The practice of risk management is far too often limited to identifying all and only the things that might go wrong and putting them in a list. It is better to pair this with strategic planning.
Who can argue that the consideration of what might happen (what some refer to as risk) should be part of the strategic planning process?
Objectives and strategies should be set only after thinking carefully about where you are, what is happening around you, and what may happen in the future. They should then be executed on, keeping an eye as you progress on what is happening that may affect the success of your journey.
I much prefer talking about ‘what might happen’ than ‘risk management’, because while the terms should be synonymous, the word ‘risk’ has a negative connotation. Indeed, the practice of risk management is far too often limited to identifying all and only the things that might go wrong and putting them in a list or heat map.
Neither of those (a list of risks or a heat map) helps executives make decisions, including deciding on objectives and strategies and then executing on them.
My good friend, Alex Sidorenko, tells a story I love. He worked with the senior executives to develop a list of the top risks facing a major organization where he was CRO and took it to the CEO for a discussion. The CEO turned his nose up and told Alex that the list wouldn’t change anything he was doing. It wouldn’t help him make decisions and run the company.
Alex returned from this with a resolution to stop focusing on a list of risks (except where required for compliance purposes, when he would do it as cheaply as possible) and focus on what I would call decision support. He works to help people make informed and intelligent decisions.
Now we have an interesting article on this topic by Mike Skorupski, corporate head of ERM at Siemens Gamesa, a renewable energy company in Denmark.
In Uniting risk management with strategic planning, he urges risk practitioners to get more involved in, and add more value to, the strategy-setting process.
Skorupski sees more in the COSO ERM guidance than I do when it comes to strategy-setting. While I can see that COSO suggests that risks to strategies be identified after objectives and strategies have been established, he reads COSO ERM the way it should have been written: you consider where you are, what is happening, and what might happen before establishing enterprise objectives.
Where I differ from Skorupski is on the focus on the negative.
Objectives and strategies should be set and then managed with an eye on all the things that might happen, both the positive and the negative.
Expert practitioners have tools, like Monte Carlo simulations, that help assess the range of possible future situations and their effects on objectives, and the likelihood of those possible effects.
But they are used to applying those tools only to calamity management, not to the range of rewards and opportunities.
Do you make decisions by considering only what might go wrong? Or do you also consider what might go well?
Don’t you make decisions after thinking through all the possibilities?
What will management and the board think if the CRO is only telling them about the likelihood of the sky falling?
Why not help management assess the possibilities of favorable trends in customer spending, an uptick in the economy, or improved pricing by major vendors – using the same methods as they do for potential harms?
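To make the point concrete, here is an added Monte Carlo example of my own (not from Skorupski's article or from the page): the same simulation is run once with only the adverse drivers and once with the favorable ones alongside them. The objective, target, drivers, probabilities and effect ranges are all constructed placeholders.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass
class Driver:
    """One thing that might happen, favourable or adverse, and its effect on the objective."""
    name: str
    probability: float  # chance it occurs in the planning period (1.0 = certain)
    low: float          # effect on the objective if it occurs (min, most likely, max);
    mode: float         # positive values help the objective, negative values hurt it
    high: float

def simulate(baseline, drivers, trials=20000, seed=7):
    """Monte Carlo: sample every driver in each trial and return the list of outcomes."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    outcomes = []
    for _ in range(trials):
        total = baseline
        for d in drivers:
            if rng.random() < d.probability:
                total += rng.triangular(d.low, d.high, d.mode)
        outcomes.append(total)
    return outcomes

def summarize(outcomes, target):
    """Percentiles of the outcome, its mean, and the probability of meeting the target."""
    s = sorted(outcomes)
    n = len(s)
    pct = lambda p: s[min(n - 1, int(p * n))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(s),
            "p_meet_target": sum(o >= target for o in s) / n}

# Constructed, illustrative drivers for a margin objective (units: $M); not real figures.
DRIVERS = [
    Driver("favourable customer spending trend", 0.45,   2.0,  6.0, 12.0),
    Driver("uptick in the economy",              0.30,   1.0,  4.0,  9.0),
    Driver("improved pricing from major vendors", 0.40,  0.5,  2.0,  5.0),
    Driver("loss of a major customer",           0.15, -15.0, -8.0, -4.0),
    Driver("supply disruption",                  0.20, -10.0, -5.0, -1.0),
]

if __name__ == "__main__":
    baseline, target = 100.0, 105.0  # hypothetical current margin and objective
    adverse_only = [d for d in DRIVERS if d.high < 0]
    print("downside-only view:", summarize(simulate(baseline, adverse_only), target))
    print("full view:         ", summarize(simulate(baseline, DRIVERS), target))
```

The downside-only run can never show the target being met, so it cannot support the decision; the full run gives the board the likelihood of reaching the objective and the spread around it.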
I welcome your thoughts.