From time to time, I am asked to help an organization take its risk management activity to the “next level”.
I strongly believe that, as ISO 31000:2009 says in one of its principles, risk management needs to be customized to meet the needs of the organization (and changed iteratively as the business and its needs change).
An organization that is relatively constant in its business and doesn’t face rapidly changing, even turbulent, risks doesn’t need the same design, structure, tools, and staffing for risk management as a trading company.
An organization where decision-making is centralized doesn’t need the same risk management activity as one that is highly decentralized.
It is essential to understand what the organization needs and how critical the management of risk is before settling on a design, let alone trying to implement or upgrade risk management.
That is why I like a feature in Enterprise Risk (the official magazine of the Institute of Risk Management) where Iain Wright was interviewed. In Living on the Ceiling, Iain describes how he defined a vision for his risk management function at Old Mutual Wealth.
First, it needed to provide the business with consistent insight and challenge. Second, effectively advise and support the business and strategic decision making. Third, give assurance that customer and shareholder interests are protected. Finally, build trust with internal and external stakeholders through consistent delivery and high performance.
It is simply stated, meaningful, and sets the bar high.
If achieved, Iain’s team should be seen by the board and top management as having great value, helping them make informed and intelligent decisions that drive the successful achievement of objectives.
Before you can determine whether your risk management activity is effective, you have to know what the organization needs from it. Then you set objectives and strategies to achieve them before executing on them, monitoring performance, and adjusting as needed.“
It’s just like managing any other part of the business or the organization as a whole.
Is it clear what risk management needs to deliver at your organization for it to be successful?
I still like the question Deloitte asked of board members and executives: does risk management help you set and then execute your business strategies?
I welcome your comments.