In this piece, the debate between whether it is about managing risk or achieving objectives continues.
It seems to be Protiviti week! On my IIA blog, I am covering a piece by Jim DeLoach and Brian Christensen on internal audit. Here, I want to talk about another DeLoach piece, Transitioning Risk Management to the Digital Age.
Jim’s lead-in is excellent:
The risk management methodologies in play for most companies today were developed before the turn of the century. In effect, risk management is often an analog approach being applied in what is now a digital world. More importantly, if enterprise risk management (ERM) is a standalone process, it is suboptimal. More needs to be done to elevate risk management to help organizations face the dynamic realities of the 21st century and truly leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power, and advanced analytics to embed deeper and more insightful risk information in strategy-setting, performance management and decision-making processes.
He continues with another excellent observation:
The business environment features rapid advances in and applications of digital technologies and rapidly changing business models. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.
But then he says something with which I strongly disagree.
To impact decision making, there are three questions risk reporting must address:
- Am I riskier today than yesterday?
- Am I going into a riskier time?
- What are the underlying causes?
Jim, it’s not about risk.
It’s about achieving objectives.
Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.
COSO ERM 2004 got it right when it said that risk management is “Geared to achievement of objectives in one or more separate but overlapping categories”.
Jim, IMHO the board should be asking these questions:
- How likely are we to achieve our objectives?
- If the likelihood is less than acceptable, why? What can we do about it?
- If there is a possibility of exceeding our objective, what can and should we do?
- What assurance do we have that management is taking the right risks, making intelligent and informed decisions?
- Are there any risks that we should be concerned about, that merit our attention and possibly our action?
I don’t want the board to focus on risks in one meeting and then talk about performance and results in another.
They are or at least should be intertwined.
What do you think?
I welcome your comments.