Inside Internal Controls

News and discussion on implementing risk management

The current state of risk oversight: Useful or useless?

For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.

In February, they published the 8th edition of their report.

I have covered their reports in the past, highlighting:

  • According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
  • They don’t provide detail on what they consider to constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
  • It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.

There is some useful information in the report.

But does it add value to continue to focus on practices that don’t work?

All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.

Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”

When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?

When you think that risk management needs to be “integrated” with strategic planning, instead of acknowledging that strategic planning already includes considering what might happen and what we should do about it, I think you are wrong.

Effective strategic planning is not a separate activity from strategic risk management!

So, is this report useful or useless?

Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?

Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?

Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.

We need practices that will:

  • Inform and enable more intelligent decisions
  • Increase the likelihood and extent of success

Right or wrong?

I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.