How will risk management change as we emerge from this crisis?

People, especially consultants, are not only telling us how to address the pandemic but also what we should look for when it’s all over.

In his latest post, my good friend Michael Rasmussen makes some good points. He is always worth listening to and today is no exception.

Keep Calm & GRC On! reminds us, first, what GRC is all about. I like the OCEG definition that he quotes as it makes sense.

GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

He spells out his vision, what he sees in his crystal ball, of what risk management (in particular, although he also touches on contingency planning and policy management) will look like once we are done with COVID-19.

But I have a different perspective.

It’s a tough line, but we need to face reality.

Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure – which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations.

These same leaders should now be asking whether the risk management program they had in place prepared them for the crisis – and whether it is helping them navigate through it now.

If risk practitioners (and internal auditors) are setting their prior practices, frameworks, and standards aside and doing what the organization needs right now, they will earn recognition and respect from the board and management.

But if they insist on doing what they always have done, sharing heat maps and performing audits of what used to be risks, they are going to be seen as getting in the way of the management team. They are not helping in a time of crisis, when people need to make rapid and critical decisions.

Now is the time to prove our worth. Find out how we can help and then do it.

Later, we should change from what I call (in Lean terminology) a ‘push’ approach to one that is more of a ‘pull’ approach. What I mean is that we should figure out what the organization needs from us if they are to be successful, and then deliver it (pull) – instead of doing what we think is right (based on industry or professional standards) and hoping that once we push it at them they will see some value.

I explain this and more in a video call I did on Wednesday with Alex Sidorenko. (I come onto the call a few minutes after it starts.)

I welcome your comments.

  1. Grant Purdy
    March 21, 2020 at 5:55 PM


    Crises like the one we all face now just expose the total folly of the ‘risk management’ edifices organisations have built. Leaders are making decisions that in some cases, and often quickly in retrospect, either prove inspired or, mostly, highly defective. But the overall impression is that, despite the claims of the risk management fraternity (or whatever three-letter acronym you like to label your particular brand of belief system with), it’s all very ‘hit or miss’!

    From what I can see, no one is reaching for their ‘risk register’ or ‘risk appetite statement’ or ‘risk matrix’ (etc. etc.) to help them make a decision. Some decision-makers are clearly listening to others, thinking out assumptions and choosing between options so that they end up with a decision which they are sufficiently certain will lead to the outcomes they desire. However, many, including some of the most important ‘leaders’ in the world, are making decisions based simply on gut feel, ignoring the advice of others or the experiences elsewhere. They seem to lurch from crisis to crisis, with precious little monitoring taking place to see if decisions lead to the outcomes desired or whether the original basis for a particular decision still remains valid.

    Some misguided politicians are still bandying around nonsense words like ‘risk’ and ‘risk management’ as though just uttering those phrases as part of their ‘spin’ will solve problems and pacify people. Fat chance!

    In my real-world, practical experience over the last few weeks I’ve seen clear evidence that the distraction of ‘risk management’ has in some cases led to poor decisions or, mostly, just impeded the process of making a decision with sufficient certainty of outcomes. Similarly, most organisations’ Business Continuity Plans (another three-letter acronym) have proved useless because they focused on specific events and not generally on the organisation’s vulnerability and how that can be reduced, and how decision making can be enhanced when a disruption occurs. Mostly, they’ve been cast aside by decision makers as totally irrelevant!

    At this time, mankind needs leaders (not politicians worried about getting elected) who are capable of making the best possible decisions – for the sake of us all. Even if people say this is ‘risk management’ they are simply deluding themselves.

    If anything, this awful crisis just proves we have wasted years and $billions building ‘risk management’ edifices that have ended up like the Maginot Line in WW2: they have created a false sense of security, and exposed us all to the perils of inflexible strategies, poorly defined assumptions, insularity and blindness to wider context and ineffective monitoring.

    Now we are facing our biggest challenge in a generation, our various ‘risk management’ ‘frameworks’, ‘systems’ and ‘programs’, and all the paraphernalia that comes with them, manifestly are not only failing to respond but are actually impeding good decision making.

    When we get through this, we must remember all this and never fall for a similar ‘con job’ again.

    • Norman Marks
      March 21, 2020 at 6:40 PM

      I think you are agreeing with me… 🙂

      • Grant Purdy
        March 21, 2020 at 6:55 PM


        I think you are agreeing with me, now!

  2. March 22, 2020 at 6:07 AM

    Totally agree with you, Grant. When I joined IRM as their CEO 18 years ago, I couldn’t believe the size and scale of the risk management edifice that existed, nor the extent of its segregation from ‘normal leadership’. I still remember the day their then Chairman told me that a risk management plan should be totally segregated from their business plan. Poppycock!
    It’s now five years since I left that role and I’m even more convinced now that ‘risk management’ is simply one approach to leadership – a useful set of tools, if you like – but by no means an end in itself.
    And please, please, please, let’s not overcomplicate things with GRC – now that is ‘goals, risk and culture’ surely… (it should be)

  3. Gary Lim
    March 22, 2020 at 6:29 AM

    Risk Management is DYNAMIC in nature, but many take it as static and review it periodically. In the current crisis ample notice was given to ALL parties and countries; did the BOD call a meeting to ask the question: IF it reaches a scale of having to lock down, how would it impact all the stakeholders? If yes, these companies are prepared for it. The Chairman has the final say after hearing the BOD’s views. The after-effect is something everyone can talk about with great insight.

  4. Kelly Wedge
    March 23, 2020 at 10:40 AM

    I am not as accomplished as Norman or the many others that comment on these blog posts, but I would just like to offer an alternate view. First, we shouldn’t talk like risk management has already failed – if we are all true proponents of using risk information to make better decisions, we should be shouting the risk information from the rooftops to persuade business and government leaders. The articles by Tomas Pueyo have been excellent, and I have seen them influence business leaders to make different (better) decisions. I have included a link to his most recent; I would encourage everyone that follows this blog to share as well.

    • Norman Marks
      March 23, 2020 at 10:43 AM

      Kelly, if it is recognized by leaders as helping them make better decisions and not just avoid harm, I commend whomever is leading that program. Unfortunately, that is rarely the case. Surveys continually show that 80% or more of leaders see risk management as a compliance exercise.

      • Norman Marks
        March 23, 2020 at 10:46 AM

        BTW, I agree that articles that say what Tomas Pueyo says in this piece are valuable.

  5. March 23, 2020 at 1:25 PM

    We have in the UK an on-line grocery retailer called Ocado. Well established, with warehouses all over the country and a good delivery service – until Covid-19. Fantastic opportunity: people don’t want to go to stores, they want to shop on-line. Not only that, Ocado now consider themselves a technology company, selling their software throughout the world. Covid-19 strikes and their site crashes and is still out of action – well, not quite: ‘You are position 7523 of 9009. Your wait time will be about two hours’. Yet look at their accounts and the ‘How we manage our risks’ page: not a mention of a pandemic being a risk, or any circumstances where their site might be overwhelmed. It’s not as if a pandemic was not a possibility; we’ve had several near misses in the past decade.
    I could cite other examples, prior to Covid-19, where risk management has failed completely despite warm assurances in company accounts.
    How should risk management change? It could abolish itself and hand responsibility for risks back to where it belongs – the managers.

    • Grant Purdy
      March 23, 2020 at 1:46 PM

      Bravo dmgriff.

      “hand responsibility for risks back to where it belongs – the managers” – that’s where it has always been. With the decision makers.

      Of course, it would help if we could all agree what the terms ‘risks’, ‘risk’ or ‘risk management’ mean. However, that genie is out of the bottle and won’t ever go back again.

      There will be a lot of changes to the world after Coronavirus. Let’s hope one of them is the toppling of all the useless ‘risk management’ edifices that impede rather than assist decision making.

    • Gary Lim
      March 23, 2020 at 8:14 PM

      Great, dmgriff. “..It’s not as if a pandemic was not a possibility…” My guess is that Ocado’s BODs did not believe that it would reach this stage of pandemic, hence there was no immediate action to apply WHAT IF… to the entire operations. Did the Risk Manager monitor the happenings in China and report DAILY to the BODs? There was so much to learn and then prepare for when applying a WHAT IF scenario.
      Now it is just talking with hindsight: SHOULD HAVE…

  6. March 23, 2020 at 2:29 PM

    Risks are nasty things which happen when you are least expecting them: https://youtu.be/T8XeDvKqI4E

  7. April 3, 2020 at 3:44 PM

    An interesting perspective here, Norman, and a very good point that at the moment RM professionals need to adapt their approach fast. Personally I think they have a choice: either play a role in helping their organisations to manage the risks that strategy adaptations are forcing, or become obsolete through inaction.

  8. April 20, 2020 at 1:55 AM

    Changes in risk management affect the fact that RM specialists will focus more on developing different response scenarios for each significant acne for the existence of the enterprise.

  9. Daniel Isibo
    April 20, 2020 at 9:47 AM

    RM now needs to be more reactive after COVID-19.
