
Are you managing risk or are you managing the organization?

There’s a huge difference between the perspectives advanced by the National Association of Corporate Directors (NACD), a US organization of and for board members, and those of some of the field’s leading thinkers.

As explained in this article, “in January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its Director’s Handbook on Cyber-Risk Oversight. In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations”.

The NACD guidance sets out five principles for board members:

“1. Understand and Approach Cybersecurity as an Enterprisewide Risk Management Issue, Not Just an IT Issue”

At first glance, this makes good sense. But enterprisewide risk management should be about helping people make intelligent and informed decisions. It should not be the end itself.

I would prefer to say that cyber-related risk should be considered in business decision-making. It is just one of typically many sources of risk (what might happen) that can affect the ability of the organization to achieve its objectives.

“2. Understand the Legal Implications of Cyber Risks as They Relate to the Company’s Specific Circumstances”

Certainly, a cyber breach can have legal implications, including potentially implications for the board and each of its members. I worry that directors might be so consumed by CYA that they hamper proper risk-taking by management.

“3. Have Adequate Access to Cybersecurity Expertise and Give Cyber Risk Management Regular and Adequate Time on Board Meeting Agendas”

Manage the business rather than manage any single source of risk! Obtain assurance that management has the capability to understand cyber and how it might affect each of its strategies and objectives.

If cyber is a major source of risk, then go ahead and have a discussion – but ensure you understand how it might affect the enterprise strategies and objectives.

But don’t spend time on cyber when it is a relatively low source of risk compared to, say, cash flow, price and product pressure from competitors, and an uncertain economy.

“4. Set the Expectation That Management Will Establish an Enterprisewide Risk Management Framework With Adequate Staffing and Budget”

I prefer to set the expectation that every significant decision will be informed and intelligent, with reliable information (as best we can) on what might happen.

If we focus on what it takes to have quality decision-making, we will achieve effective management of risk.

“5. Management Discussions Should Include Identification of Which Risks to Avoid, Which to Accept and Which to Mitigate or Transfer Through Insurance”

Stop managing risk – manage the business. Stop talking about accepting or managing risk and start talking about taking the right risks through informed and intelligent decisions.

Now for the contrast.

Two of my friends recently met (presumably in Melbourne). Alex Sidorenko interviewed the incomparable Grant Purdy.

This is how Alex describes Grant:

Grant Purdy has specialised in the practical application of risk management to support decision making for nearly 42 years, working across a wide range of industries and in over 25 countries. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for over 14 years and was its chair for seven. He is co-author of the 2004 version of AS/NZS 4360 and has authored many other risk management handbooks, guides and books. He was also the nominated expert for Australia on the Working Group that wrote ISO 31000 and Guide 73 and later Head of Delegation for Australia on ISO PC 262 that revised ISO 31000.

The interview is available on Alex’s Risk Academy blog.

I strongly encourage everybody to either listen to the interview (it is long, at 50 minutes) or read the transcript.

Here are some key points.

  1. If we can’t agree on what the word ‘risk’ and the phrase ‘risk management’ mean, how can we expect to have a constructive discussion using them? I agree and have suggested that we use plain English (thus the title of my latest book, Risk Management in Plain English); we should talk about ‘what might happen’ rather than ‘risk’, as we need to consider everything that might happen as we strive to achieve our objectives. ‘Risk’ is a word that limits discussion due to its common usage as either something bad that might happen or the likelihood of something bad happening.
  2. Risk registers, heat maps, and such (including COSO’s risk profile) don’t help us make decisions. They can help you decide on whether to act to address a risk, but not whether you should choose this vendor, go ahead with a new ERP implementation at this time, or even cross the road here or over there.
  3. Grant talks about achieving an acceptable level of certainty that you will achieve your aims (i.e., your objectives). I know what he is talking about, but disagree with this characterization. You can never be certain and this may lead people to choose an option where they are most ‘certain’ of the results. In a LinkedIn discussion, I asked:

 Alex, would you choose an option where you have a 70% level of confidence in your assessment that you are 80% likely to gain $500, or one where you have 90% confidence in your assessment that you are 60% likely to gain $450? Is it about being sufficiently certain? What about where there are multiple potential consequences and you have differing levels of confidence?

If your aim is to earn $300, which option do you choose? One where you are highly confident of achieving your goal or one where you are a little less confident but might surpass that goal substantially?

I much prefer to focus on making the informed and intelligent decisions necessary for success.

Grant and I have discussed this and remain apart – but I expect that in time we will, as we have before, come to a meeting of the minds.

  4. Grant focuses on assumptions. This is a great point! Whenever we make decisions, we have assumptions. Frequently, we fail to recognize that we are making those assumptions. Instead, we should be clear about what they are, how they affect the decision, and how we will monitor them. If they are critical to the decision, then should things turn out differently than anticipated we should be ready to change or at least modify the decision.

For example, when the CFO presents his forecast for the next quarter, it is based on assumptions. The executive team should make sure they understand those assumptions, challenge them as needed, and then adapt as conditions change.

  5. Towards the end, Grant captures the essence of what we should all be striving for.

…it’s actually very, very simple. And actually, I’ve gone back to the very beginning. It’s what I used to do years and years and years ago, which is I don’t have to worry about definitions. Just make better decisions by exploring scenarios, looking at certain uncertainties. It’s as simple as that. And particularly the assumptions.

What are the key points for you?

Are you a believer in the traditional methods apparent in the NACD guidance or the ideas and philosophies expressed by Grant, Alex, (and me)?

I welcome your thoughts.

  1. John Fraser
    May 12, 2018 at 5:43 PM

    I agree with all you wrote and would add that the use of the word ‘risk’ is even more useless when limited only to ‘events’ as some organizations have defined it.

    • Norman Marks
      May 13, 2018 at 6:07 AM

      Thanks, John

  2. Jesus Levy
    May 12, 2018 at 7:38 PM

    Totally agree. Semantics is the source of many of our discussions in each and every forum. Everything starts with the term “Risk Management”. It pushes you towards a silo approach with “Risk” being the main task and “Management” a secondary task, when it should be the other way around. We should not be “managing risks”. We have to manage our companies with risks in mind.

    • Norman Marks
      May 13, 2018 at 6:07 AM

      Good point

    • rngong (@ngong)
      May 15, 2018 at 12:55 PM

      Excellent point. I love it

  3. Carl Golightly
    May 13, 2018 at 2:04 PM

    I have to agree. We spend time on risk registers and heat maps and believe that these tools alone help us “manage” risk. Somehow managing risk has become more important than managing the business in light of the risks present.

  4. May 14, 2018 at 1:04 AM

    Thanks for the link to the interview and for your summary. Many of the points in the interview (and the summary here) need to be made loudly and often. I also think it is important to respect the risk management community, which contains many more innocent victims than willful nonsense peddlers. I appreciate the way this blog and your books show that respect, and show a constructive way forward.

    • Norman Marks
      May 14, 2018 at 6:15 AM

      Thank you, Roger

  5. Steven D
    May 14, 2018 at 6:19 AM

    Thanks for the article Norman. In my opinion you are correct, ‘risk management’ should be part of an organisation’s decision making, not something that is separate. We should understand the options available to us, the benefits and constraints with each of them, as well as our own internal biases/assumptions.

  6. Richard Fowler
    May 14, 2018 at 9:00 AM

    While I agree with your comments, they miss the point that the NACD was trying to address. They wanted to correct an oversight in understanding that they have seen among their members. Far too many Boards appear to have limited knowledge of the true risks of improper cybersecurity to the business and, as we know all too well from years of risk management experience, knowledge increases both impact and likelihood of a risk. (yes, I know it shouldn’t, but the reality is that it does.) The NACD was addressing some steps that could be taken to better inform the Boards so they can make informed decisions.

  7. Norman Marks
    May 14, 2018 at 9:14 AM

    Richard, I understand, but the way to understand the risk is to think about how cyber – together with other sources of risk – might affect objectives, not by maintaining a list of risks. I think it is past time for the NACD to recognize that. I worked with them at several events they held in 2016 on the topic but they have not moved forward.

  8. July 25, 2018 at 1:12 AM

    I agree with the shared ideas of Norman.
