
More thoughts on risk management

Today, I am going to review some recent articles on risk management. Each has some good notes, which I will highlight, without hitting what I believe to be all the right ones for success.

AuditBoard is a software vendor and they have shared a whitepaper Strengthening ERM: A Key to Success in a Volatile Environment in a blog entitled Getting Risk Management Right: Making the Case for Risk Maturity. (You can download the whitepaper using a link, with registration, in the blog.)

The blog makes some points I have made before:

  • …effective business leaders understand that organizations must take risks in order to be successful in a competitive business landscape.
  • …higher risk maturity ratings are linked to better stock price performance, lower market volatility (and reduced insurance premiums), higher market valuation, and greater organizational resilience in response to key market events.

The question is whether AuditBoard’s idea of risk maturity is a good one. I doubt it, especially when they use artificial distinctions between strategic and other risks. If something is not a “risk” to enterprise strategies, it’s unlikely to merit executive and board attention. They have included Earnings Shortfall as an Operational rather than a Strategic risk, so they have lost me.

However, using a maturity model for assessing ‘risk management’ is an excellent idea, and I included my own (as well as a few others) in World-Class Risk Management.

The whitepaper also hits some good notes (my comments are in square brackets):

  • Enterprise risk management (ERM) is an activity whose overall objective is to enhance organizational performance.
  • 83% of institutions in Deloitte’s latest Global Risk Management Survey, 11th edition, have an ERM program in place, up from 73% in the prior year’s survey. [But very few are ‘mature’ according to the ERM Initiative’s study.]
  • Now more than ever, it is important to have mature risk management practices in place to respond as efficiently and adequately as possible to unprecedented risk events, such as the Coronavirus (COVID-19) pandemic.
  • Adopting a strategy-centric position toward ERM—as opposed to overly focusing on risk prevention—empowers leaders to take the right risks and realize significant strategic advantages, while strengthening organizational resiliency and agility during times of crisis.
  • “[ERM] is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.” — COSO, Creating and Protecting Value, January, 2020
  • …a 2018 study found that only 22% of organizations with ERM programs in place described their risk management programs as “mature.” Such stark numbers [which are higher than I believe are justified] illuminate the greater overarching issue of risk maturity and its effects on organizational success.

The paper relies heavily on the COSO ERM Framework. One problem is that while it says you should focus on risks from a strategic perspective instead of a risk perspective, it is a static approach.

Risk (if you want to use that term) is not static. A periodic process in the midst of a dynamic environment simply doesn’t cut it for me.

It also omits any mention of the fact that we take and modify ‘risk’ with every decision. Those decisions are made every day across the extended enterprise.

Finally, while it talks about a strategic purpose, there is no measurement of the likelihood of achieving your objectives and strategies. Is that likelihood sufficient?

I think any maturity model has to consider the ability of the organization to:

  • anticipate what might happen,
  • in a dynamic environment,
  • and make the decisions that lead to taking the right ‘risks’ with an acceptable likelihood of achieving enterprise objectives.

My good friend Michael Rasmussen has been cogitating and then writing about risk management this month as well. His first article was The Pandemic & the Dominos of Risk Interconnectedness.

Michael’s a smart guy and when he writes it’s always thoughtful, so I give it my attention. Again, there are some nuggets:

  • Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go through a lot of effort to try to put a label on specific risks, but the reality is risk is too complex to put into a container and label it. An organization cannot look at risk in silos of labels as it fails to see the interconnectedness of risk.
  • As the pandemic unfolded all organizations had a specific impact on their business objectives. Adapting to the crisis, businesses had to modify their objectives. Entity, divisional, department, process, project, and asset level objectives have been modified and risk exposure in the uncertainty of hitting both original and modified objectives is in a state of volatility with the pandemic.
  • With reduced staff, employees are wearing multiple hats and there is greater exposure from segregation of duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones) well-being and security. Working from home offices and not in the corporate buildings means further insecurity for many.
  • Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
  • Constrained supply chains and pressure to meet objectives increases the risk of bribery and corruption. With customs, import and export, coming to a crawl in some countries there is greater risk and exposure that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
  • …risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as table talk exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted.
  • Organizations cannot be managing risk in isolation. They need an enterprise view of risk that sees the interconnections and impact of uncertainty on objectives. They need a top-down approach to risk management that looks at objectives and risk and uncertainty to those objectives. They also need a bottoms-up approach that looks at the details of risk down in the weeds of business processes and transactions.
  • Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, as the risks the organization and world face are complex and interconnected and risk management needs to be balanced.

I can understand how Michael thinks of a “risk event” having a domino effect. I don’t subscribe to that way of thinking. I prefer to think of a typical event as having multiple possible (ranges of) effects on multiple objectives.

What is critical, in my view, is that organizations strive less to manage risks, let alone risks in isolation, and more to manage the achievement of enterprise objectives. They need to obtain assurance that there’s an acceptable likelihood of achieving objectives, and that requires understanding what might happen and how it might affect one or more objectives – then acting where that is not acceptable.

Michael’s second article is Managing Risk Creatively & Structurally.

This is a thought-provoking piece and I encourage everybody to read and reflect on his point.

Let me just pick one section and build a different point than Michael’s:

If we use the ISO 31000 definition of risk: risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. My objective could be to cross the street, it is from there that I analyze and look at the uncertainty in crossing the street. Is the light red or green? Is there oncoming traffic or other moving threats? How fast are the threats coming? Does it look like they see the light? What are the conditions of the road? Is it slippery or dry? We analyze risk in the context of the objectives.

I agree 100% with everything he has written – but it is incomplete.

1. He is only considering threats, not the benefits of crossing the street.

2. The level of benefit affects the decision of whether and when to cross the street. Do you want to cross because there’s a shop window that’s interesting, or is it because your 5-year-old daughter is lying on the sidewalk with a head injury?

3. The decision also should consider the options. Is your spouse or a police officer close to your daughter so you can rely on him or her? How far would you have to walk before you can get to a safe crossing place?

Quality decision-making depends on the use of both sides of your brain, as Michael says. My brain tells me that you need to consider and then weigh all the things that might happen (aka risk), understanding and taking the right level of the right ‘risks’.

I keep coming back to this:

If the CRO only addresses potential threats, executives and the board will learn all the reasons NOT to cross the road, and none of the reasons you should.

Does this make sense?

Comment (June 18, 2020 at 12:18 PM):

If the CRO only addresses potential threats, they have not understood their need to achieve the organisation’s objectives. Either their job hasn’t been properly specified or they aren’t doing a proper job.
