First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

You are here: Home / Business / The current state of risk oversight: Useful or useless?

By | 2 Minutes Read

The current state of risk oversight: Useful or useless?

risk“When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?”
For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.
In February, they published the 8th edition of their report.
I have covered their reports in the past, highlighting:

  • According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
  • They don’t provide detail on what they consider constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
  • It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.

There is some useful information in the report.
But does it add value to continue to focus on practices that don’t work?
All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.
Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”
When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?
When you think that risk management needs to be “integrated” with strategic planning instead of acknowledging that strategic planning already includes the consideration of what might happen and what we should do about it, I think you are wrong.
Effective strategic planning is not a separate activity from strategic risk management!
So, is this report useful or useless?
Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?
Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?
Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.
We need practices that will:

  • Inform and enable more intelligent decisions
  • Increase the likelihood and extent of success

Right or wrong?
I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Latest posts by Norman D. Marks, CPA, CRMA (see all)

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

About Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Footer

About us

Established in 1995, First Reference Inc. (known as La Référence in Quebec) provides Canadian organizations of any size with practical and authoritative resources to help ensure compliance.

Main Menu

Stay Connected