• First Reference
  • About us
  • Contact us
  • Blog Signup 📨

First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies
You are here: Home / Business / Six principles for effective risk management

By Norman D. Marks, CPA, CRMA | 2 Minutes Read September 20, 2017

Six principles for effective risk management

This post outlines six main principles of effective risk management and goes further to define risk management and its role in achieving objectives.
effective risk managementIn World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six. (Later in the book, I discuss a possible risk management maturity model as well as what it takes to go beyond simply effective to deliver world-class value.)

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

I believe it is useful to assess your risk management activity against these principles.
As my friend Alex Sidorenko says in a recent video (which I recommend), risk management is not about managing risks: it’s about enabling informed decisions.
Informed and intelligent decisions are how we achieve objectives. Those decisions need to consider what might happen (harms, opportunities, and combinations of the two) as we strive to succeed.
With that in mind, I suggest a different definition of risk management in the book:

The effective management of risk enables risk-aware decision-making, from decisions about the direction of the organization, to its core strategies, to the decisions made every day across the extended enterprise.
The processes and related policies, structures, and systems for identifying, analyzing, evaluating, and responding to risks are established by management with oversight by the board to ensure that the effects of uncertainty (both positive and negative) on the achievement of objectives are understood and managed to support the realization of the organization’s mission and commitment to stakeholders.

My understanding is that COSO will publish its update of the ERM Framework very soon. It will be interesting to see the principles they have come up with and how they compare with mine.
In the meantime, I welcome your thoughts on the above – and any other comments you may have on this best-selling book.

  • About
  • Latest Posts
Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
  • Twitter and risk - January 18, 2023
  • When the board insists on a list of the top risks - December 9, 2022
  • The greatest risk and the greatest asset - November 25, 2022

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology, Privacy / achieving objectives, actionable information, effective risk management, ERM Framework, organization’s mission, policy and procedures, risk management, risk to objectives

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

Electronic monitoring

About Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Footer

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

First Reference Talks

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies

Main Menu

  • About First Reference
  • Resources
  • Contact us
  • 1 800 750 8175

Stay Connected

  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

We welcome your comments on our blog articles. However, we do not respond to specific legal questions in this space.
We do not provide any form of legal advice or legal opinion. Please consult a lawyer in your jurisdiction or try one of our products.


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved
Legal and Copyright Notices · Publisher's Disclaimer · Privacy Policy · Accessibility Policy