• First Reference
  • About us
  • Contact us
  • Blog Signup 📨

First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies
You are here: Home / Business / Uniting risk management with strategic planning

By Norman D. Marks, CPA, CRMA | 3 Minutes Read October 24, 2018

Uniting risk management with strategic planning

The practice of risk management is far too often limited to identifying all and only the things that might go wrong and putting them in a list. It is better to pair this with strategic planning.
risk managementWho can argue that the consideration of what might happen (what some refer to as risk) should be part of the strategic planning process?
Objectives and strategies should be set only after thinking carefully about where you are, what is happening around you, and what may happen in the future. They should then be executed on, keeping an eye as you progress on what is happening that may affect the success of your journey.
I much prefer talking about ‘what might happen’ than ‘risk management’, because while the terms should be synonymous, the word ‘risk’ has a negative connotation. Indeed, the practice of risk management is far too often limited to identifying all and only the things that might go wrong and putting them in a list or heat map.
Neither of those (a list of risks or a heat map) helps executives make decisions, including deciding on objectives and strategies and then executing on them.
My good friend, Alex Sidorenko, tells a story I love. He worked with the senior executives to develop a list of the top risks facing a major organization where he was CRO and took it to the CEO for a discussion. The CEO turned his nose up and told Alex that the list wouldn’t change anything he was doing. It wouldn’t help him make decisions and run the company.
Alex returned from this with a resolution to stop focusing on a list of risks (except where required for compliance purposes, when he would do it as cheaply as possible) and focus on what I would call decision support. He works to help people make informed and intelligent decisions.
Now we have an interesting article on this topic by Mike Skorupski, corporate head of ERM at Siemens Games, a renewable energy company in Denmark.
Uniting risk management with strategic planning urges risk practitioners to get more involved in and add more value to the strategy-setting process.
Skorupski sees more in the COSO ERM guidance than I do when it comes to strategy-setting. While I can see that COSO suggests that risks to strategies be identified after objectives and strategies have been established, he reads COSO ERM the way it should have been written: you consider where you are, what is happening, and what might happen before establishing enterprise objectives.
Where I differ from Skorupski is on the focus on the negative.
Objectives and strategies should be set and then managed with an eye on all the things that might happen, both the positive and the negative.
Expert practitioners have tools, like Monte Carlo simulations, that help assess the range of possible future situations and their effects on objectives, and the likelihood of those possible effects.
But, they are only used to using them on calamity management, not on the range of rewards and opportunities.
Do you make decisions by considering only what might go wrong? Or do you also consider what might go well?
Don’t you make decisions after thinking through all the possibilities?
What will management and the board think if the CRO is only telling them about the likelihood of the sky falling?
Why not help management assess the possibilities of favorable trends in customer spending, an uptick in the economy, or improved pricing by major vendors – using the same methods as they do for potential harms?
I welcome your thoughts.

  • About
  • Latest Posts
Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
  • Twitter and risk - January 18, 2023
  • When the board insists on a list of the top risks - December 9, 2022
  • The greatest risk and the greatest asset - November 25, 2022

Article by Norman D. Marks, CPA, CRMA / Business, Finance and Accounting, Information Technology, Privacy / COSO ERM, risk management, strategic planning

Share with a friend or colleague

Get the Latest Posts in your Inbox for Free!

Electronic monitoring

About Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Footer

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

First Reference Talks

  • Home
  • About
  • Archives
  • Resources
  • Buy Policies

Main Menu

  • About First Reference
  • Resources
  • Contact us
  • 1 800 750 8175

Stay Connected

  • Facebook
  • LinkedIn
  • Twitter
  • YouTube

We welcome your comments on our blog articles. However, we do not respond to specific legal questions in this space.
We do not provide any form of legal advice or legal opinion. Please consult a lawyer in your jurisdiction or try one of our products.


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved
Legal and Copyright Notices · Publisher's Disclaimer · Privacy Policy · Accessibility Policy