
Assessing the effectiveness of your risk management program

The IIA has published a new Practice Guide, Assessing the Risk Management Process. In IIA-speak, this is recommended but not mandatory guidance for its members.

A previous December 2010 Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000 is still available.

I much prefer the earlier version, especially as it talks about meeting the needs of the organization (which is critical) and how management needs to know what risks to pursue, not just avoid or mitigate, so that it can achieve its objectives. It also includes the famous “fan”, indicating which risk management roles are appropriate for internal auditors.


The new PG has some good content, including (my highlights):

  • Risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.
  • Benchmarking the current state of the organization’s risk management against a risk management maturity model is a good place to start this type of assessment. Benchmarking may help the internal audit activity communicate with senior management and the board about the organization’s level of risk management maturity and about aspiring to improve the process and advance in maturity.
  • A mature risk management process typically demonstrates benefits, such as: enabling risk-based decision-making and strategy-setting [and] increasing the likelihood the organization will meet its strategic objectives.
  • If management believes that the risk management process is a bureaucratic exercise that is not worth the resources needed to execute it, then recommending large-scale improvements may be premature and received with skepticism or rejected completely.

I also like the fact that the PG recommends identifying and considering risks to the risk management process itself, a concept I invented in World-Class Risk Management (unfortunately not referenced in the PG).

But both PGs fail to focus on whether the risk management program helps organizations achieve their objectives. They only consider the potential for harm.


Consider this.

In 2008, when so many financial institutions were in trouble, the UK banks decided to stop making loans. They brought their ‘risk appetite’ down to very low levels.

If their risk management program had been assessed using either of these PGs (or, frankly, any of the major frameworks, standards, or guides), it would have been rated highly.

Their level of risk was within their desired range, their risk appetite.

But what happened from a business point of view?

They had next to no revenue and cash flow was severely impacted.

It was not sustainable.

What they should have been doing (and I assume they turned to this) was taking an appropriate level of risk that gave them an acceptable likelihood of achieving their short and longer-term objectives.

To repeat what the PG correctly says: “effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value”.

In order to achieve your objectives, you have to take risks. The question is whether you are taking the right level of the right risks, with quality information about what might happen!


Avoiding failure is a recipe for failure.


So how should you assess the effectiveness of risk management?

You do it by assessing whether it meets the needs of the organization. Those needs include:

  • Enabling intelligent and informed decisions, both strategic and tactical, anticipating what might happen
  • Being confident that the right level of the right risks are being taken to achieve enterprise objectives, balancing the potential for both harm and reward
  • Having an acceptable likelihood of achieving (or surpassing) enterprise objectives

When your executives say that the management of risk helps them set and then execute on strategies (paraphrasing a Deloitte survey and report, where less than 20% said it did), then you probably have effective risk management.

There are multiple approaches to assessing the effectiveness of risk management. One is to determine whether management complies with its own policies and standards, and whether its risk register is complete and its assessments are ‘correct’; this has some value, but not much. Another is to see whether the principles in ISO 31000 (I prefer those in the 2009 version) are achieved; this has more value. But I prefer what I suggested above: seeing whether the executives believe it is essential to their own and the organization’s success.

I like the maturity model approach and included a few (all of which I prefer to the one in the 2019 PG) in my book, World Class Risk Management.

But any maturity model has to avoid a focus that is limited to identifying, assessing, and managing the potential for harm. It has to include whether both potential harms and rewards are considered (in a disciplined and reliable manner) in decision-making.

Building on the discussion in the new PG about risk to the risk management process, in an effective program the likelihood that the information provided is significantly wrong is low (at an acceptable level).

What do you think?

  1. Gregory Sosbee
    March 25, 2019 at 9:02 AM

    Very good analysis Norman. It is critical that the Board and senior management understand the construction, application and what is to be expected of their risk management program. This is why the first step in the development of an effective risk management program (the Program) has to be a Board resolution that lays out at least initial Risk Threshold Parameters (RTP’s) and expectations. After the Program has been implemented IA will have a blueprint to work from. If IA wants the Program tied to one of the standardized processes, the risk manager will provide a correlation to the selected process.

    • Norman Marks
      March 26, 2019 at 9:28 AM

      Gregory, that sounds like a compliance audit rather than one that assesses whether the program meets the needs of the organization, helping them make informed and intelligent decisions, take the right risks, and achieve objectives.

  2. March 26, 2019 at 8:51 AM

    Good article Norman. I suppose one problem with risk management is that it shouldn’t be just ‘risk management’. It should be ‘achievement of objectives management’. This management involves the establishment of objectives, determination of opportunities and threats, and the balancing of these to maximise the probability of achieving the objectives. Every level of staff, not just senior management, should be trained in decision making and it is this that IA should be verifying.
    David Griffiths (www.internalaudit.biz)

    • Norman Marks
      March 26, 2019 at 9:27 AM

      Yes, David. I call it ‘success management’.

  3. March 29, 2019 at 10:07 AM

    Just finished reading the document. I think you are very very generous in your feedback. The content of the document is borderline negligent.
