Is it about managing risk?

October 14, 2017

It seems to be Protiviti week! On my IIA blog, I am covering a piece by Jim DeLoach and Brian Christensen on internal audit. Here, I want to talk about another DeLoach piece, Transitioning Risk Management to the Digital Age.

Jim’s lead-in is excellent:

The risk management methodologies in play for most companies today were developed before the turn of the century. In effect, risk management is often an analog approach being applied in what is now a digital world. More importantly, if enterprise risk management (ERM) is a standalone process, it is suboptimal. More needs to be done to elevate risk management to help organizations face the dynamic realities of the 21st century and truly leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power, and advanced analytics to embed deeper and more insightful risk information in strategy-setting, performance management and decision-making processes.

He continues with another excellent observation:

The business environment features rapid advances in and applications of digital technologies and rapidly changing business models. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.

But then he says something with which I strongly disagree.

To impact decision making, there are three questions risk reporting must address:

  • Am I riskier today than yesterday?
  • Am I going into a riskier time?
  • What are the underlying causes?

Jim, it’s not about risk.

It’s about achieving objectives.

Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.

COSO ERM 2004 got it right when it said that risk management is “Geared to achievement of objectives in one or more separate but overlapping categories”.

Jim, IMHO the board should be asking these questions:

  • How likely are we to achieve our objectives?
  • If the likelihood is less than acceptable, why? What can we do about it?
  • If there is a possibility of exceeding our objective, what can and should we do?
  • What assurance do we have that management is taking the right risks, making intelligent and informed decisions?
  • Are there any risks that we should be concerned about, that merit our attention and possibly our action?

I don’t want the board to focus on risks in one meeting and then talk about performance and results in another.

They are or at least should be intertwined.

What do you think?

I welcome your comments.

  1. Sidney F Gale
    October 14, 2017 at 6:28 PM

    I would substitute two questions for the ones provided:
    1. How am I measuring that I am moving toward my objectives…or going off the rails?
    2. How am I monitoring my operating environment for changes that alter the assumptions, and therefore the potential risks, to my objectives.
    These questions ask for specific responses that determine whether objectives are mere pious platitudes, as too often happens, or are accountable to clearly designed tools to unflinchingly measure reality. These questions were always relevant, but the digital environment greatly enhances their relevance and power.

    We can’t manage what we can’t measure. If we can’t make our objectives clearly measurable, measuring risk is the least of our worries.

  2. Jomathan blackmore
    October 14, 2017 at 6:56 PM

    Fully agree risk is always in the context of the organisation's strategic objectives. When working with boards I typically focus on 3 questions. Are we taking the right risks, i.e. those risks that enable the achievement of our objectives? Are we taking the right amount of risk, is it too little or too much? And do we have the right risk mitigation strategies in place?

    • October 16, 2017 at 9:15 AM

      I like your 3 questions.
      If I may, I suggest a change in the third one: … the right risk treatment (or management) strategies…rather than “risk mitigation”; this gives room for more actions like risk exploitation and risk sharing, risk enhancement.

  3. GSosbee
    October 16, 2017 at 7:31 AM

    First of all any notion that risk is “analog” is totally incorrect. Next to the IT operation itself, managing risk is about as digital as it gets as the manipulation and analysis of the volume of data to produce a current risk profile in real time can only be managed through intelligent systems.

    The Board should consider risk as a parameter only when establishing or altering risk parameters. Otherwise Norman’s questions are proper.
