Archive for the ‘Risk’ Category

Is it about managing risk?

October 14, 2017 6 comments

It seems to be Protiviti week! On my IIA blog, I am covering a piece by Jim DeLoach and Brian Christensen on internal audit. Here, I want to talk about another DeLoach piece, Transitioning Risk Management to the Digital Age.

Jim’s lead-in is excellent:

The risk management methodologies in play for most companies today were developed before the turn of the century. In effect, risk management is often an analog approach being applied in what is now a digital world. More importantly, if enterprise risk management (ERM) is a standalone process, it is suboptimal. More needs to be done to elevate risk management to help organizations face the dynamic realities of the 21st century and truly leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power, and advanced analytics to embed deeper and more insightful risk information in strategy-setting, performance management and decision-making processes.

He continues with another excellent observation:

The business environment features rapid advances in and applications of digital technologies and rapidly changing business models. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.

But then he says something with which I strongly disagree.

To impact decision making, there are three questions risk reporting must address:

  • Am I riskier today than yesterday?
  • Am I going into a riskier time?
  • What are the underlying causes?

Jim, it’s not about risk.

It’s about achieving objectives.

Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.

COSO ERM 2004 got it right when it said that risk management is “Geared to achievement of objectives in one or more separate but overlapping categories”.

Jim, IMHO the board should be asking these questions:

  • How likely are we to achieve our objectives?
  • If the likelihood is less than acceptable, why? What can we do about it?
  • If there is a possibility of exceeding our objective, what can and should we do?
  • What assurance do we have that management is taking the right risks, making intelligent and informed decisions?
  • Are there any risks that we should be concerned about, that merit our attention and possibly our action?

I don’t want the board to focus on risks in one meeting and then talk about performance and results in another.

They are or at least should be intertwined.

What do you think?

I welcome your comments.

Getting Risk Management Right

October 7, 2017 5 comments

I have to congratulate my good friend, Doug Anderson, for an excellent article in the latest edition of the IIA’s magazine.

While the title calls out the COSO ERM Framework update, the main part of his article is a useful discussion about what risk management is all about.

Here are some key excerpts (with my highlights) with my comments.

The problem is ERM is not a program. In fact, it is not a department nor a process, either. ERM — or more generically “risk management” — is an integral component of decision-making. It is a set of skills, approaches, competencies, tools, culture, and more that do not stand alone, but are part of all that an organization does.

Comment: This is critical. What I especially like is what he has to say about decision-making. Whether it is deciding which strategy to adopt, which plans and projects to pursue, or the day-to-day decisions on pricing, hiring, or purchasing, decision-making is where risk is taken.

Doug provided an example.

Acme Co. is implementing a new software package to support its core processes such as accounting, logistics, and customer management. As part of its planning, Acme lays out all the steps in the implementation process and then considers what may not go as planned. Some things could go wrong; some could go better than expected. Identifying these possibilities, assessing their importance to the project, taking preparatory actions, and watching how the project progresses are part of how Acme manages its software implementation. This is all done using various monitoring and reporting tools, within the culture of how Acme operates. Acme uses the fundamental aspects of good risk management, even though it may not recognize them as such. 

This is 100% consistent with my message, that risk management is all about understanding what might happen, considering whether that is desirable or acceptable, and then taking appropriate action.

As he says, people have been managing risk all their lives. The value of ‘risk management’ is in providing necessary discipline and process.

Doug continues with some excellent points.

Risk Is Not the Focus The approach to risk management should not focus on the risks in isolation. The focus should be on those events [situations, and decisions – ndm] that can affect the achievement of strategy and business objectives. When the focus is on the risks, and not the strategies and objectives, ERM becomes a program. To add value, ERM always must be about accomplishing strategies and objectives. Management does not think first about risk, but about delivering performance and what can impact that performance.

Comment: As Doug says, and Alex Sidorenko has explained in his video and posts, it’s not really about managing risks. It’s about managing the achievement of objectives. In fact, calling it risk management actually inhibits its effective practice.

Risk Is Not an Evil to Be Eliminated Every organization takes risks because the world is not perfectly predictable. Every time an organization takes an action, it takes the risk that its expectations are not correct. Sometimes the events that occur have a positive impact, and sometimes they are negative. [Sometimes, they have multiple effects! – ndm] Risk is a fundamental part of every organization, but it needs to be managed.

Risk Management Is More a Skill and Mindset Than a Process When risk management turns into a department, team, or process, it can easily become something separate from management decision-making. Doing risk management right improves decision-making.

Comment: Actually, effective decision-making is the goal and it requires the consideration of risk. If we focus our attention on ensuring informed and intelligent decision-making, we will not only have effective risk management but a more effective organization.

When he moves on to discuss the role of internal audit he says a few things with which I agree.

As internal audit strives to create and protect value for organizations, understanding the principles of risk management better and incorporating them into the practice of internal auditing can pay large dividends.

auditors can do themselves a favor if they talk less about the adequacy of internal controls and talk more about risk, managing risk, and reducing risk where advised. Management thinks of the world through the perspective of setting out objectives and accomplishing them — all with the goal of delivering performance. The more internal auditors talk about those objectives and the events that can impact delivering performance, the more management would understand how internal audit delivers value. Auditors are not here to be naysayers or add bureaucracy with more controls. They are here to help management deliver on its objectives. This requires auditors to think and talk in terms of risk [to specified objectives – ndm], potential impact, and response.

internal auditors should not focus blindly on always trying to reduce risk. Risk responses should be designed to improve performance. This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance. When internal auditors’ orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.

Doug was an advisor, on behalf of the IIA, on the COSO ERM update project. I wish he had been the author. For my assessment of the ERM update, see this post.

I welcome your comments.

Should you adopt the updated COSO ERM Framework? My assessment

September 29, 2017 6 comments

I have been working on this for a while. I wanted to be fair to COSO and PwC; several of my friends were involved in the update project on the COSO Board and as advisers. I respect them all.

To perform a detailed assessment, I used the 12 questions I developed to assess the exposure draft with two additional questions at the end. Each is scored on a scale of 1-10, where 10 is best.

But first I need to step back and address whether my wishes and expectations for the update were the same as COSO’s. Then I can give my overall recommendation and then the detailed assessment.

I don’t think they were the same.

I started from the point of view that risk management today is far too often ineffective and needs a catalyst to spark a change.

As I said in my comment letter to COSO on the exposure draft, “surveys, notably by Deloitte[1], have found a huge disconnect between those leading risk management and the executives and directors who should be obtaining value from it. Only a small percentage said that risk management had made a significant contribution to their setting and execution of strategies.”

According to the surveys, executives see risk management as a compliance exercise. It is not seen as essential to running the business day-to-day – when in fact it can and should be critical to success, not just avoiding failure. In my comment letter, I set out a number of reasons.

It's 13 years since the original COSO ERM Framework and 8 years since ISO 31000:2009 was published. Who knows when the next COSO update will be, and the news from the teams working on the ISO update is discouraging.

This was an opportunity for COSO to “leap forward” and “transform how organizations are run, from the setting of the mission, objectives, strategies and plans to the daily operation of the business: how it performs in practice through intelligent and informed decision-making at levels of the extended enterprise”.

Enhancements to the COSO framework would be ‘nice’, but when risk management in practice is failing to be seen as vital to success, ‘nice’ is insufficient.

A leap change rather than incremental change is necessary – and something needs to be a catalyst for that change.

I hoped that would be the COSO ERM update.

It is not.

It is my opinion that COSO and PwC did not seek to incorporate leading thinking and practices. I made sure they had a copy of World-Class Risk Management and was assured that they had read it. I also suggested (in the comment letter and in calls with leaders of the update project) that they involve thought leaders.

They appear to be satisfied with modest improvements, incremental changes that, in my opinion, will not change practices to any great extent. This is their news release.

Leading risk management practitioners are already ahead of what COSO ERM 2017 suggests.

Yes, they have made progress:

  • Eliminated the cube
  • Stressed the need to consider risk (what might happen) when selecting strategies
  • Mentioned (without detail) the need to enable decision-making and to address bias (more usually called cognitive bias) and culture
  • Said that risk management is more than the periodic review of a list of risks

They have also introduced diagrams that purport to show the relationships between strategy, performance, risk, risk capacity, and risk tolerance. Sorry, but I don't think the diagrams are more than interesting in theory. I doubt they work in practice, and I question whether they are even theoretically sound, as they suggest that you can aggregate all forms of risk and risk capacity, which you cannot do in the real world.

So, bottom line, where am I?

The update is an interesting contribution to the world of risk management guidance. But…

  • It is insufficient to describe or support the effective management of risk.
  • It is also insufficient as a basis for the assessment of risk management.

However, it is worth buying, reading, and considering – along with ISO 31000:2009, my book (which is way ahead of COSO I am afraid), and other guidance.

Now for the 14 questions and my detailed assessment:

1.      Does the update provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?

·        If the mission is not optimal, it is unlikely that the objectives will be

·        If the objectives are not optimal, it is unlikely that strategies to achieve them will be

·        …and so on

·        In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account

·        It is not sufficient to say that you have considered all the options (possibilities) for mission, objectives, strategies, and plans. The processes where those are selected have to involve the right people, consider all the available useful information (which is reliable, timely, and up-to-date), and more – in other words, the risk of setting a wrong or sub-optimal mission, objective, or strategy, has to be at acceptable levels.

·        Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more

Rating: 7/10

COSO has made a significant improvement in its discussion of the need to embed the consideration of risk into both strategy-setting and execution. I particularly like the reference to scenarios and the need to consider what might happen under each strategic option.

Principle 8 is "The organization evaluates alternative strategies and potential impact on risk profile." It talks about evaluating strategies and making sure that they are aligned with the mission, vision, and values of the organization.

However, there is no discussion of the possibility that the mission or vision is sub-optimal, or that (for reasons such as poor information or not involving the appropriate people) the strategy is not the best.

Risks to setting strategy are important and this is a gap in the COSO update.

 The update mentions assumptions, but not the possibility that the assumptions are incorrect. Mature organizations should understand that and assess the likelihood of an error that would be significant to the achievement of the strategy or objective; actions should be taken where necessary.

I find the discussion of risk appetite, profile, and strategy somewhat confusing. It recognizes that some will set appetite before selecting strategy and others will do the reverse; this is a reasonable point to make. However, when discussing the setting of risk appetite and the definition of the risk profile, it assumes strategies and objectives are already defined. When discussing the selection of strategies, it assumes risk profile and appetite are already in place. I think this could have been written better, and as a result I am unsure how people will be able to interpret and use the guidance.

What I find lacking is any discussion of the need to assess the likelihood and extent of all potential consequences in a disciplined and systematic fashion. In other words, use similar methods when considering the benefits of a strategy as when assessing potential harms.

Further, there is no discussion of the need to take all the potential effects, both good and bad, into account when selecting a strategy. On balance, do the potential benefits outweigh the potential harms? Instead, there is a focus on the list of harms (the risk profile) and risk appetite.

 

2.      Does the update provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?

·        The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks

·        But, does the detail of the framework deliver on those promises?

·        As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day

·        In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information

·        Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?

Rating: 2/10

While the Executive Summary talks about decision-making, there is really no guidance on this. There are no principles and no practical guidance on how decisions should be made, considering all potential consequences.

This is critical, as this is where risk is taken in the real world.

The section on Performance is all about risks – potential harms.

In real life, as distinct from the world of standards and frameworks, people at all levels across the extended enterprise are taking or not taking risk every day. They do this through decisions.

 Every decision creates or modifies risk.

 The key to the effective management of risk is having decision-makers take the desired amount of the right risk.

This is simply not covered.

It is simplistic to think that you take risk only as the result of a risk assessment activity.

As a result, I have great concern as to whether the COSO update will influence risk-taking in practice, in the real world.

 

3.      Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?

·        COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective

·        While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organizations only managing potential harms

·        Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms

Rating: 2/10

COSO and I are on totally different pages.

They see events or situations (or decisions) as having either a positive effect (an opportunity) or a negative effect (a risk).

In the real world, events or situations have not only multiple potential effects, but each is a range and not a point.

The framework asks that people identify opportunities as well as risks, but not the combination of good and bad that is likely to follow from an event or situation.

Even then, COSO insists on a risk profile (a list of potential harms) and assessing whether risks are within risk appetite, without any consideration of the positive that may accompany a negative.

Further, there is only a suggestion to include the effect on objectives as one of the bases for prioritizing risk.

If it is all about achieving objectives and fulfilling strategies, then the focus needs to be there and not on risk.

 The management of risk needs to be far more than maintaining a risk profile. It has to be about taking the right level of the right risks with every business decision.

 

4.      Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?

·        Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But, most situations and certainly most decisions have multiple potential consequences. It’s not just reward or just harm, usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing all the potential consequences can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent

·        Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point

·        The actions and decisions of one affect many. Is the guidance sufficient on this point?

·        Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?

 

Rating: 1/10

As discussed above, this is not covered and is a serious problem IMHO.

5.      Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?

·        In real life, people have to ‘balance’ risk and reward

·        Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it only consider and provide guidance on assessing harms?

·        For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?

 

Rating: 1/10

As discussed above, the criteria for determining whether to take a risk do not include any reference to the potential for reward, only the appetite for risk.
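To make the point in questions 4 and 5 concrete, here is an added worked example (mine, not from the post or from COSO) that models each scenario as a distribution of outcomes rather than a single impact × likelihood number. The dollar amounts and likelihoods are the ones quoted in the two questions above; the assumption that a decision's harms and rewards occur independently of each other is my simplification for the illustration, and in practice they are often correlated.

```python
# Added example: risk scenarios as outcome distributions rather than a single
# impact x likelihood point. Figures are the ones quoted in questions 4 and 5;
# the independence assumption in combine() is the example's, not the page's.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Outcome:
    value: float  # monetary effect: negative is a loss, positive a gain
    prob: float   # likelihood of this outcome; a scenario's probs sum to 1


def scenario(*pairs: Tuple[float, float]) -> List[Outcome]:
    """Build a distribution from (value, prob) pairs. Whatever probability is
    left over is assigned to a zero-effect outcome (nothing happens)."""
    listed = [Outcome(v, p) for v, p in pairs]
    remaining = 1.0 - sum(o.prob for o in listed)
    if remaining < -1e-9:
        raise ValueError("probabilities exceed 1")
    return listed + ([Outcome(0.0, remaining)] if remaining > 1e-9 else [])


def expected_value(outcomes: Iterable[Outcome]) -> float:
    """The 'impact x likelihood' number, summed over every outcome."""
    return sum(o.value * o.prob for o in outcomes)


def prob_loss_at_least(outcomes: Iterable[Outcome], amount: float) -> float:
    """Likelihood that the loss is at least `amount` (value <= -amount)."""
    return sum(o.prob for o in outcomes if o.value <= -amount)


def prob_net_loss(outcomes: Iterable[Outcome]) -> float:
    """Likelihood that the overall effect of a decision is negative."""
    return sum(o.prob for o in outcomes if o.value < 0)


def within_criterion(outcomes: Iterable[Outcome], amount: float, max_prob: float) -> bool:
    """A risk criterion stated as 'no more than max_prob chance of losing at
    least amount', rather than as a single tolerable number."""
    return prob_loss_at_least(outcomes, amount) <= max_prob + 1e-12


def combine(downside: Iterable[Outcome], upside: Iterable[Outcome]) -> List[Outcome]:
    """Joint distribution of a decision's harms and rewards, assuming the two
    are independent (an assumption of this example, not of the framework)."""
    return [Outcome(d.value + u.value, d.prob * u.prob)
            for d in downside for u in upside]


# Question 4: a 5% chance of losing $200 vs a 50% chance of losing $20.
rare_large = scenario((-200.0, 0.05))
frequent_small = scenario((-20.0, 0.50))

# Question 5: the harms and the rewards of 'taking the risk'.
harms = scenario((-50.0, 0.20), (-100.0, 0.05))
rewards = scenario((50.0, 0.20), (250.0, 0.05))
net = combine(harms, rewards)


if __name__ == "__main__":
    for name, s in (("rare large", rare_large), ("frequent small", frequent_small)):
        print(f"{name:15} EV={expected_value(s):7.2f}  "
              f"P(loss >= $100)={prob_loss_at_least(s, 100):.3f}  "
              f"ok under 'max 2% chance of losing >= $100'? {within_criterion(s, 100, 0.02)}")
    print(f"take the risk?  EV={expected_value(net):7.2f}  "
          f"P(net loss)={prob_net_loss(net):.4f}")
```

Both question 4 scenarios have the same expected loss of $10, so a single impact × likelihood number cannot tell them apart; the 5% chance of a $200 loss fails a criterion of "no more than a 2% chance of losing $100 or more" while the 50% chance of a $20 loss passes it. For question 5, the combined distribution shows a positive expected value of $7.50 alongside roughly a 20% chance that the decision ends up a net loss, which is the balance of harm and reward that a decision-maker actually has to weigh.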

6.      Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?

·        The great majority of organizations that have a 'risk appetite statement' at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary

·        Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made

·        It's one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?

 

Rating: 1/10

COSO says that risk appetite is cascaded down to decision-makers but provides no practical guidance or examples.

7.      Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?

·        It is encouraging that this is now included. Is it sufficient?

Rating: 4/10

While the update mentions risk culture and emphasizes its importance, there is no practical guidance.

 

8.      Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?

·        There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more

·        Many use models. Is this covered sufficiently?

 

Rating: 5/10

This is thin, but so is ISO 31000:2009.

9.      Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?

·        If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse

·        How does an organization establish the minimum level as well as the maximum?

·        Does COSO provide sufficient guidance on how to assess both the upside and the downside?

·        Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’? Or does it lead people to evaluate whether the level of harm is acceptable without considering the level of benefit? Does COSO guide people to consider the potential effect on strategies and objectives, or only to assess risk based on some out-of-context measure?

·        The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”

·        However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility

·        A generic statement like “we have no tolerance for this risk” does not help real life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business

·        What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%

·        Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?

Rating: 2/10

The update fails to address the points made in the question above.

COSO has introduced new charts that purport to show the relationships between levels of performance and the level of risk that needs to be taken to achieve each level of performance, the risk capacity of the organization, the risk tolerance, and the level of variability in performance that is acceptable.

But are these charts more than simply interesting?

Are they reflective of real life? Are they practical guidance?

IMHO, they are flawed.

1.      The relationship between risk and objectives/strategy is many to many.

2.      You simply cannot aggregate all risks to a single strategy/objective.

3.      It is possible for all sources of risk to be individually acceptable but, when considered together (using judgment rather than trying to convert risks like compliance or safety to numbers), unacceptable.

4.      If risks are given values, then the aggregate may appear acceptable when an individual source of risk (e.g., compliance) is not.

Thought leaders have questioned the concept of risk appetite, and this section from the update is telling.

“Organizations may also choose to exceed the risk appetite if the effect of staying within the appetite is perceived to be greater than the potential exposure from exceeding it. For example, management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.”

In other words, use risk appetite except when judgment tells you not to – because the benefits outweigh the harms.

It would be a great deal more useful if guidance would recognize from the beginning that assessing and managing risk out of the context of objectives and potential rewards is less than useful.

 

10.   Will it be possible to assess the effectiveness of risk management in practice using the updated version?

·        Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives

·        Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired

·        If the assessment is against principles, are those in the COSO draft as good as or better than those in ISO 31000:2009?

·        If all the COSO principles are present and functioning, does that mean that risk management is effective? If one or more are not present, does that mean that risk management is without doubt ineffective?

Rating: 1/10

The recommended approach by COSO is significantly flawed.

No guidance is provided on how to assess whether the principles are present and functioning. Compare this to the COSO Internal Control – Integrated Framework, where such guidance is provided: (a) internal control can be considered effective if there is reasonable assurance that risks to objectives are at acceptable levels, and (b) the principles are present and functioning if there are no “major” weaknesses – and the latter is where the weakness means that there is a lack of reasonable assurance that risks to objectives are at acceptable levels.

Further, there are no principles or practical guidance on decision-making – which is where risk is actually taken day-to-day.

Arguably, the principles can be assessed as present and functioning while executive management and the board still see risk management as failing to make a significant contribution to both the setting and the execution of strategy.

 

11.   Will the guidance provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?

·        Is the guidance as good as that in South Africa’s King IV Exposure Draft?

 

Rating: 1/10

See #10, above.

12.   Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?

Rating: 2/10

It appears long but the practical guidance is short.

While it may be read and understood, the valuable comments are terse and few.

Much is missing from the guidance in terms of what effective risk management really is – from strategy-setting through execution through decision-making.

13. Will the updated product help the busy executive or board member understand what risk management is all about, that it is not simply a compliance exercise but can improve the likelihood of quality decisions and the achievement of the right objectives? Rating: 1/10

It is not persuasive that risk management will help an organization succeed. At best, it might avoid a level of failure.

I would not provide the busy executive or board member a copy of the Executive Summary.

14. Is the 2017 product a sharp improvement on the 2004 version?

  • Are the changes and additions an improvement?

  • Does the updated Framework represent leading thinking?

  • Will it help move practices around the world to greater levels of maturity and effectiveness?

  • Is it better than the ISO 31000:2009 global risk management standard and other guidance that has been provided by regulators, national corporate governance codes, and so on?

  • Would you recommend that an executive, board member, or practitioner buy the updated Framework? Or should they buy my book? :-)

Rating: 3/10

There are improvements, as reflected in my comment letter. For example, there is language (even if the guidance is thin) on culture, decision-making, cognitive bias, and risk capacity.

It is simply well behind leading thinking on risk management, and I would not recommend that any organization embrace it and believe that it is sufficient.

ISO 31000:2009 is not perfect either. Is it better? Perhaps. It is also thin in a number of areas.

At minimum, everybody interested in COSO ERM should also read and consider ISO 31000:2009. In some respects, they complement each other.

But there is more to risk management, and, in all modesty, I believe the guidance in my book is superior.


[1] Exploring Strategic Risk reported that “Only 13% of [C-level] respondents believe their risk management processes support, at a high level, the ability to develop and execute business strategies”

How well did COSO address comments on the ERM draft?

September 22, 2017 10 comments

Last July, I submitted written comments and suggestions to COSO on the draft of the ERM framework update.

In this post, I remind you of those comments and discuss (see Comment) how well they have been addressed in the final edition. (At the time, I discussed them with several people involved in the update, who all agreed they had merit. However, I got the impression they were reluctant to make the sort of major change I was asking for, saying that COSO might follow the updated framework with thought papers.)

The COSO update has an appendix where they talk about their response to comments. Unfortunately, most of my comments are not addressed in that section.

I will share in a later post my assessment of the final product based on a set of questions that I encourage you to consider. Please join the conversation and share your assessment of the value of the ERM framework update here.

===========================================================================

July, 2016

There’s a lot to like in the update, which in many respects I consider an upgrade.

In fact, I would describe this document as having the potential for a ‘leap forward’, not just a step. It’s more than an ‘upgrade’.

However, it is not yet there. I believe another significant leap forward is required, and this can be delivered through careful and thoughtful consideration of the comments COSO receives on the Exposure Draft (ED) – followed by action to address them.

I believe that while PwC and the COSO Board and its advisors have clearly stepped back and taken a big-picture look at the ERM guidance, a second step back and another look at the essentials of risk management should be taken to consider whether the guidance is truly achieving its potential.

What is that potential? It is to transform how organizations are run, from the setting of the mission, objectives, strategies and plans to the daily operation of the business: how it performs in practice through intelligent and informed decision-making at all levels of the extended enterprise.

As is said in the Introduction:

“The value of an entity is largely determined by the decisions that management makes—from overall strategy decisions through to day-to-day decisions. Those decisions can determine whether value is created, preserved, realized, or eroded.”

In its ideal state, the management of risk is part of the rhythm of the business[1], entwined[2] into every business process and decision at all levels across the extended enterprise. It is no longer a compliance activity, but an essential ingredient in the success of the organization. It is not limited to avoiding harms, but also encompasses determining when the ability to reap a reward justifies taking the risk of harm.

Comment: COSO has gone a long way to see risk management “entwined” into every business process. However, they have done little IMHO to explain how it is part of decision-making and they have not addressed decisions and actions in the extended enterprise.

They say that an ethical person does the right thing when nobody is watching. Effective risk management is present when there is reasonable assurance that every decision-maker, from the board down to the front-lines, will make the ‘right’ decision without a risk officer present.

Comment: This important concept appears to be missing – that we need reasonable assurance that decision-makers are taking the right risk. Risk appetite is a way to identify after the fact whether too much risk has been taken. It only works proactively when each decision-maker knows which risks to take and I don’t believe that is sufficiently covered in their discussions of risk appetite and tolerance.

In fact, in an ideal world, people don’t think about risk management – it’s simply effective management.

Although the Foreword says (more than implies) that the earlier version had been broadly accepted and should be considered a success, that comment is highly questionable.

Surveys have shown that the ISO 31000:2009 global risk management standard has been adopted more often in recent years than the COSO ERM Integrated Framework. Many have taken the best of both to develop their own framework, and many experienced risk practitioners and thought leaders have dismissed the COSO product entirely.

Other surveys, notably by Deloitte[3], have found a huge disconnect between those leading risk management and the executives and directors who should be obtaining value from it. Only a small percentage said that risk management had made a significant contribution to their setting and execution of strategies.

There are several reasons for this. They include:

  • Creating the perception that the consideration of risk is something separate from the activity of managing the organization; as the ED says, it should be an integral element in decision-making every day at all levels of the organization

Comment: COSO has made efforts to address this. But the lack of discussion on decision-making and the continuing focus on a risk profile (which they admit is simply a list of risks, a.k.a. a risk register) will likely inhibit meaningful progress. The key point here is that organizations have been managing risk for centuries, often with success, without a formal program or office. As Alex Sidorenko says, talking about ‘risk management’ instead of effective management can actually inhibit a constructive discussion, because the ‘r’ word has a negative connotation in the minds of executives and because it appears to be something different from effective management when in fact it is not. Good managers manage risk all the time; they anticipate what might happen and deal with it; effective boards insist on discussions of what might happen and related scenarios as part of their strategy-setting and performance review discussions.

  • A focus that is restricted to the potential negative effects of uncertainty, considered at intervals rather than continuously

Comment: The need for continuous risk discussions is included, but it is still focused on potential negative effects.

  • A disconnect with management who are looking to enhance performance and deliver value, not just avoid failure

Comment: The update talks about performance but not how to assess the likelihood of achieving strategies and objectives and therefore enable actions to increase the likelihood and extent of success.

  • Reporting risks rather than the likelihood and extent that objectives will be achieved

Comment: This is a major issue that is not effectively addressed.

  • Communicating in a language different from that of the business. This inhibits management’s ability to not only understand at an intellectual level that the management of risk can help them be more effective as managers and successful as business leaders, but actually believe it

Comment: See prior comments.

  • An expressed desire, fueled by regulators and the concept of risk appetite, to ‘manage’ or ‘mitigate’ risk when in real life risk needs to be taken

Comment: I do not see how the update will constructively influence regulators.

  • Failing to understand that events and situations (requiring decisions and choices) create the potential for not just one but multiple effects – both negative and positive effects are likely every time a decision is made or an event or situation presents itself. All potential effects of a decision need to be assessed, generally in the same way, to understand the potential rewards and harms, understand and evaluate options, and consider what should be done to improve the likelihood and extent of success

Comment: This is a major gap in the update.

First, I want to congratulate the Board, its advisors, and PwC for progress on a number of fronts. They include (not in any particular order):

  • Emphasizing that risk management is about addressing the uncertainty that lies between where we are and where we want to be (although not in that language)
  • Restating that risk management is about achieving objectives. This was also in the prior version, but is repeated and emphasized for the great majority that did not see it in the 2004 edition
  • Making the point (I see Jim DeLoach’s influence) that risk management is not about the periodic review of a list of risks (i.e., enterprise list management)
  • Talking about the need to consider what might happen in the future when setting strategies and objectives
  • Restating that decisions need to be made based on an evaluation of both the potentially positive and negative effects of uncertainty
  • Introducing a discussion of risk culture
  • Using the word “anticipate”, which I think is a highly descriptive way to explain what risk management is all about

These are points made in the Executive Summary.

Comment: We should not forget that the update is an improvement on the 2004 version.

I have developed a set of 12 questions to assist in the evaluation of the Exposure Draft and whether it will move the practice of effective management as far forward as it can and should.

Comment: I wonder whether PwC used the set of questions.

My comments are at this 50,000 foot level. They affect much of the detail and I hope the COSO Board and advisors, assisted by PwC, will consider them and then apply them to the detailed content.


Final thoughts and suggestions

As I said at the beginning of this response, the ED is an upgrade and has some valuable content. The ideas and aspirations laid out in the Executive Summary are, for the most part, excellent.

However, I have problems that I believe are significant.

  1. The ED continues the focus on harms. There is a huge difference between opportunities (such as the opportunity to take advantage of a competitor’s stumble) and recognizing that any situation, event, decision, or choice can have multiple effects on achieving objectives: some positive as well as some adverse. All have to be assessed and evaluated, not just the harms.

Comment: The executive summary may say that there are multiple potential effects, both positive and negative, but the body talks almost exclusively about harms. There is no discussion of the need to identify, assess, and evaluate all potential effects.

  2. The ED continues to focus on a list of risks. While it talks about decision-making and makes the point that risk management informs decision-making, it is more than that. Every decision is a risk decision. Every decision is about understanding the current situation, what is expected to happen, whether that is acceptable, what options are available, and then making informed choices. That is risk management as well as effective management. It is not just risk-informed decision-making. The best way to improve the management of risk is to improve the decision-making process and capability. If the framework could provide a structured process for decision-making, that would make it both practical and of immense value. Instead, it pays scant attention and continues to talk about generating and maintaining lists of risks.

Comment: The framework body focuses on a risk profile (the same thing as a list of risks, just different language), risk appetite, and so on. There is no discussion of how to weigh all the possibilities, the ranges of good and bad potential effects, to come to an intelligent decision. While the update talks about decision-making, this is absent from the principles and I see no related guidance.

  3. The idea that you can aggregate all risks into a risk profile is alarming. You simply cannot do that and expect to be successful. The potential for each objective to be achieved must be managed individually as well as collectively. Compliance risk should not be aggregated with reputation or financial risk. In fact, there is danger in aggregating different forms of compliance risk; compliance risk in aggregate may appear to be at an acceptable level while the company is significantly in breach of specific regulations or laws.

Comment: This misguided guidance remains prominent.

  4. Finally, and most important of all, risk management is really about anticipating what might happen that would affect your journey from where you are to where you want to be. The COSO Board needs to reconsider how it describes terms like uncertainty, risk, and risk management with this in mind. Good decisions come from understanding what might happen, all possible effects, then making informed, intelligent choices.

Comment: Unfortunately, I do not see sufficient progress. While talking about performance is progress, there is insufficient attention to assessing the likelihood of achieving objectives or on decision-making.

I have pointed out other areas for improvement, such as an expanded discussion and guidance on board oversight, and a major overhaul of the thinking around risk appetite and tolerance. But these are the most crucial issues.

A couple of closing suggestions:

  1. Expand the Advisory Board to include practitioners from around the world, especially from nations where the practice of risk management is more advanced than in the US. Grant Purdy, John Fraser, Richard Anderson, and Martin Davies would be excellent additions.

Comment: While some expert advisors were present (notably, Carol Fox), I wish COSO had brought more thought leaders into the process.

  2. Consider, where possible, the use of plain English instead of technical jargon. This would make the guidance clearer to executives and board members. Talk about optimizing outcomes, achieving success, and so on – the language of the business.

Comment: See prior comments.

There is an opportunity to make a huge leap forward, providing a beacon for world-class risk management, or should I say effective management.

That will require a further step back, a deep breath, a willingness to accept the need for change, the courage to make a huge departure from traditional thinking (which has proven to be failing us), and action.

It is better to take longer to think this through and make the changes thoughtfully than to tinker with the ED. Tinkering, I suggest, will not be sufficient.


===========================================================================

Final comment: My impression is that COSO only tinkered with the draft. I understand that they are considering further work, thought papers or similar, that will build on the framework and address some of the points above.

But, have they made a “leap forward”? Have they done enough to move practices forward, in the right direction? Did they want to make that leap forward, or were they too risk averse?

Will this update change the percentage of executives answering the piercing question by Deloitte, “Does risk management support, at a high level, the ability to develop and execute business strategies”, up from 13% to close to 80%?

What do you think?


[1] “Drive business results by harnessing uncertainty”, EY, February 2015

[2] A great word, far better than ‘integrated’ or ‘embedded’, used by PwC in Risk in review: Going the distance, 2016

[3] Exploring Strategic Risk reported that “Only 13% of [C-level] respondents believe their risk management processes support, at a high level, the ability to develop and execute business strategies”

Which are the best principles for effective risk management?

September 15, 2017 16 comments

As we get to know COSO’s updated risk management framework, a good place to start is by examining the 20 principles around which it is built.

While the executive summary talks in a principled manner about the management of risk, the framework is essentially a discussion of each of its 20 principles.

The COSO principles are:

  1. Exercises Board Risk Oversight—The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.

  2. Establishes Operating Structures—The organization establishes operating structures in the pursuit of strategy and business objectives.

  3. Defines Desired Culture—The organization defines the desired behaviors that characterize the entity’s desired culture.

  4. Demonstrates Commitment to Core Values—The organization demonstrates a commitment to the entity’s core values.

  5. Attracts, Develops, and Retains Capable Individuals—The organization is committed to building human capital in alignment with the strategy and business objectives.

  6. Analyzes Business Context—The organization considers potential effects of business context on risk profile.

  7. Defines Risk Appetite—The organization defines risk appetite in the context of creating, preserving, and realizing value.

  8. Evaluates Alternative Strategies—The organization evaluates alternative strategies and potential impact on risk profile.

  9. Formulates Business Objectives—The organization considers risk while establishing the business objectives at various levels that align and support strategy.

  10. Identifies Risk—The organization identifies risk that impacts the performance of strategy and business objectives.

  11. Assesses Severity of Risk—The organization assesses the severity of risk.

  12. Prioritizes Risks—The organization prioritizes risks as a basis for selecting responses to risks.

  13. Implements Risk Responses—The organization identifies and selects risk responses.

  14. Develops Portfolio View—The organization develops and evaluates a portfolio view of risk.

  15. Assesses Substantial Change—The organization identifies and assesses changes that may substantially affect strategy and business objectives.

  16. Reviews Risk and Performance—The organization reviews entity performance and considers risk.

  17. Pursues Improvement in Enterprise Risk Management—The organization pursues improvement of enterprise risk management.

  18. Leverages Information Systems—The organization leverages the entity’s information and technology systems to support enterprise risk management.

  19. Communicates Risk Information—The organization uses communication channels to support enterprise risk management.

  20. Reports on Risk, Culture, and Performance—The organization reports on risk, culture, and performance at multiple levels and across the entity.

There is no doubt in my mind that all of these are good practices.

But:

  • Are they essential to effective risk management? Or are they simply essential to any organization that strives to achieve results? Are they simply attributes of any well-run organization? In fact, are they all the attributes of a well-run organization? Where are the principles relating to decision-making? Certainly, establishing objectives and an organizational structure, or hiring good people, do not seem to be attributes specific to risk management – although it is difficult to understand the risks to objectives if your objectives are not defined.
  • Does achieving these principles indicate that the risk management is effective? I will provide my assessment of the COSO update in a later post. However, these principles are not written in a way that sets the bar very high. It is possible to believe you have achieved these principles while the board and top management see little value being derived from their investment of time and resources into risk management.
  • Are these principles as useful as those from other guidance?

In World-Class Risk Management, I included the following table. It lists the 11 ISO 31000:2009 principles and my revised list of 6.

| Principles in ISO 31000:2009 | Norman’s Revised Principles |
| --- | --- |
| a. Risk management creates and protects value. | 1: Risk management enables management to make intelligent decisions when setting strategy, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders. |
| b. Risk management is an integral part of the organizational procedure. | Not needed, as I would include it in #1. |
| c. Risk management is part of decision making. | Not needed, as I would include it in #1. |
| d. Risk management explicitly addresses uncertainty. | 2: Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives. |
| e. Risk management is systematic, structured and timely. | 3: Risk management is systematic and structured. (Timeliness is covered in my #2.) |
| f. Risk management is based on the best available information. | Not needed; covered by my #2. |
| g. Risk management is tailored. | 4: Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it. |
| h. Risk management takes human and cultural factors into account. | 5: Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome. |
| i. Risk management is transparent and inclusive. | I would not include this as a principle. |
| j. Risk management is dynamic, iterative and responsive to change. | 6: Risk management is dynamic, iterative and responsive to change. |
| k. Risk management facilitates continual improvement and enhancement of the organization. | I would not include this as a principle. It is covered by my #4, and management should always be looking to continually improve, so this is not a distinguishing feature of risk management. |


I will let you decide which is the best set of principles: which is clearer in setting expectations for the effective management of risk and which is better as a basis for assessing the maturity of risk management. (Hint: I think my list is not only better but more succinct, relevant, and actionable.)

Comments welcome!

Is the COSO ERM Update a success or failure?

September 9, 2017 9 comments

A few days ago, COSO published an update to their 2004 ERM Framework. The product, retitled Enterprise Risk Management: Integrating with Strategy and Performance, is available from the AICPA or IIA – see here for the links.

This is their news release, dated September 6. It asserts that:

“The updated edition is designed to help organizations create, preserve, and realize value while improving their approach to managing risk.”

Has it achieved that goal? Or has it failed?

Will it advance practices or has it fallen short of leading thinking?

I am in the process of a careful review of the product and will share the results later.

But I encourage all of you to not only review it but answer my question (is it a success or failure) using a set of questions I shared in June 2016 on this site – upgraded with a few clarifications and a couple of additions (at the end).

Even if you don’t provide your own assessment (for whatever reason), consider subscribing or returning to see how others have commented on the product.

My ask is that you assess the updated Framework by rating each of these 14 questions on a scale of 1-10 (10 being perfect). When you rate, consider whether the COSO discussion provides practical guidance or just makes a theoretical point. Will the guidance help organizations actually achieve the principle or point being made?

Then provide your overall pass/fail.

Here are the assessment questions.

  1. Does the draft provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
    • If the mission is not optimal, it is unlikely that the objectives will be
    • If the objectives are not optimal, it is unlikely that strategies to achieve them will be
    • …and so on
    • In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account
    • It is not sufficient to say that you have considered all the options (possibilities) for mission, objectives, strategies, and plans. The processes where those are selected have to involve the right people, consider all the available useful information (which is reliable, timely, and up-to-date), and more – in other words, the risk of setting a wrong or sub-optimal mission, objective, or strategy, has to be at acceptable levels.
    • Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more
  2. Does the draft provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?
    • The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks
    • But, does the detail of the framework deliver on those promises?
    • As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day
    • In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information
    • Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?
  3. Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
    • COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective
    • While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organizations only managing potential harms
    • Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms
  4. Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
    • Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But, most situations and certainly most decisions have multiple potential consequences. It’s not just reward or just harm, usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing all the potential consequences can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent
    • Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point
    • The actions and decisions of one affect many. Is the guidance sufficient on this point?
    • Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?
  5. Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
    • In real life, people have to ‘balance’ risk and reward
    • Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it only consider and provide guidance on assessing harms?
    • For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?
  6. Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
    • The great majority of organizations who have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary
    • Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made
    • It’s one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?
  7. Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?
    • It is encouraging that this is now included. Is it sufficient?
  8. Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?
    • There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more
    • Many use models. Is this covered sufficiently?
  9. Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
    • If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse
    • How does an organization establish the minimum level as well as the maximum?
    • Does COSO provide sufficient guidance on how to assess both the upside and the downside?
    • Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’? Or does it lead people to evaluate whether the level of harm is acceptable without considering the level of benefit? Does COSO guide people to consider the potential effect on strategies and objectives, or only to assess risk based on some out-of-context measure?
    • The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”
    • However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility
    • A generic statement like “we have no tolerance for this risk” does not help real life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business
    • What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%
    • Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
  10. Will it be possible to assess the effectiveness of risk management in practice using the updated version?
    • Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives
    • Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired
    • If the assessment is against principles, are those in the COSO draft as good or better than those in ISO 31000:2009?
    • If all the COSO principles are present and functioning, does that mean that risk management is effective? If one or more are not present, does that mean that risk management is without doubt ineffective?
  11. Will the update provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?
    • Is the guidance as good as that in South Africa’s King IV Exposure Draft?
  12. Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?
  13. Will the updated product help the busy executive or board member understand what risk management is all about, that it is not simply a compliance exercise but can improve the likelihood of quality decisions and the achievement of the right objectives?
  14. Is the 2017 product a sharp improvement on the 2004 version?
    • Are the changes and additions an improvement?
    • Does the updated Framework represent leading thinking?
    • Will it help move practices around the world to greater levels of maturity and effectiveness?
    • Is it better than the ISO 31000:2009 global risk management standard and other guidance that has been provided by regulators, national corporate governance codes, and so on?
    • Would you recommend that an executive, board member, or practitioner buy the updated Framework? Or should they buy my book?
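The points under questions 4, 5, and 9 above (risk is a range of outcomes rather than a point, impact times likelihood collapses very different exposures into one number, and a decision needs the gain side weighed against the loss side) can be made concrete in a few lines. The following is an added example, not code from the post or from COSO: it models a decision option as a list of outcomes with probabilities, and uses the figures from the bullets above as constructed inputs. The names `Outcome` and `OutcomeDistribution` are mine, and the example assumes that whatever probability the bullets leave unstated corresponds to "no effect".

```python
"""Risk as a distribution of outcomes rather than a single number.

Illustrative code for the questions above; all figures are constructed from
the bullets (5% of $200 vs 50% of $20, and the question 5 loss/gain ranges).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Outcome:
    value: float        # monetary effect: negative = loss, positive = gain
    probability: float  # likelihood of this particular effect


class OutcomeDistribution:
    """One decision option described by all of its potential consequences."""

    def __init__(self, name: str, outcomes: List[Outcome]) -> None:
        total = sum(o.probability for o in outcomes)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{name}: probabilities sum to {total}, not 1")
        self.name = name
        self.outcomes = outcomes

    def expected_value(self) -> float:
        """The 'impact x likelihood' figure, summed over every outcome."""
        return sum(o.value * o.probability for o in self.outcomes)

    def probability_of_loss_at_least(self, threshold: float) -> float:
        """Likelihood that the loss reaches a stated size (a 'risk criterion')."""
        return sum(o.probability for o in self.outcomes if -o.value >= threshold)

    def worst_case(self) -> float:
        return min(o.value for o in self.outcomes)


def with_residual(name: str, listed: List[Tuple[float, float]]) -> OutcomeDistribution:
    """Build a distribution from the (value, probability) pairs given in the text.

    Assumption (not stated in the post): any probability not listed is the
    chance that nothing happens, i.e. an outcome of $0.
    """
    residual = 1.0 - sum(p for _, p in listed)
    outcomes = [Outcome(v, p) for v, p in listed] + [Outcome(0.0, residual)]
    return OutcomeDistribution(name, outcomes)


# Question 4: both options score 'impact x likelihood' = -$10, yet only one of
# them can ever produce a $200 loss.
RARE_LARGE = with_residual("5% likelihood of a $200 loss", [(-200.0, 0.05)])
FREQUENT_SMALL = with_residual("50% likelihood of a $20 loss", [(-20.0, 0.50)])

# Question 5: the loss side and the gain side of the same decision.
LOSS_SIDE = with_residual("potential loss", [(-50.0, 0.20), (-100.0, 0.05)])
GAIN_SIDE = with_residual("potential gain", [(50.0, 0.20), (250.0, 0.05)])


def point_estimate_hides_the_tail(threshold: float = 100.0) -> Dict[str, Dict[str, float]]:
    """Same expected value, different chance of a loss beyond the threshold."""
    return {
        d.name: {
            "expected_value": d.expected_value(),
            f"p_loss_at_least_{int(threshold)}": d.probability_of_loss_at_least(threshold),
            "worst_case": d.worst_case(),
        }
        for d in (RARE_LARGE, FREQUENT_SMALL)
    }


def decision_profile(loss_threshold: float = 100.0) -> Dict[str, float]:
    """What the question 5 manager would want in front of them before deciding.

    Expected values add regardless of whether the two sides are independent,
    so the net figure does not depend on that (unstated) detail.
    """
    return {
        "expected_loss": LOSS_SIDE.expected_value(),
        "expected_gain": GAIN_SIDE.expected_value(),
        "net_expected_value": LOSS_SIDE.expected_value() + GAIN_SIDE.expected_value(),
        "p_loss_at_least_threshold": LOSS_SIDE.probability_of_loss_at_least(loss_threshold),
        "worst_case": LOSS_SIDE.worst_case(),
        "best_case": max(o.value for o in GAIN_SIDE.outcomes),
    }


if __name__ == "__main__":
    for name, stats in point_estimate_hides_the_tail().items():
        print(name, stats)
    print(decision_profile())
```

Running it shows the two question 4 options both at an expected value of -$10, while only the first can produce a loss of $100 or more; for question 5 the expected gain ($22.50) exceeds the expected loss ($15), but the manager is still carrying a 5% chance of a $100 loss, which is exactly the kind of figure a risk criterion set for that decision would need to speak to.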

How good is your chief risk officer?

September 2, 2017 5 comments

My best-selling book, World-Class Risk Management, describes how risk management can enable better decision-making, from strategy-setting to execution, and make a significant contribution to the success of any organization.

But how do you assess the leader of risk management within your organization?

Here are some attributes I consider critical. They tend to overlap but offer different ways of thinking about the individual and their team. They are not necessarily in order of importance; I leave the prioritization to you.

  1. Dedicated to helping the organization to succeed rather than simply avoid failures. (This should be the perception of others, not just the risk officer.)
  2. Has a deep understanding of the business, how it delivers value, is organized, makes decisions, and is run
  3. Seen as a trusted and valuable partner (not police) by the management team at all levels
  4. Listens, especially before speaking
  5. Looks to enable management to identify, assess, and evaluate risk rather than being the authority themselves
  6. Constructive and has good ideas
  7. Willing to recommend taking more ‘risk’ where appropriate for the business
  8. Helps everybody consider all the things that might happen, the multiple effects (positive and negative) that might flow from an event or situation, so they can make the best decisions for the organization
  9. Communicates effectively and is persuasive when appropriate and necessary
  10. Speaks well with and to authority
  11. An effective facilitator of discussions, especially across multiple groups
  12. Helps everybody understand how to identify, assess, evaluate, and respond to what might happen (risk)
  13. Seen as helping each executive, manager, and team succeed through informed and intelligent decision-making
  14. Enables an effective discussion around strategy, the setting of objectives, the management of major projects, and other key matters – either in person or by ensuring effective processes and methods are in place for managing the effects of uncertainty: what might happen (risk)
  15. Avoids enterprise list management and provides actionable, useful information to leaders of the organization that helps them understand the likelihood of achieving each of their objectives – in other words, not simply managing the so-called ‘top risks’ out of context
  16. Ensures that decision-makers have useful guidance on which risks to take
  17. A leader
  18. Works effectively with internal audit
  19. A potential leader of a business operation
  20. Objective and able to speak out as an independent voice when necessary and appropriate

Technical risk management expertise is not one of my top 20 attributes. Certainly it is valuable, but should it rate higher than any of the above?

What have I missed?

With which items do you disagree?

I welcome your comments.

PS – This is a review of my book from an experienced CRO:

Norman Marks’ latest book “World-Class Risk Management” (2015) is a must-read for anyone interested in this evolving topic. It will appeal to the beginner as it leads one from the basics through the various concepts and techniques, while it challenges the most serious practitioner to re-evaluate what they do and why. The academic will also benefit from using this book because of the exhaustive references to some of the best source material on this topic. Norman challenges many stereotypical and clichéd views on risk management, but keeps coming back to simple, easy-to-understand concepts. He captures the essence of his thinking in “The management of risk is an essential element in successful management.” (page 13). This book makes you think, yet it is written in a lucid and friendly style. His thinking on ‘risk appetite’ challenges some ‘sacred cows’ held by many, but will help those who have struggled with this concept to find better ways of approaching this controversial subject. I wish he had written more on risk workshops, but that may be another book someday. Well done, Norman, and thank you for sharing your experience, research and thinking.