How to assess the effectiveness of risk management
Internal auditors are expected, according to the IIA Standards and some governance codes, to assess the effectiveness of risk management.
achievement of objectives
Is the goal of risk governance taking boards in the wrong direction?
The board is discharging its responsibilities to ensure stakeholders get the performance they should: value creation as well as (and not just) value protection. The board should make sure the management team is effective in running the organization, and that is not done by focusing on a list of harms. Effective governance of an organization is limited if the board focuses on risks.
It’s not about risk management – it's about the achievement of objectives
I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives.
It’s about being successful.
Success is measured through the achievement of specified objectives.
We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our objectives.
The “what might happen” is risk, but the focus should not be on managing them individually but on being successful – taking the right level of the right risks.
The CRO (or equivalent) should be concerned with helping leadership run the organization and achieve its objectives, rather than helping them manage a list of risks.
Let me explain what I mean with a hypothetical story.
The executive team has come to the point in their monthly meeting where they review the report of the Chief Risk Officer.
The CEO invites the CRO to join … Continue reading “It’s not about risk management – it's about the achievement of objectives”
