
A better discussion from the IIA about risk management

November 30, 2021

It is not surprising that the Australian affiliate (IIA-A) of the Institute of Internal Auditors is far ahead of the global headquarters in their expressed understanding of risk management. In general, risk management practices and guidance in Australia are among the best.

The IIA-A has just released a new White Paper, Agile Risk Management. While it mentions the Agile methodology, it is really focused far more on agility, which I commend.

The IIA-A has a lot of good thinking to share. Are they all the way there? Not yet, but this is clearly good progress, and I will come back to this later. But first, the good stuff.

I like the contrast they draw between traditional and agile risk management:

Traditional risk management – built from the risk management common body of knowledge using traditional methods but over-engineered, slow to react and not dynamic.

Agile risk management – adopting new ways of working for risk management practitioners to foster stakeholder engagement and collaboration through use of dynamic methods.

They explain that:

Getting people interested in the concept of risk management is difficult, partly because it is not seen as core business and so does not get the attention it should. And also because in most cases it is:

  • Not dynamic.
  • Slow to adapt.
  • Not showing the up to the minute risk situation.
  • Not horizon focused.
  • Using outdated methods.

While risk management should be a dynamic activity that can quickly pivot to changing circumstances, in practice it seldom is.

After reminding us of the history of risk management frameworks (ignoring the work by COSO[1] in favor of the Australian/New Zealand standard of 2004 and the ISO standard of 2009) and the definition of risk management, they share ten reasons why risk management fails so often.

As they explain:

Some risk management characteristics do not have the desired effect of encouraging or embedding risk management practice within organisations and often run counter to this objective.

A nimble risk management response and approach to the changing dynamics in the organisation’s risk management landscape to provide a timely risk management service to the board (or equivalent governing body), audit committee and senior management.

I don’t know why they limit the customers to senior management and the board. They should have included every manager and decision-maker across the extended enterprise. That is a major mistake.

The balance of the IIA-A paper discusses techniques that may be useful in achieving agility in risk management. I recommend a thoughtful review of this section.

What did they miss?

  • It’s all about achieving objectives, yet that is hardly mentioned. Instead, they continue the practice of a risk register, albeit simplified.
  • As a result, they are not helping decision-makers see the “big picture”, where they can anticipate all the things that might happen and weigh the pros and cons before making an informed and intelligent business decision.
  • As mentioned above, risk management helps every decision-maker have the quality information they need to make the quality business decisions necessary to achieve enterprise objectives.
  • I am not on board with the idea in the paper that “Risk management governance sits in the 2nd line of the ‘3 lines model’. Its job is to make sure 1st line business activities are effectively risk managed.” That sounds like an oversight, policing function. However, I agree with the contradictory comment in the very same paragraph: “The ‘3 lines model’ defines the job of the 1st line is to manage risk, with the 2nd line an enabler and adviser.”

Setting those important issues aside, the IIA-A paper represents progress and a thoughtful contribution to the discussion of effective risk management.

What do you think?

[1] It is referenced in the Bibliography at the end.

  1. Andrey Sogolaev
    November 30, 2021 at 8:38 AM

    Norman, thank you for sharing your thoughts and useful links. However, Agile Risk Management link doesn’t work (Access denied
    Error 16, iia.org.au).

    • Norman Marks
      November 30, 2021 at 8:46 AM

      Thanks, Andrev. I have updated the link and hope it works for you now.

  2. John Fraser
    November 30, 2021 at 8:56 AM

    I guess we were doing ‘agile risk management’ but didn’t realize or call it that…now I know what to call it….

  3. November 30, 2021 at 9:53 AM

    I found the paper too naive and RM1 to be any useful. Their idea of agile risk management is just quicker RM1, which is just a waste.

  4. Anonymous
    November 30, 2021 at 4:36 PM

    I thought that defining agile risk management using the words “risk” and “management” three times was bad but throwing in “nimble” was pretty much unforgivable.

    • Norman Marks
      November 30, 2021 at 4:46 PM

      OK, how would you define it? I am curious.

      • Anonymous
        November 30, 2021 at 8:46 PM

        To be honest, I wouldn’t. We still can’t agree on what the term risk means, why on earth do we now need to throw “agile” into the mix. More consultant speak for zero value. I’m glad that we are progressing the discussion away from ‘traditional’ risk management. But that doesn’t mean that we need to re-title it. In the paragraph below the one using ‘nimble’, they talk about leveraging agile project management techniques and chunking up risk management service.

        There is some brilliant thought leadership out there about how we can fix the problems with risk management, yours included. But I don’t think having organisations like the IIA just perpetuating the problems with ‘traditional’ risk management by trying to rebadge what is essentially (as Alex put it), the current way done faster.

        Industry bodies are still having the wrong conversation… but I suppose that isn’t going to change since there will always remain a lot of money in selling traditional risk management.

        • Norman Marks
          November 30, 2021 at 9:08 PM

          That makes sense, although I don’t think we are going to be able to dispense with the term given regulatory attention. I have tried to draw a picture of effective risk management that is about taking the right risks. I am hopeful that the IIA can be pushed in the right direction.

          I do like the focus on agility though. Decisions are being made every day and they need to be informed with quality insight into what might happen.

  5. Mike
    December 5, 2021 at 8:33 PM

    The integration of agile concepts into the running of a risk management team has some useful ideas. Not sure I would use the term agile for dynamic assessments, but I understand why they used it after reading the paper. This is already happening to some extent in well-functioning risk teams, where they are swiftly working with management, advising on assessing and managing key risks. Norman, I agree that it should not be limited to the board and that it lacks comment on links to objectives. I also question the comments that it is less of a focus for operational risks. From experience, a lot of value from risk management team involvement has been added in the operational space in responding to the pandemic.

