
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | November 30, 2016

Risk management guidance: Time for a leap change

Even though both COSO ERM and ISO 31000:2009 are evolving, moving to a greater emphasis on decision-making and on the setting and execution of strategy, the practice of managing risk continues to lag.
I have written in my blogs and spoken in person to thought leaders involved in both COSO ERM and ISO 31000 updates about the need to take a huge leap forward.
When the practice is seen as failing to contribute to success, and limited to a compliance function, something dramatic has to happen.
Nothing recent exemplifies the scale of the problem as well as A Practical Approach to Institutional Risk Management.
This paper was developed by the staff of the Education Advisory Board through over 100,000 interviews, together with insights and advice from around 120 practitioners and consultants. (I recognize a number of names in the list of advisors. This may reflect their 2012 rather than 2016 thinking, and it is possible that their advice and insight was not heard.)
So does this paper reflect existing practice?
If so, it is clear why risk management is seen as incidental at best to organizational success.
The authors are focused entirely on risk registers—a list of risks. A list of things that might go wrong.
The issues they discuss are making the list of risks manageable and being able to “treat” those risks.
You will not find a single reference to decision-making.
The only reference to decisions is the authors' observation that the consequences of decisions (the risks they create or modify) are frequently not considered.
As EY points out, using a term I love, the management of risk has to be part of the rhythm of the business.
It has to be integral to how we make decisions, every hour of the day, at all levels across the extended enterprise.
Enterprise list management (to quote Jim DeLoach) is scratching the surface. While those scratches may be sufficient to fool some into believing that risk management is in place, a periodic review of a limited list of risks is like driving down the freeway at speed and only looking at the traffic around you every 15 minutes.
COSO and ISO: it is time for a dramatic move in guidance and standards. You have to lead the way out of the pit of enterprise list management towards the goal of effective enterprise management.
Yes, enterprise management, because the management of risk is not a separate activity. You only succeed if you can anticipate (my new favorite word) what might happen as you journey towards your objectives, and make informed and intelligent decisions as you run the business.
COSO and ISO, are you listening?
Practitioners, please join me in demanding a leap forward.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management


About Occasional Contributors

In addition to our regular guest bloggers, First Reference Talks blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of human resources, employment/labour law, internal controls, information technology, not-for-profit, business, privacy, tax, finance and accounting, and accessibility in Canada among others. If you are a subject matter expert and would like to become an occasional blogger, please contact us. If you liked this post, subscribe to First Reference Talks blog to get regular updates.
