
How effective is risk management today?

November 2, 2019

That is a question that State of Enterprise Risk Management 2020, from ISACA®, CMMI Institute® and Infosecurity Group, attempted to answer. They “surveyed a global population of over 4,500 professionals involved in risk decisions for large and small enterprises, across six continents and all industries, from manufacturing to government and financial services, and every industry in between”.

My opinion is that if you want to know how effective risk management is, you should ask the customer and not the provider.

Pretty much every survey of top executives and board members has, for years, told us that they do not see risk management as much more than a compliance exercise, something you do because you have to: a requirement of governance codes and boards urged on by consultants. World-class, effective risk management helps people make the informed and intelligent decisions necessary for success. It helps the management of success rather than failure.

But the report does have some interesting comments, including (with my highlights):

  • …practitioners who make risk decisions on behalf of their enterprises (e.g., risk managers, cybersecurity specialists, auditors, and governance and compliance practitioners) can be directed to advocate so strenuously and so often in favor of risk reduction that they can sometimes forget that risk management is about optimizing risk rather than removing it entirely.
  • They may focus on unexpected or unplanned events that may impact profitability, competitiveness or reputation but ignore the fact that failure to incur the right risk can likewise be potentially problematic, by causing enterprises to stagnate, lose competitiveness/market share or otherwise underperform their competition.
  • …enterprises question if they are too risk averse or not risk averse enough, if they invested the right amount in risk management processes to bring about the correct maturity level to accomplish their goals, and if they implemented the correct steps to ensure optimization.
    • Comment: the question of how much to invest in risk management is a critical one, one that should be based on an assessment of its value. Value is created when risk management helps people make the informed and intelligent decisions necessary for success, taking the right risks.
  • The survey data show that respondents—particularly those who are at a more senior level in the organizational hierarchy—understand well the most critical risk that challenges their enterprises. They understand both what the risk is—as well as the consequences—should undesirable outcomes occur. Sixty-seven percent of those surveyed indicate that they are either extremely or very familiar with the current business and technology risk facing their enterprise.
    • Comment: I doubt that this is true, because most develop a list of risks that are rated high, medium, or low without considering how they might affect the business and its objectives. If we are to run the business wisely, we need to know which business objectives might be affected and by how much – and I see this done very rarely.
  • What is interesting is that risk awareness correlates to seniority. As the respondent seniority level increases, the more aware they are of the risk that their enterprise faces. Eighty-six percent of respondents at an executive-level job, 80 percent of respondents at a director-level job, 66 percent of respondents at a manager-level job and 55 percent of respondents at a staff-level job are either extremely or very familiar with the business and technology risk.
    • Comment: consider me a skeptic. The recent IIA report (which I wrote about last month) talks about a disconnect between those in senior positions and those in the trenches. It could easily be the case that the executive practitioners (such as the CRO, CAE, and CISO) think they understand the risks but are mistaken. The people closer to business operations may have a better understanding. In any case, I doubt any of them have analyzed the likelihood of achieving objectives, taking into account everything that might happen, both good and bad.
  • Although over 80 percent of respondent enterprises undertake basic risk management steps, the maturity of the risk management process is, on the whole, less than expected given the relatively high adoption of these steps. Only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level of the maturity spectrum for risk identification, which is one of the highest adopted risk management steps. Only 63 percent of respondents report having defined processes for risk identification. Results for risk assessment maturity were similar—42 percent at the managed or optimized level and 64 percent having defined processes.
    • Comment: it would be much more useful to see how many look at the big picture rather than trying to manage one risk at a time. Consider the view from the top (achievement of objectives) instead of from the weeds. Are decision-makers getting and then using the information they need to take the right risks for success?
  • When asked about cybersecurity risk tolerances, only 35 percent of respondents report that their enterprise has a defined (either completely defined or very defined) view of the risk tolerances for their organization.
    • Comment: why is it that so few perform a business impact analysis? How would a breach affect the business and its objectives? How likely is a breach of that magnitude? How much should we spend to mitigate that effect or reduce its likelihood? What is the best business decision?
  • Most risk managers intuitively understand that cybersecurity is a significant area of risk for their enterprises. Survey respondents report information/cybersecurity risk as the most critical risk category facing their enterprises; it is cited as the single most critical risk, with almost double the percentage of the next closest critical risk type (29 percent, compared to a distant second-place reputational risk at 15 percent). Moreover, reputational risk, the second highest type of risk cited, can be a consequence of a cybersecurity risk.
    • Comment: they may understand it intuitively because that’s what the consultants keep saying. But is it? Have they done any form of business impact analysis? Actual breaches have, on average, had minimal effect on business success.
  • The goal of effective risk management is not always to completely remove risk. Risk, when judiciously and strategically undertaken, can lead to competitive advantage, opportunities to better achieve the enterprise mission, entering new markets and numerous other advantages. Instead, the goal should be to ensure that the right risk is being taken in a manner that is judicious and alert to the possibility of potential failure, while ensuring that unnecessary risk—or risk that is out of conformance with the enterprise risk appetite—is avoided.
    • Comment: Absolutely, although I am not in sync with the last part – unless you define risk appetite as the desired level of certainty that you will achieve or exceed your objectives.

I welcome your comments.

  1. Grant Purdy
    November 2, 2019 at 5:04 PM

    If you ask a stupid question, you get a stupid answer! How can anyone answer this question when no one agrees what ‘risk management’ or its root, ‘risk’ means.

    What are ‘risk decisions’ anyway Norman? Surely all decisions involve the consideration of outcome and whether they are certain enough?

    This seems to be another worthless survey asking dumb questions about a meaningless concept. Guess how much the conclusions are worth!

  2. Harshit Baxi
    November 2, 2019 at 9:52 PM

    A few pointers:
    1. The key is to look at the “Portfolio View of Risks” and interconnectivity.
    2. The CRO should play an effective role in shifting the paradigm from “Hindsight – to – Insight – to – Foresight”.
    3. “Risk Appetite” is more useful as a common guiding factor to generate uniform understanding and response across the organisation. But the focus should be on the opportunity side – to be effectively used to identify and take more risks which are worthy and present a better trade-off.
    4. Most importantly, for any survey, the outcome depends on “what is asked”. Garbage in, garbage out. It is critical to focus on the design of the survey itself.

  3. November 3, 2019 at 3:23 AM

    Norman, one department which has always needed to understand risk in a business context is Credit Control. Because it has been around for so long (in companies selling on credit) Credit Control tends to be taken for granted but it encapsulates the issues around risk. A failure to properly assess risk will result in bad debts but too much aversion to risk will result in potential credit sales customers being turned down, with a consequent reduction in sales. Guidance on ‘risk appetites’ is also useful for staff, for example no sales over $10,000 to new customers until they have proved their ability to pay promptly.
    A practical example from my own experience concerned a customer with a monthly order of about $100,000 whose trading indicated they would eventually go broke. We could have refused them any new orders but that would have reduced profits so, with senior management approval, we agreed to process a new order when we had received payment for the last, limiting our exposure to $100,000 (our risk appetite in this instance). After several years, the customer went broke, leaving us with a bad debt but there were no recriminations because all interested parties had agreed to the risk.
    I think this example perfectly illustrates the points you have highlighted in red.
    David Griffiths (www.internalaudit.biz)

  4. November 4, 2019 at 1:46 AM

    Norman, you are so right. Many risk managers suffer from what psychiatrists call the “Kruger-Dunning” syndrome, which means that they are so incompetent that they cannot see their own incompetence.

    They have been told (by regulators, auditors and consultants) that the more risks they identify, assess (no matter how) and define some treatment for (effective or not) the better they are doing. After decades of this, they now believe that.

    It would be more fun to analyse companies’ achievement of objectives, and see how different events/risks affected the performance – rating those who met their objectives despite significant events with a higher score. This is, alas, a complex study to perform – but I gather a very good base for a risk management PhD to dive into.
