In this commentary on a recent article by Doug Anderson, an advisor on behalf of the IIA on the COSO ERM update project, examples are provided on getting risk management right.
I have to congratulate my good friend, Doug Anderson, for an excellent article in the latest edition of the IIA’s magazine.
While the title calls out the COSO ERM Framework update, the main part of his article is a useful discussion about what risk management is all about.
Here are some key excerpts (with my highlights), each followed by my comments.
The problem is ERM is not a program. In fact, it is not a department nor a process, either. ERM — or more generically “risk management” — is an integral component of decision-making. It is a set of skills, approaches, competencies, tools, culture, and more that do not stand alone, but are part of all that an organization does.
Comment: This is critical. What I especially like is what he has to say about decision-making. Whether it is deciding which strategy to adopt, which plans and projects to pursue, or the day-to-day decisions on pricing, hiring, or purchasing, decision-making is where risk is taken.
Doug provided an example.
Acme Co. is implementing a new software package to support its core processes such as accounting, logistics, and customer management. As part of its planning, Acme lays out all the steps in the implementation process and then considers what may not go as planned. Some things could go wrong; some could go better than expected. Identifying these possibilities, assessing their importance to the project, taking preparatory actions, and watching how the project progresses are part of how Acme manages its software implementation. This is all done using various monitoring and reporting tools, within the culture of how Acme operates. Acme uses the fundamental aspects of good risk management, even though it may not recognize them as such.
This is 100% consistent with my message, that risk management is all about understanding what might happen, considering whether that is desirable or acceptable, and then taking appropriate action.
As he says, people have been managing risk all their lives. The value of ‘risk management’ is in providing necessary discipline and process.
Doug continues with some excellent points.
Risk Is Not the Focus. The approach to risk management should not focus on the risks in isolation. The focus should be on those events [situations, and decisions – ndm] that can affect the achievement of strategy and business objectives. When the focus is on the risks, and not the strategies and objectives, ERM becomes a program. To add value, ERM always must be about accomplishing strategies and objectives. Management does not think first about risk, but about delivering performance and what can impact that performance.
Comment: As Doug says, and Alex Sidorenko has explained in his video and posts, it’s not really about managing risks. It’s about managing the achievement of objectives. In fact, calling it risk management actually inhibits its effective practice.
Risk Is Not an Evil to Be Eliminated. Every organization takes risks because the world is not perfectly predictable. Every time an organization takes an action, it takes the risk that its expectations are not correct. Sometimes the events that occur have a positive impact, and sometimes they are negative. [Sometimes, they have multiple effects! – ndm] Risk is a fundamental part of every organization, but it needs to be managed.
Risk Management Is More a Skill and Mindset Than a Process. When risk management turns into a department, team, or process, it can easily become something separate from management decision-making. Doing risk management right improves decision-making.
Comment: Actually, effective decision-making is the goal and it requires the consideration of risk. If we focus our attention on ensuring informed and intelligent decision-making, we will not only have effective risk management but a more effective organization.
When he moves on to discuss the role of internal audit he says a few things with which I agree.
As internal audit strives to create and protect value for organizations, understanding the principles of risk management better and incorporating them into the practice of internal auditing can pay large dividends.
…auditors can do themselves a favor if they talk less about the adequacy of internal controls and talk more about risk, managing risk, and reducing risk where advised. Management thinks of the world through the perspective of setting out objectives and accomplishing them — all with the goal of delivering performance. The more internal auditors talk about those objectives and the events that can impact delivering performance, the more management would understand how internal audit delivers value. Auditors are not here to be naysayers or add bureaucracy with more controls. They are here to help management deliver on its objectives. This requires auditors to think and talk in terms of risk [to specified objectives – ndm], potential impact, and response.
…internal auditors should not focus blindly on always trying to reduce risk. Risk responses should be designed to improve performance. This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance. When internal auditors’ orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.
Doug was an advisor, on behalf of the IIA, on the COSO ERM update project. I wish he had been the author. For my assessment of the ERM update, see this post.
I welcome your comments.