I was thinking about a post for the New Year that would highlight the changes I would like to see in both practices and thought leadership around the management of risk, when I listened to a new video from my good friend, Alex Sidorenko.
Alex had been attending a risk management conference in Dubai led by another friend, Alex Dali. In this video, he shares a key takeaway.
The risk management leaders at this global conference said that there were two indicators of effective risk management.
The first is that business decisions are informed and intelligent (my words). The consideration of risk is integrated into the setting and then the execution of strategies through daily decisions.
My caution is that when we are talking about ‘risk’, we should be thinking about all the things that might happen, not only harms.
In fact, as I wrote in my last book, we should be avoiding the word ‘risk’ as management has a negative perception of it.
- Most think it only relates to harms
- Managers tend to think of risk management as a compliance activity
In fact, if we think instead about anticipating what might happen and making informed and intelligent decisions with that in mind, there will be a common purpose and understanding between practitioners and the leaders of the organization.
That’s the second set of indicators: a common understanding and language around risk.
My preference, which I will restate, is that we discard the technobabble of the risk practitioners in favor of using the language of the business. (Where everybody in a mature organization is comfortable with technobabble, then continue to use it – as long as it is not focused solely on harms.)
I come back to a Deloitte study from a few years ago.
Executives were asked whether risk management helped them set and then execute on strategies. Only about 13% said it made a significant positive contribution.
So, Alex, my vote for an indicator of success is when the leaders of the organization in the executive suite and on the board wholeheartedly answer the Deloitte question with a hearty thumbs up!
In 2019, let’s press the regulators, consultants, and other thought leaders to focus less on managing harms (especially in silos like vendor risk management) and more on helping those leading the business anticipate what might happen and make intelligent and informed decisions.
I welcome your thoughts.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- How effective are your systems of governance, risk, and control/compliance (GRC)? - October 19, 2021
- Delivering value from IT audit - September 22, 2021
- Selecting software for risk management - August 18, 2021