The IIA has published a new Practice Guide, Assessing the Risk Management Process. In IIA-speak, this is recommended but not mandatory guidance for its members.
A previous December 2010 Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000 is still available.
I much prefer the earlier version, especially as it talks about meeting the needs of the organization (which is critical) and how management needs to know what risks to pursue, not just avoid or mitigate, so that it can achieve its objectives. It also includes the famous “fan”, indicating which risk management roles are appropriate for internal auditors.
The new PG has some good content, including (my highlights):
- Risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.
- Benchmarking the current state of the organization’s risk management against a risk management maturity model is a good place to start this type of assessment. Benchmarking may help the internal audit activity communicate with senior management and the board about the organization’s level of risk management maturity and about aspiring to improve the process and advance in maturity.
- A mature risk management process typically demonstrates benefits, such as: enabling risk-based decision-making and strategy-setting [and] increasing the likelihood the organization will meet its strategic objectives.
- If management believes that the risk management process is a bureaucratic exercise that is not worth the resources needed to execute it, then recommending large-scale improvements may be premature and received with skepticism or rejected completely.
I also like the fact that the PG recommends identifying and considering risks to the risk management process itself, a concept I invented in World-Class Risk Management (unfortunately not referenced in the PG).
But both PGs fail to focus on whether the risk management program helps organizations achieve their objectives. They only consider the potential for harm.
In 2008, when so many financial institutions were in trouble, the UK banks decided to stop making loans. They brought their ‘risk appetite’ down to very low levels.
If their risk management program had been assessed using either of these PGs (or, frankly, any of the major frameworks, standards, or guides), it would have been rated highly.
Their level of risk was within their desired range, their risk appetite.
But what happened from a business point of view?
They had next to no revenue and cash flow was severely impacted.
It was not sustainable.
What they should have been doing (and I assume they turned to this) was taking an appropriate level of risk that gave them an acceptable likelihood of achieving their short and longer-term objectives.
To repeat what the PG correctly says: “effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value”.
In order to achieve your objectives, you have to take risks. The question is whether you are taking the right level of the right risks, with quality information about what might happen!
Avoiding failure is a recipe for failure.
So how should you assess the effectiveness of risk management?
You do it by assessing whether it meets the needs of the organization. Those needs include:
- Enabling intelligent and informed decisions, both strategic and tactical, anticipating what might happen
- Being confident that the right level of the right risks are being taken to achieve enterprise objectives, balancing the potential for both harm and reward
- Having an acceptable likelihood of achieving (or surpassing) enterprise objectives
When your executives say that the management of risk helps them set and then execute on strategies (paraphrasing a Deloitte survey and report, in which fewer than 20% said it did), then you probably have effective risk management.
There are multiple approaches to assessing the effectiveness of risk management. One is to determine whether management is in compliance with its policies and standards, whether its risk register is complete, and whether assessments are ‘correct’; this has some, but limited, value. Another approach is to see whether the principles in ISO 31000 (I prefer those in the 2009 version) are achieved; this has more value. But I like what I suggested above more: seeing whether the executives believe it is essential to their and the organization’s success.
I like the maturity model approach and included a few (all of which I prefer to the one in the 2019 PG) in my book, World Class Risk Management.
But any maturity model has to avoid a focus that is limited to identifying, assessing, and managing the potential for harm. It has to include whether both potential harms and rewards are considered (in a disciplined and reliable manner) in decision-making.
Building on the discussion in the new PG about risk to the risk management process, in an effective program the likelihood that the information provided is significantly wrong is low (at an acceptable level).
What do you think?