- Who takes risk?
- Who decides whether the risk should be taken?
- How do they know what the desired level of risk is?
- How do senior management and the board obtain assurance that the right risks, at the right level, are and will be taken?
These are important questions and every risk (and audit) practitioner should understand the answers.
Richard Anderson and I will be taking these on in April and May, and you are invited to join us. Details are at riskreimagined.com.
Taking the first one first: Who takes risk? The correct answer is ‘everybody’; everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.
In general, the organization’s structure and delegation of authorities dictates who should be making which decision, who should review and approve that decision, and any limitations on the ‘value’ or magnitude of that decision.
In other words, the normal approval hierarchy established in any organization typically determines who makes which decision – and therefore who takes which risk.
Some people consider risk as static, the possibility of an event or situation that could affect an objective or two. But, our world is anything but static; the environment in which we operate changes all the time, as regulators, markets, customers, vendors, and other factors change – dynamically. Our own organization also changes, as employees leave or join, get promoted, change their minds or intentions, feel differently about their or the company’s prospects, develop new products, retire old products, change pricing, and so on.
So, risks are being taken all the time in an environment that is changing all the time.
The normal approval structure will also dictate who decides whether the risk should be taken. The decision maker is the person charged with making that decision, subject to review and approval.
The decision-maker will normally weigh all the options, given the information available to him/her, and try to make an informed, intelligent decision. If there are risk-reward trade-offs, they will be considered in the decision-making process.
But how does the decision-maker know how much risk he/she should be taking? How do they know whether the risk level for the organization as a whole will now exceed the levels approved by more senior management and the board?
In fact, how do people know how their decisions will affect others, which objectives at the enterprise level might be affected, and what the desired levels of risk to those objectives are?
For example, consider a recruiter in the HR department who is vetting candidates before they are considered by the hiring manager: do they really know how their decisions on which candidates to take forward will affect the organization?
Do they realize how much value and impact an individual with additional experience will bring to the sales operation, or how a candidate’s lack of familiarity with ethical practices could increase compliance risk?
Do they understand that a major IT initiative might suffer if they delay their decision on which IT specialist candidates to consider? The risk may be to the objectives of IT and to those of the IT function’s customer – the one affected by the delay in completing the project, or even by the possibility of the project failing.
There are ways to address this that center around communication and collaboration. In the recruiting example, it is incumbent on both IT and HR to ensure the hiring urgency is understood and the value of different levels of experience and technical talent is appreciated and informs the recruiter’s decisions. Similarly, it is up to the IT customer to convey to the IT team the value of the IT project and the various risks (i.e., the effect on their and others’ objectives) should the project fail or be delayed.
Setting acceptable levels at board or top management level is not the answer; it may be part of the answer, maybe even a significant part of the answer, but every decision-maker needs to know what is desired at his/her level, and it is impractical to believe that the enterprise risk appetite statement can be translated and cascaded down in a useful and actionable way to every individual actually taking the risks.
In addition, in a dynamic world, desired levels of risk are (or at least should be) changing dynamically.
In some cases, more granular risk criteria can be defined – but, again, not for every single decision.
No, risk is taken and must be taken by individuals at all levels across the entire enterprise. If you want them to take the right risk at the right level, they must be informed and trained in the consideration of risk – and not just the risk to their personal or team objectives, but the effect on others and, eventually, how that can affect enterprise objectives.
Senior management should help by ensuring the people on their team get that decision-making training, with the help as needed of the risk officers.
How, then, do the board and senior management know that the right risks at the right levels are and will be taken? It’s not possible to be certain that they will be taken. Perfect assurance is not possible, as decision-makers are human and they will make mistakes even when all the information is available and they have taken all the required training.
Only reasonable assurance can be obtained.
A few things contribute to obtaining that reasonable assurance:
- Care and attention to the decision-making process, ensuring that decision-makers consider what might happen as an integral element in that process: what needs to go right as well as what could go wrong.
- Care and attention to the ‘risk management process/framework/whatever-you-want-to-call-it’, thinking through how desired levels of risk are defined and communicated, the appropriate review and approval process, how people are provided the information they need to make risk-informed decisions, and so on.
- The objective assessment by management (and the CRO) of that risk management process – an honest assessment of whether it provides the necessary assurance and whether it is delivering the value to the organization it should by improving the quality of decisions. I think this assessment should be shared formally with the board.
- Careful monitoring, after the fact, of actual risk levels, and determining what failed when risks exceed desired levels.
- An independent and objective assessment of the enterprise’s management of risk by the internal audit function.
This is a quick ‘essay’ on the topic, which is complex and tough to achieve in practice.
I welcome your thoughts and hope to discuss it further with you in April or May.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management