I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives.
It’s about being successful.
Success is measured through the achievement of specified objectives.
We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our objectives.
The “what might happen” is risk, but the focus should not be on managing them individually but on being successful – taking the right level of the right risks.
The CRO (or equivalent) should be concerned with helping leadership run the organization and achieve its objectives, rather than helping them manage a list of risks.
Let me explain what I mean with a hypothetical story.
The executive team has come to the point in their monthly meeting where they review the report of the Chief Risk Officer.
The CEO invites the CRO to join them.
CRO: “Here is my monthly risk report. As you can see, every risk, whether strategic, operational, technology, or other, remains within our defined risk appetite. While the level of a few individual risk areas has increased, they have not escalated to merit a ‘high’ risk rating. We are continuing to monitor them.”
CEO: “Thank you. Do any of you have any comments or questions?”
CIO: “Yes, I do. I see that you are reporting that cyber risk has increased, although it remains at a yellow rating, which I believe indicates that it needs to be monitored but no additional actions are required. Can you tell me why you see the risk level increasing?”
CRO: “Certainly. The Chief Information Officer’s assessment is that opening our new office in Poland increases the risk level. It’s not only that we now have additional network points that may be vulnerable, but as I understand it crime groups from the region may choose us as a target.”
CIO: “Thank you. The CISO had discussed that with me and we had come to that same conclusion. But you also show IT systems risk as increasing. Is that because we are adapting our systems so they can support additional languages such as Polish and currencies such as the zloty?”
CRO: “That is correct. I think that is what you and I agreed last week.”
CIO: “It is.”
He is interrupted just as he was about to ask another question.
COO: “You show supply chain risk as increasing. I agree with that assessment. Is it because there may be disruption in our supply of products to the new market in Poland?”
CRO: “That is correct. The VP of Supply and Logistics is concerned about transportation during winter as well as the possibility of rail strikes.”
EVP Sales: “You know, I am also concerned about Poland. You show revenue-related risks, including credit risk, as within tolerance. But I only see the likelihood of hitting our first year targets for Poland as 85%. I don’t that’s as OK as your report indicates.”
CRO: “But when we met, you said that the overall risk to revenue was not high yet and the CFO said the same about credit risk.”
CEO: “Am I missing something here? It sounds like your risk report tells us about enterprise-level risk in a number of categories, but doesn’t help us with specific programs and projects. Is that right?
CRO: “Well I am following the global risk framework and what our consultants told us when we set the program up. This is their recommended report format, with a heat map on the second page. I would be happy to give you a separate report on Poland-related risks.”
The CEO is clearly disturbed and asks the CRO to step out. He then continues.
CEO: “Clearly the Poland project is increasing our risk in a number of areas. Do we need to have the CRO run a separate report or should we talk about it now, without him?”
COO: “Poland is my project. I would like everybody involved to stay after the meeting. Let’s talk about whether the prospects for Poland justify taking these risks. If we are going to potentially miss our revenue targets and, at the same time, increase risks around credit, cyber, and so on, perhaps we should reconsider.”
CEO: “Good idea. But I want to be part of this discussion as we have made this a key part of our strategy, with Poland being just the first step into Eastern Europe, in our discussions with the analysts and investors. In fact, it is possible that after considering what we now know we may want to delay or move into Croatia first. Let’s finish the rest of the agenda and then continue. Can everybody stay a little longer?”
The meeting continues without the CRO.
My point: it’s not about managing risks, even at the enterprise level.
It’s about managing the organization to deliver success: making informed decisions.
The most effective risk management involves quality risk-informed decisions when the CRO is not present.
How would you advise the executive team? What would you suggest to the CRO?
I welcome your comments and observations.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- The future of internal auditing - December 20, 2021
- Do you hire people who can think? - November 17, 2021
- How effective are your systems of governance, risk, and control/compliance (GRC)? - October 19, 2021