Inside Internal Controls

News and discussion on implementing risk management

Assessing the effectiveness of your risk management program

The IIA has published a new Practice Guide, Assessing the Risk Management Process. In IIA-speak, this is recommended but not mandatory guidance for its members.

A previous December 2010 Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000 is still available.

I much prefer the earlier version, especially as it talks about meeting the needs of the organization (which is critical) and how management needs to know what risks to pursue, not just avoid or mitigate, so that it can achieve its objectives. It also includes the famous “fan”, indicating which risk management roles are appropriate for internal auditors.

The new PG has some good content, including (my highlights):

  • Risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.
  • Benchmarking the current state of the organization’s risk management against a risk management maturity model is a good place to start this type of assessment. Benchmarking may help the internal audit activity communicate with senior management and the board about the organization’s level of risk management maturity and about aspiring to improve the process and advance in maturity.
  • A mature risk management process typically demonstrates benefits, such as: enabling risk-based decision-making and strategy-setting [and] increasing the likelihood the organization will meet its strategic objectives.
  • If management believes that the risk management process is a bureaucratic exercise that is not worth the resources needed to execute it, then recommending large-scale improvements may be premature and received with skepticism or rejected completely.

I also like the fact that the PG recommends identifying and considering risks to the risk management process itself, a concept I invented in World-Class Risk Management (unfortunately not referenced in the PG).

But both PGs fail to focus on whether the risk management program helps organizations achieve their objectives. They only consider the potential for harm.

Consider this.

In 2008, when so many financial institutions were in trouble, the UK banks decided to stop making loans. They brought their ‘risk appetite’ down to very low levels.

If their risk management program had been assessed using either of these PGs (or, frankly, any of the major frameworks, standards, or guides), it would have been rated highly.

Their level of risk was within their desired range, their risk appetite.

But what happened from a business point of view?

They had next to no revenue and cash flow was severely impacted.

It was not sustainable.

What they should have been doing (and I assume they turned to this) was taking an appropriate level of risk that gave them an acceptable likelihood of achieving their short and longer-term objectives.

To repeat what the PG correctly says: “effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value”.

In order to achieve your objectives, you have to take risks. The question is whether you are taking the right level of the right risks, with quality information about what might happen!

Avoiding failure is a recipe for failure.

So how should you assess the effectiveness of risk management?

You do it by assessing whether it meets the needs of the organization. Those needs include:

  • Enabling intelligent and informed decisions, both strategic and tactical, anticipating what might happen
  • Being confident that the right level of the right risks is being taken to achieve enterprise objectives, balancing the potential for both harm and reward
  • Having an acceptable likelihood of achieving (or surpassing) enterprise objectives

When your executives say that the management of risk helps them set and then execute on strategies (paraphrasing a Deloitte survey and report, where less than 20% said it did), then you probably have effective risk management.

There are multiple approaches to assessing the effectiveness of risk management. One is to determine whether management is in compliance with its policies and standards, and whether its risk register is complete and its assessments are ‘correct’; this has some, but limited, value. Another approach is to see whether the principles in ISO 31000 (I prefer those in the 2009 version) are achieved; this has more value. But I like what I suggested above more: seeing whether the executives believe it is essential to their and the organization’s success.

I like the maturity model approach and included a few (all of which I prefer to the one in the 2019 PG) in my book, World Class Risk Management.

But any maturity model has to avoid a focus that is limited to identifying, assessing, and managing the potential for harm. It has to include whether both potential harms and rewards are considered (in a disciplined and reliable manner) in decision-making.

Building on the discussion in the new PG about risk to the risk management process: in an effective program, the likelihood that the information it provides is significantly wrong is low (at an acceptable level).

What do you think?

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.