I have been talking (and writing) for a long time about the sad reality that leaders of organizations around the world see risk management as something they have to do rather than want to do.
Surveys say that:
- Around 80% see risk management as a compliance activity.
- According to Deloitte, only 13% see it as making a significant difference in setting the right strategies and objectives and then executing against them.
- Only a very small number of board members and executives are willing to dedicate the time and resources necessary to bring risk management up to what people (such as the ERM Initiative at North Carolina State University) believe is fully mature. Just 3% told the ERM Initiative that their risk management program is “robust” – and the level of effectiveness is decreasing over time, not improving.
- Only 3% told the ERM Initiative that risk management has “strategic value”.
How do we turn that around?
How can we make risk management into something that leaders want to do?
How can we help them see it as something that helps them succeed: what I call success management?
We need them to see it as something that helps them lead the organization to success: the achievement of objectives.
It needs to help them individually as well as the organization as a whole.
If they don’t see it as adding value, why should they do more than the minimum required to satisfy their compliance obligations?
Why should they spend time away from ‘making money’ for the organization to discuss a list of things that might be a problem?
How do we do that? How do we make them believe risk management is worth the investment of their time and resources?
We need to upgrade or transform risk management into something that helps them make the informed and intelligent decisions that lead to their taking the risks (and opportunities) necessary to achieve objectives.
It is not enough to avoid risk – that leads to being risk averse and passing up opportunities for success.
I am far from the only person to talk about the need for risk management to:
- Help set the best strategies and objectives for success. Some call this the integration of risk and strategy-setting.
- Enable effective decision-making.
- Help both create and protect value.
For example, COSO ERM 2017 says:
An organization needs to identify [the] challenges that lie ahead and adapt to meet those challenges. It must engage in decision-making with an awareness of both the opportunities for creating value and the risks that challenge the organization in creating value.
The ISO 31000:2009 global risk management standard (which I prefer to the updated version) has these principles:
- Creates and protects value
- An integral part of organizational processes
- Part of decision-making
- Dynamic, iterative, responsive to change
- Tailored
People talk about the need.
It is time to talk about the how.
Until now I have published three books on risk management:
- World-Class Risk Management [1] (2015)
- Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking (2018)
- Making Business Sense of Technology Risk (2019)
World-Class Risk Management has been very well received and I am grateful for the compliments people have shared. It remains my go-to book, explaining not only the primary frameworks and standards but also why there is so much more to risk management than the periodic review of a list of risks.
Risk Management in Plain English was targeted at executives and board members. It explains, more concisely, that we are better off if we can find a way to talk about managing what might happen for success, instead of using the four-letter word ‘risk’, which automatically makes people think it is just about avoiding failure.
I am proud of the further thought leadership (in my humble opinion) in Making Business Sense of Technology Risk. The book explains that most top executives and boards don’t understand technology-related risks and cyber risk in particular – because it is not explained in terms of the impact on the business. Therefore, there is a chasm between those responsible for cyber and those holding the purse strings.
The book talks about how to bridge that divide. In the process it expands on the thinking in the two earlier books and addresses, in more detail, the need to consider the potential effect of an event or situation as a range rather than a point. It also examines the primary frameworks for assessing cyber risk and explains why they don’t meet the needs of business leaders. It suggests a better way, based on assessing the likelihood of achieving objectives.
Unfortunately, Making Business Sense of Technology Risk has not been picked up as often as my other books. It may be because it is seen as limited to technology risk specialists. In fact, it is for all practitioners, not just those who specialize in technology. After all, technology is a major source of both business risk and opportunity.
I continue to recommend it highly.
But now I have a new addition to my (and I hope your) bookshelf!
Risk Management for Success takes everything to the next level, building on (rather than replacing) what I have shared in the three previous books.
It explains how risk management should be about understanding and addressing what might happen.
It talks about how this relates to the Purpose or Mission of the organization and helps set the best strategies and objectives for achieving them.
In the process, it details how many organizations have failed to do that well, especially when they don’t cascade those objectives down and across the organization so everybody is working towards the same enterprise goals.
Then it addresses how risk management is an integral part of decision-making. It talks about the attributes of effective decision-making and how and why it so often fails.
One area the book covers that seldom seems to be addressed elsewhere is the level of confidence those performing a risk or opportunity assessment have in their own assessment. I believe this is important information that should be considered when using assessments in business decision-making.
A major part of the book is a discussion of how to assess the effectiveness of risk management. It includes a detailed maturity model that addresses points from strategy and objective-setting through decision-making to risk oversight and more. I have also provided two forms for surveying management to get their views of the value and effectiveness of risk management.
Rather than list the other topics in the book, here is the Table of Contents:
Contents
- We have a problem
- Chapter 1: Introduction
  - Who is this book for?
  - Why this book?
  - What is risk management?
  - Risk management is constantly moving
  - Risk management for success
  - Your definition of risk management
  - Language
  - Perfect risk management
- Chapter 2: Strategies and objectives
  - The Mission or Purpose statement
  - Strategic plans
  - Objectives, strategies, plans, projects, and goals
  - Risks to objectives
  - Success is a team effort
  - The likelihood of achieving objectives
  - Risk, opportunities, and objectives
  - Comparable
  - Aggregate
  - Reporting to management and the board
  - Agile, dynamic and flexible
  - Lower level objectives and their management
- Chapter 3: Informed and Intelligent Decisions
- Chapter 4: Understanding and assessing what might happen
  - What to assess
  - How to assess: the goal
  - How to assess: the methods
  - Confidence in the assessment
  - Risk assessment failures
  - Monitoring
- Chapter 5: The risk office
- Chapter 6: Risk governance
  - Is risk management effective?
  - When the board takes risk
  - Risk and the board’s agenda
- Chapter 7: Risk culture
  - Assessing risk culture
- Chapter 8: Assessing risk management
  - The value of a maturity model
  - Tailoring the model
  - Capturing the results
  - Using the model
  - The Maturity Model
  - Surveys
  - Management’s Assessment of the Risk Office
  - Management’s Assessment of the Risk Management Program
- Acknowledgments
- Additional reading
- About the Author
The book is now available on Amazon. It is only available in paperback, as the e-reader format doesn’t support the landscape-format maturity model. (Let me know if you have a problem with Amazon and want a PDF version.)
I hope you will enjoy it and look forward to hearing your thoughts.
By the way, I want to publicly thank my esteemed reviewers[2]:
Brian Barnier
Martin Davies
Jim DeLoach
Peadar Duffy
John Fraser
Brian Hagen
Hans Læssøe
Tim Leech
Grant Purdy
Alexei Sidorenko
Paul Sobel
Rick Steinberg
[1] There’s a special version of the book, World-Class Risk Management for Nonprofits, with co-author Melanie Herman, published in 2017
[2] The fact that they made an important contribution to the book does not mean that they agree with everything I say in it.