
My good friend, Michael Rasmussen, has written what I consider a special blog post on the topic of Challenges in Risk Management.
I congratulate him for this thoughtful piece and highly recommend that you read it carefully, challenging both your and his thinking.
I agree with much of what he says, but differ a little. Here are a few points I like:
- The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.
- Applying chaos theory to business is like the ‘butterfly effect’, in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops, and influences what ends up being a significant issue.
- Organizations take risks all the time but fail to monitor and manage these risks effectively in an environment that demands agility. Too often risk management is seen as a compliance exercise and not truly integrated with the organization’s strategy, decision-making, and objectives.
- Organizations need to understand how to monitor risk-taking, measure that the associated risks being taken are the right risks, and review whether the risks are managed effectively.
- Risk management is often misunderstood, misapplied, and misinterpreted.
- Risk management is about the risk of not achieving objectives, therefore making the ability to link and measure risk to strategic objectives critical; as is monitoring performance against those objectives. The outcome of this is improved decision-making, better return on investment across the business, improved profitability, and a better customer experience.
- When an organization approaches risk in scattered silos that do not collaborate, there is little opportunity to be intelligent about risk.
- Organizations are best served to take a federated approach to risk management that allows different projects, processes, and departments to have their own view of risk. This can then roll into enterprise and operational risk management and reporting that supports business objectives while being integrated with decision-making processes.
Here is where I differ, although the difference is perhaps subtle:
- I prefer to talk about what might happen instead of the 4-letter word, risk. The 4-letter word has a negative connotation among executives, and it also (mis)leads people to a blinkered focus on potential harms.
- Not only do events and situations have a cascading and domino effect, like a butterfly’s wings, but they have to be considered together with other possible events and situations (a.k.a. sources of risk) when making decisions. Don’t consider individual sources of risk in isolation (to paraphrase Michael’s quote) but consider the possibility of both a butterfly and a bat disturbing the air; the total displacement may move a flower while neither does it by itself. For example, this morning I met with a software vendor that is planning to add a sales representative in Texas. The executive needs to consider, as part of his hiring decision, multiple things that might happen. He has to consider the possibility that the candidate has a poor (or excellent) reputation with potential customers; an ability to deliver (or fail to deliver) on commitments, both to management and the customer; an inclination to stay with the company for an acceptable number of years (or leave after only a year, taking client relationships with him or her); the ability to make (or fail to make) sound decisions; and so on. Assessing each source of risk in isolation will not help the executive make a quality decision.
Quality decisions need to consider the big picture: all the things (within reason) that might happen and have a significant effect on the achievement of success. BTW, as I explain in Making business sense of technology risk (which is not only about technology risk), aggregating multiple sources of risk is not as simple as many assume.
- Risk management is not limited to the possibility of failure. It is (in a world-class environment) about ensuring an acceptable likelihood of success (achievement or surpassing of objectives).
- Rather than talking about effective risk management, we should be talking about effective management. How can you be an effective manager if you do not consider and take appropriate action with regard to what might happen?
I welcome your thoughts and comments.