Selecting a framework for managing risk

Carol Williams has a web site, ERM Insights, where she writes about risk management (I prefer to talk about the management of risk, rather than risk management, to ensure we are talking about how the organization addresses what might happen, i.e., risk, rather than talking about a function or team).

Recently, she shared her advice on frameworks and standards in ISO 31000 VS. COSO – Comparing And Contrasting The World’s Leading Risk Management Standards.

I like what she has to say (maybe because she quotes me) and recommend that you read and consider it.

Let me add to her discussion.

As Carol says, “the overarching goal of your risk-related activities should be to support decision-making by helping identify and properly assess both risks and opportunities to achieving strategic objectives”.

So the first step should be to understand how your organization makes decisions. Is decision-making centralized or distributed? Are employees empowered or limited?

You should also consider:

  • At what speed and frequency does the path ahead seem to change (i.e., how volatile is risk both from internal and external sources)?
  • The business you are in and what the sources of risk are. For example, I would consider different processes for managing a loan portfolio, customer credit, major projects, derivatives trading, and cyber.
  • How do your decision-makers consume information about what might happen? In fact, what do they need to make intelligent and informed decisions?

The last point is the most important: what information do people need to make intelligent and informed decisions?

The point before that is also important, as you may need different guidelines and processes in different areas of the business.

While the management of risk should be both continuous and dynamic (as risk is created or changed with every decision), on a periodic basis it is wise to take stock and see whether you are on track. Are you still likely to achieve enterprise objectives, taking everything (within reason) into account?

So another question that needs to be answered is how to collect all the information you have about sources of risk around the extended enterprise to provide a big picture view to top management and the board.

Carol correctly points out that selecting a risk management standard or framework should not be like going to a clothing store and finding a suit (off the rack) that fits perfectly. Some, maybe a lot, of customization is going to be required. Tuck in the sleeve around the cyber joint, but extend the hem of the leg that carries the weight of personnel-related sources of risk.

I welcome your thoughts.

  1. Christopher Hayes
    April 14, 2019 at 12:53 AM

    Every once in a while you read something and think “Oh my, this is too good to ignore”. And now I’m going to have to think through how I can make use of it. Damn, I had plans for the weekend!

  2. April 14, 2019 at 4:00 AM

    Norman, you ask, ‘what information do people need to make intelligent and informed decisions?’ I wrote a website (www.managing-information.org.uk) some years ago looking at the question from the aspect of information overload. I asked the question, ‘What information do we require?’ and proposed the answer, ‘the information we require is that needed to make decisions’. If we don’t make a decision as a result of receiving information, we don’t need that information.

    From the point of view of internal audit, I don’t think that ‘decision risks’ are the only risks. I believe ‘process’ risks need to be considered. Let me give an example:
    Objective: to increase profits
    Risk: Customers may not pay for goods delivered
    Internal control: establish a Credit Control department to vet orders

    I consider the above risk as one arising from the business we are in – a process risk. The internal control to manage the risk is a tangible one – we can ‘tick’ it.

    But Credit Control staff need to make decisions which involve risks, ‘Should we accept an order from this customer whose account is overdue?’ The internal controls covering this ‘decision’ risk are: good information and training as to how to use this information. Internal audit can’t easily ‘tick’ these internal controls because they are intangible but have to examine the range of information available, staff training in decision making and recruitment of capable employees. Not ‘traditional’ audit topics when considering credit control.

    This example also goes some way to answer your questions, ‘Is decision-making centralized or distributed? Are employees empowered or limited?’ Virtually every employee should be a decision maker. If they are not, their abilities are not being fully utilised. Are supermarket shelf-stackers given the opportunity to fill the empty spaces first or are they told exactly what to stack and when?

    • April 15, 2019 at 1:24 AM

      dmgriff – you surely have a point – one which is also used extensively by Douglas Hubbard (how to measure anything / the failure of risk management).

      For one – information you do not need/use for anything does not have value for you, albeit it may still be nice to have, and you may still want to collect this.

      Secondly – risk management is all about decisions. It is, however, not only about supporting decisions you are planning to make. It can also be driving/invoking decisions you did not consider making before you got this information. Examples in point:
      – Your competitor is about to launch a new product, which is likely to hamper your sales
      – A new duty trade and trade restriction is imposed on your key market
      – The cost of your key raw material is skyrocketing due to … whatever

      Mature risk management covers both execution based risks (such as your credit risk example, currency hedging, EHS programs etc.) as well as decision focused risk management. However, it is not either/or. There is decision making embedded in execution based risk management as well as there is execution in decision focused risk management.

  3. Scott Tashlik
    April 15, 2019 at 12:41 PM

    Can you please provide some insight on the difference between risk management and the management of risk?

    • Norman Marks
      April 15, 2019 at 1:11 PM

      Risk management in many cases is a department or team. The management of risk is clearly not about that department but how the organization as a whole addresses what might happen.

  4. April 16, 2019 at 7:11 AM

    Hi, Norman. Thanks for using my article as a springboard for this fantastic write-up. Love your questions, as always.

  5. April 16, 2019 at 7:53 PM

    Norman, in the Latin languages, it is impossible to distinguish between “risk management” and “management of risk”. That is why in ISO 31000 only the term “risk management” is used.

    David (dmgriff), you know your risk description is incomplete, isn’t it? The way you described the risk, you can not assess it, right?

    • April 17, 2019 at 12:11 PM

      Francesco, in my book ‘Introduction to risk based internal auditing’ (free from www,internalaudit.biz) I define a risk as, ‘a set of circumstances that hinder the achievement of objectives’ (other definitions are available). If I understand you correctly, this set of circumstances can be assessed (measured) just as with any other definition by considering the impact and likelihood of the hindrance (threat).

      • April 17, 2019 at 3:29 PM

        David, what I meant is that the description of the risk (“Customers may not pay for goods delivered”) is very generic. I believe that, in addition to the event or set of circumstances, the causes and consequences should also be described.

        • April 18, 2019 at 1:05 AM

          Francesco, sorry for the misunderstanding. I was trying to be brief and I should have written, ‘A customer is short of funds, fails to pay their invoice and the organization incurs a bad debt which could be up to $10,000’.
