A number of people have asked me about the future of risk management.
I can tell you that I am seeing progress!
You won’t necessarily see this in surveys, for example those of the ERM Institute, which show no improvement, even possible degradation, in the maturity of risk management programs.
But I am seeing it in a couple of areas:
- Practitioners who, based on their comments to my blogs, have not only embraced the need for change, but are on that journey. They are moving (or have moved) from the periodic review of a list of risks to a form of risk management that is more continuous, enables effective decision-making, and is focused on helping the organization succeed. This is what I talk about in Risk Management for Success.
- Software vendors are starting to see the light as well. Some have been in touch with me to tell me how they are moving their products in the direction indicated in my book. They are emphasizing the need to be objective-focused and help organizations understand the likelihood of achieving those objectives.
The latter is reinforced by my good friend Michael Rasmussen in his post from early November: Rethinking Risk Management RFP Requirements.
Here are some excerpts with my comments.
- Organizations need to get beyond the marketing hype of buzzwords and misleading analyst rankings to really understand if the technology can deliver on the requirements of their risk management maturity journey.
I agree, but let’s also agree that a ‘risk management maturity journey’ is not about identifying and reviewing a list of risks every so often.
- This involves a clear understanding of where you are now with risk management and where you want to be.
Yes, find a solution that meets your needs for now and also for your future. It’s less about ‘risk management’ needs and more about the need for insight and information to fuel effective decisions.
- There are basic risk management solutions that do ease the pain of human capital efficiency (e.g., time) in not having to manage documents, spreadsheets, and emails. But these are basic and typically aimed at a tick-box exercise for risk management that is more of a qualitative compliance exercise and not true risk management. Mature and valuable risk management is more than forms, surveys, workflow, and tasks and requires risk quantification, modeling, analytics, and reporting that is aligned with business objectives and in the context of business objectives. It requires seeing the complex interrelationships and interdependencies of risk.
The key here is that it is all about ensuring people have the information they need about what might happen to make the informed and intelligent decisions necessary for success.
- ISO 31000 states that ‘risk is the effect of uncertainty on OBJECTIVES.’ So good risk management STARTS with performance and objective management. These can be entity-level, division, department, process, project, or even asset-level objectives. Risk needs to be understood in the context of objectives.
Yes, although it would be interesting and beneficial to turn that on its head.
Objectives need to be understood in the context of risk (which includes opportunities).
- Risks cannot be understood and managed in isolation.
Yet, everybody does that over and over again.
- RISK VISUALIZATION IS MUCH MORE THAN HEATMAPS!!!
1000% correct.
My question is this:
Are you evaluating software based on how it will help people get the information they need for informed and intelligent decisions, or are you limiting your sights to what is needed for compliance purposes?
I welcome your thoughts.