Six principles for effective risk management

August 5, 2017

In World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six. (Later in the book, I discuss a possible risk management maturity model as well as what it takes to go beyond simply effective to deliver world-class value.)

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

I believe it is useful to assess your risk management activity against these principles.

As my friend Alex Sidorenko says in a recent video (which I recommend), risk management is not about managing risks: it’s about enabling informed decisions.

Informed and intelligent decisions are how we achieve objectives. Those decisions need to consider what might happen (harms, opportunities, and combinations of the two) as we strive to succeed.

With that in mind, I suggest a different definition of risk management in the book:

The effective management of risk enables risk-aware decision-making, from decisions about the direction of the organization, to its core strategies, to the decisions made every day across the extended enterprise.

The processes and related policies, structures, and systems for identifying, analyzing, evaluating, and responding to risks are established by management with oversight by the board to ensure that the effects of uncertainty (both positive and negative) on the achievement of objectives are understood and managed to support the realization of the organization’s mission and commitment to stakeholders.

My understanding is that COSO will publish its update of the ERM Framework very soon. It will be interesting to see the principles they have come up with and how they compare with mine.

In the meantime, I welcome your thoughts on the above – and any other comments you may have on this best-selling book.


Two words to transform discussions of risk management

July 29, 2017

I have written extensively about the disconnect between risk practitioners and executives when it comes to risk management.

I have urged practitioners to:

  1. Use the language of the business instead of risk techno-babble;
  2. Try to stop using the R word entirely! Talk instead about what might happen, whether that is OK, and what we are going to do about it; and
  3. Focus on enabling intelligent and informed decision-making rather than a periodic list of risks (enterprise list management)

Now I have a new suggestion.

If you have to use the R word, add two more.

Instead of talking about risk, talk about risk to objectives.

Review a list of risks to objectives and consider how much risk to objectives you are willing to take.

If you have to talk about risk appetite, talk instead about the appetite for risk to objectives.

Those two simple words make you focus, not on risk for its own sake, but on how enterprise objectives might be affected.

Which objectives are “at risk”? Be specific if you want to drive the necessary actions.

Are you more or less likely to achieve them? Is that OK?

It’s not about managing risk – it’s about achieving objectives.

What do you think?

Would this improve the discussion?

It’s a simple thought but I think it can make a huge difference.

Do you agree?

Positioning risk management to succeed

July 22, 2017

Jim DeLoach of Protiviti is an old friend. We enjoy discussing risk management over a meal, finding that we agree on far more than we disagree. Where we do disagree, it may be more a matter of how we express ourselves, or due to our different positions and perspectives (he is a consultant and external advisor to boards and executives, whereas I was an executive practitioner, now retired).

His work always, in my experience, merits our careful attention and reflection.

Jim recently wrote Positioning Independent Risk Management to Succeed: 6 Ways to Support the CRO. Here are some excerpts and my comments:

DeLoach: If the board, senior management and operating personnel believe that the CRO is the only person within the organization who is concerned with risk, the game is over before it begins. In these situations, there is a major source of dysfunction lying in the weeds, and it is merely a matter of time before the organization falls victim to it.

Marks: Absolutely correct and a good observation. Decision-makers need to understand and consider everything that might happen and make an intelligent and informed decision. Such a decision leads to taking the right levels of the right risks, that in turn leads to achieving objectives and success.

DeLoach: Effective CROs are concerned with what the institution’s leaders may not know and, therefore, must occasionally offer a contrarian point of view; otherwise, the decision-making process may end up flawed with “group think.” In today’s environment, decision-making processes should be driven by objective assessments of the risk/reward balance, rather than by the emotional investment, management bias and short-termism that underlie dangerous organizational blind spots.

Marks: If the leaders don’t know, why is that? The CRO should help all decision-makers think about all the things that might happen, and do so in a disciplined manner. Teach them to fish rather than giving them fish. In addition, the CRO should question the analysis of the potential for reward – not to tear it down but to ensure it has the same rigor as exercised on the potential for harms. Finally, it’s not about “balance”. Any decision will have multiple ramifications and the CRO can help facilitate the consideration of all of them, not singly but as a combination.

DeLoach: In many organizations, board risk oversight is enhanced when the board and executive management are supported by an effective independent risk management function.

Marks: In many organizations, setting up an independent risk management function creates an atmosphere of mistrust and impairs success. The CRO and his team must consider themselves as aides to management rather than the police function that prevents them taking too much risk.

DeLoach: Tension within an institution between its market-making and control-related activities is inevitable and should be encouraged. Striking the appropriate balance between the two is fundamental to what a CRO attempts to achieve.

Marks: A system of internal control enables success, not just prevents harms. Thinking of the risk function as limited to preventing harm prevents it from achieving its potential.

DeLoach: The “Champion” CRO advances and enables the organization’s risk management framework and plays the roles of coordinator and integrator (to ensure consistency across operating units and functions), educator (as a provider of insights), facilitator (of risk assessments and formalization of risk mitigation plans), consultant (regarding application and execution of the risk management framework), communicator and reporter. Champion CROs often establish, communicate and facilitate the use of appropriate risk management methodologies, tools and techniques; facilitate risk-related meetings; and work with risk owners to provide transparency into the capabilities around managing the priority risks across the institution.

Marks: Agree, but let’s add the role of mentor, helping decision-makers understand how to identify, assess, and respond to all the things that might happen as they make decisions.

DeLoach: the CRO establishes and communicates the organization’s risk management vision.

Marks: It’s not about managing risk for its own sake, but knowing when and how to take the right levels of the right risk. Risk management vision is a myopic view that focuses solely on limits to harms. Sometimes, it is right to go all in!

DeLoach: To serve as a second line of defense, a CRO must have sufficient stature with business line leaders and across the organization. Stature comes from the authority, compensation and direct reporting lines that command respect.

Marks: Stature comes from consistently producing results, to the extent that leaders across the enterprise recognize the CRO and his team as helping them and the organization succeed.

DeLoach: the CRO role should not be perceived as a check-the-box compliance function that forces the business to follow rules imposed on it.

Marks: Agree, and this is achieved by acting as a partner in and to the business, helping them succeed rather than policing them.

DeLoach: The CRO should have open and free access to the board (or a board subcommittee).

Marks: Yes, but this should be seen as required only in an emergency. If the CRO cannot work constructively with management, he is failing.

DeLoach: If there isn’t a CRO (or equivalent executive) and/or an independent risk management function, executive management and the board of directors may want to inquire why, in the context of the nature of the entity’s risks inherent in its operations.

Marks: Sorry, Jim, but that’s the wrong question. Let’s get the board to ask the CEO whether and how he has confidence that the right risks are being taken and that decisions across the extended enterprise are intelligent and informed. Further, ask whether the reporting of performance against strategies and objectives includes the likelihood of their success and what might happen to limit or extend success. The CRO doesn’t have to be totally independent to be effective!

Please contrast this article and comments with my other blog on From Risk Management to Risk Leadership.

I welcome your comments.

Internal audit and ERM accused of failing to hit the mark

July 15, 2017

The consulting firm CEB (now part of Gartner) published a piece in 2014, Executive Guidance: Reducing Risk Management’s Organizational Drag.

It has been used recently to support an argument by a critic that both internal audit and ERM are failing. This was said in the last few weeks on Twitter:

  • “CEB survey focuses on some key failings of traditional internal audit and ERM.”
  • “CEB survey report does a good job describing problems with IA/ERM but not as good with its prescription to fix the problem.”
  • “CEB/Gartner report puts the spotlight on assurance silo overload.”

Leaving aside the fact that it is a 2014 product based on 2012 and 2014 analysis (and therefore should not have been used to discuss the current situation), how good is the CEB piece and what does it say about (a) internal audit, and (b) risk management? How accurate and relevant are its observations today?

Unfortunately, the critic mistakenly conflates internal audit and risk management. Both have their challenges, but they are different – different challenges for different organizations.

One is part of management and the other is independent.

Lumping them together confuses and distracts from addressing their individual challenges.

The CEB piece gets off to an awful start with this sentence:

In the present day, when those types of risks [financial and hazard risks such as the effects of a typhoon] can be transferred through hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that assurance functions and business leaders must identify and manage themselves.

First, practitioners know that you cannot really “transfer” a risk. That is dated thinking (sorry, insurers). Instead, you are sharing it more often than not. For example, there is always a possibility that the insurance claim will be denied, the insurer will fail, or not all the effects will be fully compensated.

Secondly, assurance providers do not “identify and manage” risks – that is the responsibility of operating and executive management with oversight from the board.

CEB recovers somewhat when they talk about how the increasingly extended enterprise and the growing volume of data captured by any enterprise have changed at least part of the risk landscape.

But then they start to categorize risks, saying:

With shareholder value as the barometer, the most potentially damaging types of business risks are the strategic ones, such as competitive incursions or declining demand for a core product. CEB’s analysis of significant market capitalization declines in the past decade shows that 86% of them were caused by risks that were strategic in nature—with operational risks as a distant second place.

Risk is the effect of uncertainty on objectives. That means that to properly assess any source of risk you have to consider how it could affect the achievement of specific objectives.

So, the only risks that rate as “high” would be those with a significant potential effect on the achievement of objectives.

Operational miscues can have a dramatic effect on objectives, leading to customer dissatisfaction and loss, product failure, and so on. Just think of Deepwater Horizon.

Compliance failures can similarly impact objectives when they are so severe that operations are constrained or even closed. Consider the Novartis problem in Japan.

CEB’s analysis by categorization is fallacious and misleads more than it helps.

If you say that strategic risks are those that might have a significant effect on objectives, which can include operational and compliance risks, then it is only to be expected that these are the ones that result in failures to execute and deliver on strategies.

Then there is the paragraph that has drawn the attention of the critic:

At most companies, however, assurance departments with the formal responsibility of identifying (and sometimes managing) risks—such as with Internal Audit in the following graphic—consider strategic risks to be out of their scope and instead see them as business owners’ responsibility.

This is simply a misreading of the situation.

While it is true, based on other surveys and my own observations (the CEB offers no evidence for its observation), that many internal audit functions do not include all significant risks to enterprise objectives in their audit plans, it is not because they consider them “out of scope”.

All risks are potentially auditable. CEB gets that 100% wrong.

Further, all risks are business owners’ responsibility, so the statement about strategic risks being business owners’ responsibility carries no weight.

IMHO, it’s true that many internal audit functions don’t include all significant sources of risk to strategies and objectives in the audit plan. But the reasons lie elsewhere.

It may be because:

  • They don’t have the resources or ability to address them and are unwilling to ask for those resources.
  • They simply didn’t think of them.
  • The audit committee doesn’t support their auditing these issues.

That’s all that is said by CEB about internal audit. The rest is about risk management.

The following CEB assertion may be true (again, no evidence is offered but I believe it to be often true):

Operational executives know risk and strategy go hand in hand, but they struggle to address them together. Similar to how enterprise risk management (ERM) efforts rarely link cohesively into corporate strategy, typical strategic planning processes run by line executives do not do enough to incorporate and address risks.

I entirely agree with these excerpts:

  • Too much focus on risk versus reward can encourage “risk aversion,” resulting in lost growth opportunities.
  • The risk prevention activities (i.e., eliminating any chance of risk) that are appropriate for other kinds of risks can lead to avoidance or aversion of strategic risks that companies would be better off taking. When companies overemphasize the risk (not reward) of strategic decisions such as developing new products, entering new markets, or selecting merger and acquisition targets, they can inadvertently foster indecision or inaction among executives and frontline staff by making them too cautious.
  • Leading companies view every decision they make as a risk decision; they explicitly link risk to overall corporate strategy and deliberately choose their risks with great calculation.
  • In short, leading companies win because they empower their employees to take and manage risks, not because they do a better job preventing them.
  • Incorporating multiple perspectives on both risk and opportunity removes biases in the planning process and improves confidence in strategic decisions.
  • Scenario planning is a common approach that incorporates strategy and risk. Leading companies are increasingly conducting scenario analyses on hypothetical strategies to identify potential outcomes, associated risks, and alignment with corporate risk thresholds.
  • Embedding risk in strategic planning, and vice versa, is most effective during planning months and for a short time afterward. But during the rest of the year, risk-comfortable executives who lack clear understanding and guidance on what is, and what is not, an acceptable level of risk will expose the company to greater risks through their day-to-day decisions.
  • From our experience, leading companies that ensure a risk-based context for strategic decisions improve decision quality by as much as 42%, and companies that effectively reduce risk aversion can accelerate executive action by 34%.
  • Companies’ greatest risks are their people. Instead of focusing disproportionately on risk processes, leading management teams and assurance groups anticipate and manage the root cause of most risks: human behavior and judgment.

So overall, the CEB has some good stuff. I really like much of their language, especially in the points above about risk aversion and indecision. There is more in their document that has merit, especially about human bias and how it affects judgement and risk-taking.

But does it capture all or even the more significant problems with either internal audit or ERM practices? Does it offer the right solutions?

I am not persuaded that it does on either count.

I am not going to conflate the two separate activities. Let’s take them one by one, starting with internal auditing.

First, I have to say that while there has been significant progress in internal audit practices over the last several years, problems remain. As I have written before, the majority of board members and executives report that they do not believe internal audit addresses the risks that matter to them, the more significant risks to enterprise objectives.

This is critical!

In addition, many internal audit functions:

  • Only update their audit plans annually. They should instead, as recommended by Richard Chambers and me, be updated continuously – at the speed of risk.
  • Do not provide assurance on the management of risks to objectives. Instead, they assess and rate controls without indicating which objectives might be affected and by how much.
  • Do not provide actionable information, helping leaders know not only what might be wrong but whether strategies and even objectives might need to be changed.
  • Limit the insight they provide to what is written in the audit report. It’s so much better to have a conversation.
  • Make it difficult for leaders to find the nuggets of valuable information in their audit communications by burying them in a mountain of trivia in their audit report. Auditors need to communicate what leaders need to know, not what they themselves want to say, and do it clearly, concisely, and promptly. Leaders need actionable information now.

If CAEs and their teams focus on these six points, they are on the way to success.

Turning next to risk management, the CEB identifies some important points.

But there is a huge disconnect between practitioners and leaders at many if not most organizations.

Here are some of the problems, all of which I have written about before. Too many risk management functions:

  • Focus on the possibility of failure instead of how to succeed.
  • Think that the periodic review of a list of risks is risk management. It is not. It is enterprise list management (DeLoach). Risk needs to be managed continuously.
  • Focus on risks out of context instead of the possibility and degree that an enterprise objective might or might not be achieved.
  • Do not set as a goal helping decision-makers make the informed and intelligent decisions necessary for success.
  • Apply their discipline only to the possibility and magnitude of potential bad things, not to both good and bad.
  • Fail to recognize that an event or situation can have multiple effects, some of which are good and some not so much.
  • Talk in their own technobabble (i.e., risk) instead of the language of the business. It is better by far to talk about what might happen and is that ok.
  • Do not understand that risk is taken or modified with every decision. Relying on a corporate-level risk appetite statement doesn’t guide every decision and taking of risk.

There is more, but if risk managers address these eight points, they should be on the way to success.

I discuss both issues, internal audit and risk management effectiveness, in separate books: Auditing that Matters and World-Class Risk Management. There is more to be said and done on this topic, and I hope both practitioners and their critics will see value in reading them.

What would you add?

I welcome your comments and perspectives.

What does your risk management activity seek to achieve?

July 8, 2017

From time to time, I am asked to help an organization take its risk management to the “next level”.

I strongly believe that, as ISO 31000:2009 says in one of its principles, risk management needs to be customized to meet the needs of the organization (and changed iteratively as the business and its needs change).

An organization that is relatively constant in its business and doesn’t face rapidly changing, even turbulent, risks doesn’t need the same design, structure, tools, and staffing for risk management as a trading company.

An organization where decision-making is centralized doesn’t need the same risk management activity as one that is highly decentralized.

It is essential to understand what the organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.

That is why I like a feature in Enterprise Risk (the official magazine of the Institute of Risk Management) where Iain Wright was interviewed. In Living on the Ceiling, Iain describes how he defined a vision for his risk management function at Old Mutual Wealth.

First, it needed to provide the business with consistent insight and challenge. Second, to effectively advise and support the business and strategic decision-making. Third, to give assurance that customer and shareholder interests are protected. Finally, to build trust with internal and external stakeholders through consistent delivery and high performance.

It is simply stated, meaningful, and sets the bar high.

If achieved, Iain’s team should be seen by the board and top management as having great value, helping them make informed and intelligent decisions that drive the successful achievement of objectives.

Before you can determine whether your risk management activity is effective, you have to know what the organization needs from it. Then you set objectives and strategies to achieve them before executing on them, monitoring performance, and adjusting as needed.

It’s just like managing any other part of the business or the organization as a whole.

Is it clear what risk management needs to deliver at your organization for it to be successful?

I still like the question Deloitte asked of board members and executives: does risk management help you set and then execute your business strategies?

I welcome your comments.

What do audit committees think about risk and audit?

June 29, 2017

I am encouraged by the latest KPMG report, their 2017 Global Audit Committee Pulse Survey.

I am encouraged because KPMG appears to be asking the right questions and getting intelligent answers.

Here are some interesting excerpts, with emphasis added:

  • …nearly 4 in 10 said the [audit] committee’s effectiveness would be most improved by having a “better understanding of the business and key risks”
  • The effectiveness of risk management programs generally, as well as legal/regulatory compliance, cyber security risk, and the company’s controls around risks, topped the list of issues that survey participants view as posing the greatest challenges to their companies. It’s hardly surprising that risk is top of mind for audit committees— and very likely, the full board—given the volatility, uncertainty, and rapid pace of change in the business and risk environment. More than 40 percent of audit committee members think their risk management program and processes “require substantial work,” and a similar percentage say that it is increasingly difficult to oversee those major risks.
  • Internal audit can maximize its value to the organization by focusing on key areas of risk and the adequacy of the company’s risk management processes generally. The survey results show that audit committees are looking to internal audit to focus on the critical risks to the business, including key operational risks (e.g., cyber security and technology risks) and related controls—and not just compliance and financial reporting risks. They also want the audit plan to be flexible and adjust to changing business and risk conditions.
  • Tone at the top, culture, and short-termism are major challenges—and may need more attention. A significant number of audit committee members—roughly one in four—ranked tone at the top and culture as a top challenge, and nearly one in five cited short-term pressures and aligning the company’s short- and long-term priorities as a top challenge. Meanwhile, nearly the same percentage of audit committee members said they are not satisfied that their committee agenda is properly focused on those issues.

Whether you are on a board, an executive, a risk or internal audit practitioner, each of these areas merits attention.

Does this survey reflect the situation at your organization? If so, what is being done about it?

I welcome your views.

The future of risk management

June 24, 2017

The Institute of Risk Management has a great feature where they have asked people around the world, including a number of luminaries, about the future of risk management.

I was honored to be asked to contribute a video, which you can find on their web page, Risk Agenda 2025: Hear from the experts.

It is intentionally provocative and I hope it will provoke you to join the debate.