There is a lot of debate (and often emotional debate) within the risk management fraternity surrounding various topics – from COSO framework versus the ISO31000 standard, to risk appetite versus risk tolerance, to how risks are rated (rating scales, calculations, inherent, residual, exposure, velocity, qualitative, quantitative, weighted at each business unit, monte carlo simulation etc.).
As risk practitioners we are often so busy with the technical debate that we can’t see the ‘wood for the trees’ and lose sight of our main objective, which is to ‘sell’, evangelise and demonstrate the value of risk management to our board, management, our employees and other stakeholders (shareholders, customers, suppliers, community, environment) with the aim of embedding a culture of risk management and accountability at every level of the organisation. The ultimate aim is to grow, protect and sustain our organisation into the foreseeable future which will provide value to all our stakeholders either directly or indirectly.
Whilst I believe that the risk methodology debate (e.g. COSO versus ISO31000 versus another) is important, I think that we as risk practitioners often get carried away with the theory and technicalities of risk management and forget about being practical. We try so hard to apply a scientific formula to risk management when risk management by its very nature is unpredictable and relies on a number of factors as well as human judgment and past experience. We don’t pay enough attention to the quality and completeness of the risk information that is captured; the old adage ‘garbage in, garbage out’ springs to mind. How effective is our objective and risk identification process, and how complete and up to date is related information such as controls, key performance indicators (KPIs), key risk indicators (KRIs), risk interdependencies, root cause analysis, past history (incidents), near misses, key control indicators (KCIs) etc.? What I like about KPIs, KRIs and KCIs is that they are real values and reduce the subjectivity of risk ratings. At the end of the day it is about the ‘quality’ and ‘prioritisation’ of the risks so that people at every level of the organisation focus and take accountability for the important risks within their own context and in time (hopefully preventing them from materialising). By categorising (strategic, business, operational, process) and linking risks (to objectives and other risks) intelligently, one gets a consolidated view of the organisation’s risk profile from ‘top to bottom’ as well as a detailed view at every level of the organisation.
We should spend more time evangelising and demonstrating to our business leaders the value of risk management and the need to embed it within the organisation. Risk management is an ongoing process and not a once-a-year event. Why do we need to keep on at ‘selling’ risk management to our organisation and why is it not taken as seriously as it should by management?
In my opinion the people running businesses (CEOs, CFOs) generally focus and are measured on ‘numbers’ and see risk management as ‘fluffy’. For example, compare seeing a high risk on a heat map at a risk committee meeting with reporting a loss: I’m sure the loss in the financials will invoke more of a reaction, even though, with good risk management principles in place, management may have predicted the loss well in advance. This is why identifying quality risks with accurate prioritisation based on supporting information is important.
Another reason is that whilst we as risk practitioners talk about ‘upside risk’ (opportunity), the risk registers that I see in organisations are always focused on ‘downside risk’; human beings generally focus on positive outcomes and not negative outcomes. This is why linking risks to objectives (which by their nature are positive) is a critical step in the risk management process.
Risk is seen as a compliance-type / ‘tick the box’ issue and a necessary evil. Risk managers need to change this perception by facilitating the identification of real / quality risks and demonstrating real insight into the business.
This is why Risk Officers need to be out there in their organisations (not behind their desks debating risk methodologies and rating theory), looking for ways to add real business value and insight. And so whilst we as risk practitioners argue about the pros and cons of different risk methodologies, business just gets on and runs the business, paying little attention to formal risk management… and who can blame them?
I include a few points below to illustrate the kind of debate that we tend to get fixated on. There is no perfect model:
In summary it’s about the ‘quality’ and ‘prioritisation’ of the risks so that people at every level of the organisation focus and take accountability for the important risks within their own context and in time (hopefully preventing them from materialising). It’s about the skills of the risk practitioner to evangelise risk management and ensure that you add real value to your organisation by being a trusted advisor with great people skills and valuable insight into the business!
Director: Barnowl GRC and Audit Software
011 540 9100