
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 2 Minutes Read May 24, 2017

The current state of risk oversight: Useful or useless?

“When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?”
For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.
In February, they published the 8th edition of their report.
I have covered their reports in the past, highlighting:

  • According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
  • They don’t provide detail on what they consider to constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
  • It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.

There is some useful information in the report.
But does it add value to continue to focus on practices that don’t work?
All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.
Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”
When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?
When you think that risk management needs to be “integrated” with strategic planning instead of acknowledging that strategic planning already includes the consideration of what might happen and what we should do about it, I think you are wrong.
Effective strategic planning is not a separate activity from strategic risk management!
So, is this report useful or useless?
Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?
Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?
Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.
We need practices that will:

  • Inform and enable more intelligent decisions
  • Increase the likelihood and extent of success

Right or wrong?
I welcome your thoughts.


Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.


Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology, Privacy / Enterprise Risk Management Initiative, risk, risk management, risk management processes, risk oversight, risk register, strategic planning, strategic risk management
