This article discusses linking risk management to results and what makes sense in terms of effective risk management planning.
COSO ERM 2004 defined enterprise risk management as:
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Taking out the middle part, you get:
Enterprise risk management is a process … designed to … provide reasonable assurance regarding the achievement of entity objectives.
This is mistaken and I am glad that the exposure draft of COSO ERM 2017 has removed this assertion. It redefines enterprise risk management as:
The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.
The draft also says:
Integrating enterprise risk management throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations. It helps to enhance performance by more closely linking strategy and business objectives to both risk and opportunity. The diligence required to integrate enterprise risk management provides an entity with a clear path to creating, preserving, and realizing value.
The ISO 31000:2009 global risk management standard has a set of principles (IMHO, better than those in the draft of COSO ERM 2017). The first three are:
1: Risk management creates and protects value.
2: Risk management is an integral part of all organizational processes.
3: Risk management is part of decision making.
How does risk management create and protect value?
- By improving the quality of decisions by making them ‘risk-aware’, ensuring that decision-makers consider all the potential consequences of their decisions
- By helping to identify what might go wrong so it can be addressed if unacceptable
- By helping to identify opportunities for things to go better than planned so they can be evaluated and pursued if justified
Some have decided that you can measure the effectiveness of risk management by examining the success of the organization.
If it were true that risk management provided reasonable assurance that objectives would be achieved (i.e., if COSO ERM 2004 were correct), then fine.
But risk management only provides reasonable assurance that decisions can be made on reliable information about what might happen. It provides reasonable assurance that risks to the achievement of objectives are at desired levels.
It doesn’t provide reasonable assurance that those things will actually happen. It will only help you assess that the likelihood of a particular benefit or harm is x%.
History has proven time and again that companies that take more risk than stakeholders might desire can be highly successful, even for an extended period. At the same time, organizations that have gone to great lengths to understand, analyze, and treat their risks have still failed. Just think of NASA and its few disasters.
Every organization is at the mercy of factors beyond its control, such as the weather, the economy, the health of its customers, the vagaries of regulators, and so on. A quality risk management program may make you aware of potential events and situations that might arise and cause you grief, but it won’t keep them at bay.
So does it make sense to evaluate the effectiveness of risk management by looking at the frequency of safety incidents or compliance failures, or the gross margin achieved?
It does make sense to analyze why failures occur and whether the root causes should have been, but were not, foreseen.
The value created by effective risk management is the confidence of the board and decision-makers in the information they use to make decisions.
Do you agree?
I welcome your thoughts.