at dynamic risks and their controls in a different way to static risks. They need to look at training, supervision, targets, the desire to take risks and other soft skills. They need to ask the question (relating to your blog), ‘Is the right level of risk/opportunity being taken to maximize profits?’ This is quite a change to internal auditing methodology. I must get round to changing my website (www.internalaudit.biz) to reflect this!

    • Norman Marks
      October 7, 2017 at 1:49 PM

      David, there are all sorts of risks. For example, is the credit information accurate and complete? Is it up-to-date? Do I have reliable information on our current condition and the amount of credit risk I should take?

      I think the answer is in considering “what could go wrong” such that we grant the right amount of credit to the right customers, and “what needs to go right”.

      I’m not sure about dynamic and static – what that means. They are all sources of risk for me.

      BTW, why do you say that this is an internal audit point of view? Surely, we should be taking a business perspective?

  2. October 8, 2017 at 2:12 AM

    Norman, I agree that we should be taking a business perspective in determining risks but internal audit, just like any other function, has to then take a point of view based on its responsibilities. In the case of internal audit this is to provide an opinion as to whether the risks threatening the achievement of the business’s objectives are being managed to within acceptable limits. This management is done by internal controls set up by management. Internal audit’s usual approach is to verify (‘tick’) that these controls are present and operating properly.

    You have mentioned other risks (‘Do I have reliable information?’) and all these are verifiable – can be ticked as being properly managed. You also say that the answer is in considering ‘What could go wrong?’ and ‘what needs to go right?’ It’s management’s responsibility to answer these questions and implement controls to manage the risks and opportunities. Currently IA methodology deals with providing an opinion on the adequacy of risk management but not opportunity management, which is the point that Doug makes when he discusses the role of internal audit.

    IA methodology therefore needs to change to take account of decision-making (noted by Doug). It currently does this by judging the quality of decision-making from the audit verification results. For example, if overdue debts are reasonable then the assumption is made that the decision-making process to accept new customers is adequate. My point is that this verification process is not sufficient to judge decisions made to manage opportunities, and that implies a major shift in IA thinking. For example, how many internal auditors ask the question, ‘Are overdue debts too low?’

    IA needs to consider how the points you and Doug make can be translated into the methodology used by internal auditors who traditionally tick.

    • Norman Marks
      October 8, 2017 at 5:13 AM

      Well said. I agree, although I don’t separate risk and opportunity management.

  3. October 10, 2017 at 2:50 AM

    Dear Norman,

    Thank you for this. It is, in fact, important to read through the comments which you’ve highlighted (from Doug Anderson’s original article), which combined with your relevant comments, can be eye-opening for many working in the Risk Management arena. Important to note how much ERM (or RM) must be tied with Strategic Planning whereas, like you mentioned, consideration of Risk is key for effective decision making.

    Thanks again,

