
Strategy or Objective driven risk management

November 26, 2017

My thanks to Ryan Miller for sharing an interesting post by Mark McNamee of Grant Thornton.

Taking Risk Management by StORM has echoes of what both Tim Leech and I have been saying, namely that rather than managing risks we need to be managing the achievement of objectives (by managing risks to enterprise objectives).

I am starting to think we are all making this more complicated than it needs to be.

Yes, there is a need to inform those who rely on our SEC filings how “risky” the business is.

But, that is not how we need to run the business.

How about this?

  1. Set the right objectives to deliver value to stakeholders
  2. Establish what is needed from each executive, business unit, team, and so on to achieve those objectives
  3. Hold leaders of each area responsible and accountable for achievement of those sub-objectives
  4. Hold them accountable for understanding what might happen (risk) and making intelligent decisions as they run the business to achieve the sub-objectives
  5. Monitor performance and the likelihood of achieving enterprise objectives as a whole and sub-objectives at lower levels
  6. Periodically review those continuing risks and opportunities that may have a significant effect on enterprise objectives – but recognize that this periodic review is a relatively minor part of risk management

This is founded on the principle that we hire not only a CEO and other top executives to run the business as a whole, but also leaders and managers at lower levels to run each part of the organization.

If we can get them managing the individual parts with the shared goal of achieving enterprise objectives, then that is a recipe for success.

You can only be an effective manager if you understand what might happen and factor that into your decision-making.

What do you think?

  1. November 26, 2017 at 10:41 AM

    It is a “recipe” and there are “recipes” for everything, but evidence overwhelmingly reveals the real problem… just having the best “cake recipe” does not get you the “cake”. To make the “cake recipe” you need the right tools. The right tools to ensure ongoing awareness and ongoing accountability with measurability and auditability to get the “cake right”. http://awareity.com/2017/11/09/recipes-recipes-recipes-wheres-cake-safer-environments/

    • Norman Marks
      November 26, 2017 at 10:44 AM

      Are you agreeing or disagreeing? I have identified accountability and responsibility in my list. Please clarify

      • November 26, 2017 at 2:44 PM

        I agree it is a good “recipe”, however lots of organizations have good “recipes”…. unfortunately most organizations do not have the right tools to “make the recipe”. Most are using silo systems, spreadsheets, general training on LMSs, paper, meetings, e-mails, and other conventional tools that are not keeping up with today’s obligations. Those who don’t know history are doomed to repeat it… too many examples of organizations using the same conventional tools because they do not know the history of other failures with their conventional tools. I see it again and again.

  2. Mike Corcoran
    November 26, 2017 at 11:02 AM

    Market based management is a proven formula. From $21 million to $100 billion. Don’t exclusively focus on objectives and risk, focus on value management (creation and preservation), governance and performance.

    Here is one large company’s long term successful recipe. http://www.kochind.com/philosophy/

    • Norman Marks
      November 26, 2017 at 11:13 AM

      How about establishing enterprise objectives and strategies to deliver value to stakeholders? If individual managers go after everything of value they see, the enterprise won’t deliver the most value as a whole.

      • Michael Corcoran
        November 27, 2017 at 6:54 AM

        You do not get to $100 billion in revenue without strong corporate governance, strategy filters and portfolio company objective setting and challenge. So certainly.

  3. Sidney F. Gale
    November 26, 2017 at 11:03 AM

    I’d like to spin it a different way. It is the height of arrogance for any executive, or risk manager, to presume that they can identify all the risks that they may face, particularly in the ‘disruptive’ enterprises that are now the rage. But if you know your objectives and have measurable performance standards that define their attainment, then you at least have a baseline of expectation and accountability against which you can measure the knowable risks, and more importantly identify the unknown risks that may emerge as deviations from plan.

  4. Daniel Kalwiji
    November 26, 2017 at 1:37 PM

    Being younger in the profession I don’t want to say I agree with you; I prefer to say that you are explaining some difficulties we faced as internal auditors. To bridge the gap between auditors and managers we encouraged adoption of COSO, just like the external auditors recommended as well.
    We promoted ERM as well.
    Boards rely on management and its team to craft strategy, execute and report.
    However, the gaps are showing leading to suboptimum performance. Sometimes, I feel that more guidance be given to accountants in those entities that do not have separate strategic units, to help management execute good corporate governance by adoption of risk or internal control frameworks especially that internal auditors are compelled by quality controls to adopt best practice.

  5. Larry Brown
    November 26, 2017 at 6:48 PM

    Sounds like COSO to me. Follow Ron Ross’ NIST special pubs approach, as well. Everything else is a derivative thereof.

    • Norman Marks
      November 27, 2017 at 12:35 AM

      It may be what COSO wants to say but doesn’t. There are no principles or guidance around decision-making, Larry

  6. Jerry
    November 26, 2017 at 11:56 PM

    Excellent reading. I thought objective driven risk management should be encouraged going forward. It is a simple and straightforward way of managing the more relevant risks in modern business.

  7. November 27, 2017 at 2:36 AM

    Norman, where does internal audit fit in? I would add, ‘7. Management to establish processes which ensure risks are managed down to levels acceptable to the board’; ‘8. Internal audit to provide an opinion to the board as to whether steps 1 to 7 are operating properly and comply with regulatory requirements’. (My books at http://www.internalaudit.biz give some ideas as to how to practically achieve step 8).

    • Norman Marks
      November 27, 2017 at 5:00 AM

      David, risks need to be managed up or down to desired levels. We should not defend against risk (as in 3LoD) but embrace it informed and intelligently.

      When managers make decisions, they are taking new or modified risk. That is where risk is managed, not in some overall capability. Better to know which risk to take as you make decisions than monitor and adjust after the fact.

      The role of IA is to provide an opinion on both the effectiveness and efficiency of all of the above. Compliance is a part of that.


    • November 27, 2017 at 9:36 AM

      Norman. Agreed, point 7 should read, ‘7. Management to establish processes which ensure risks and opportunities are managed to levels acceptable to the board.’

      On your second paragraph, I have argued in a past blog that decisions give rise to one sort of risk. The other sort arises from the day-to-day processes of the organisation. It is these risks (among others) that are listed as principal risks in the accounts of UK companies, together with the response to those risks. It is the responses to these risks which can be monitored and where internal audit should provide an overall opinion. (Unfortunately the UK regulations do not require a statement of the objectives which the risks are threatening). Internal audit can also provide an opinion as to the training and supervision that managers receive to improve their decision making.

      I’m wary of the phrase ‘effectiveness and efficiency’, since it can often give rise to the audit opinion that ‘controls are operating efficiently and effectively’, which only implies that objectives will be achieved. I prefer something like, ‘Based on the above findings, our overall opinion is that the risks to the organization’s objectives are not being managed to acceptable levels and that urgent action is required to ensure the objective will be achieved.’ I take your point that compliance with regulations is a risk and is therefore included in the overall opinion.

      • Norman Marks
        November 27, 2017 at 10:55 AM

        David, we are close to agreement. I added “efficiency” because you can be effective and wasteful.

        • November 27, 2017 at 11:36 AM

          Norman, agreed. I’ve found that after a fraud many inefficient controls can be added.

  8. Marie Holland
    November 27, 2017 at 9:19 AM

    I agree that ERM should focus on the achievement of objectives. ERM can enhance a company’s ability to deliver on its strategy by neutralizing inherent management biases.

  9. Barbara Peter
    November 27, 2017 at 10:33 AM

    While StORM is most certainly not a new concept to ERM practitioners, the article is a well written and easy to understand way of presenting it; I can see using it as a tool for coaching senior/executive management on ERM practices.

  10. Francesco De Cicco
    November 27, 2017 at 1:41 PM

    Can we say that these approaches could be summarized as: MBO + BSC + RM?

    See this article for example: http://bit.ly/2jqRZ6W . The novelty here would be to add uncertainty, risk and their management?…

    • Norman Marks
      November 27, 2017 at 1:56 PM

      You need to set the right objective and add decision science to your list

  11. John Fraser
    November 28, 2017 at 10:34 AM

    Francesco, I believe you have captured it. Professor Bob Kaplan of Harvard, creator of the balanced scorecard approach, is now an advocate of ERM as the ‘third leg of the stool’ to successful execution of strategy.

  12. John Fraser
    November 28, 2017 at 10:38 AM

    The article referenced works well when there is a limited number of sources of risks per objective. In practice, a single source of risk will usually potentially impact several objectives, setting in place a complex web of probabilities and it becomes important to really understand each source of risk and its potential effect – Monte Carlo simulations anyone?

    • Francesco De Cicco
      November 28, 2017 at 1:33 PM

      Yes, John. That’s why I think it’s critical to make a correct description of risk, making clear which objectives are being referred to and identifying the particular source of uncertainty and how it could lead to consequences.
      Words alone as descriptors of consequences or their likelihood are prone to divergent interpretation, suggesting the need to quantify some characteristics of risk. This has been reinforced by research into intelligence analyses in the USA that showed considerable misunderstandings of text-based analyses by decision makers (Tetlock P., 2006, ref. by Peace C., 2015).
