This post outlines six main principles of effective risk management and goes further to define risk management and its role in achieving objectives.
In World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six. (Later in the book, I discuss a possible risk management maturity model as well as what it takes to go beyond simply effective to deliver world-class value.)
- Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
- Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
- Risk management is dynamic, iterative and responsive to change.
- Risk management is systematic and structured.
- Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
- Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.
I believe it is useful to assess your risk management activity against these principles.
As my friend Alex Sidorenko says in a recent video (which I recommend), risk management is not about managing risks: it’s about enabling informed decisions.
Informed and intelligent decisions are how we achieve objectives. Those decisions need to consider what might happen (harms, opportunities, and combinations of the two) as we strive to succeed.
With that in mind, I suggest a different definition of risk management in the book:
The effective management of risk enables risk-aware decision-making, from decisions about the direction of the organization, to its core strategies, to the decisions made every day across the extended enterprise.
The processes and related policies, structures, and systems for identifying, analyzing, evaluating, and responding to risks are established by management with oversight by the board to ensure that the effects of uncertainty (both positive and negative) on the achievement of objectives are understood and managed to support the realization of the organization’s mission and commitment to stakeholders.
My understanding is that COSO will publish its update of the ERM Framework very soon. It will be interesting to see the principles they have come up with and how they compare with mine.
In the meantime, I welcome your thoughts on the above – and any other comments you may have on this best-selling book.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
- A twist on risk appetite - September 21, 2022
- Upgrade to effective GRC - August 24, 2022
- Common sense on cybersecurity - July 20, 2022
