CEOs got to the pinnacle of their organization because they are anything but idiots.
Yet, if you consider the small number of organizations where risk management is considered as providing a strategic advantage (according to the latest study by the ERM Initiative that number is 20% of all organizations), one of these alternatives must be true:
- Even mature risk management doesn’t provide a strategic advantage. In fact, it is doubtful (as indicated in the report as the sentiment of most organizations) that the value of risk management exceeds its cost.
- People don’t know how to design a risk management program that delivers value in excess of its cost, to the point that it provides strategic advantage.
- CEOs are idiots.
I pick the prize behind door number two.
Here’s the problem.
If all you do is manage the downside, you are not helping manage the upside.
I have been saying for at least a decade that management needs to take risks to survive and thrive, and that means balancing the potential harms that may occur against the potential rewards.
Yet, time and again I keep seeing risk management portrayed as understanding, assessing, evaluating, and addressing potential harms.
That is not how you or anybody else that enjoys a modicum of success make decisions.
The ERM Initiative talks about risk management being an effort to build a risk profile or list of “risk exposures”. Even this limited approach to risk management seems to have been achieved by a small percentage of organizations. Just 6% of the largest organizations report robust risk management processes and 28% say they are mature.
There’s a big difference between maintaining a list of potential exposures and an environment where everything of significance is considered when making a decisions.
In other words, if organizations are to optimize results, they need to set aside managing risk (downside) and instead do what it takes to make informed and intelligent decisions.
For ten years, the ERM Institute has been working with IBM to assess whether organizations have mature processes that deliver risk profiles.
Isn’t it time for them to assess how many organizations are able to make, with confidence, intelligent and informed decisions?
I welcome your thoughts.
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024