First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

How to mess up your risk management program

risk management“Few self–assess their risk management program. Where internal audit assess it, I believe they focus more often on compliance with policy than with the level of risk that risk management will fail.”

My friend and sometime colleague Rick Steinberg has penned an amusing but spot–on piece that was recently published in Compliance Week.

Ten simple ways to manage risk … or not is a quick way to test whether you have an adult’s or a child’s risk management program.

Does your risk management activity ‘check the box’, or does it help the organization succeed by making more intelligent and informed decisions?

Tell me what you think of Rick’s ten. Here are some of my own, in addition to his excellent ones:

  • Be satisfied with the periodic review of a list of risks
  • Separate the discussions of strategy, performance, and risk
  • Ignore the fact that risk is created or modified with every decision
  • Don’t question how people make decisions, whether they do so in a disciplined manner that considers what might happen
  • Believe that an enterprise risk appetite statement drives decisions and risk–taking at all levels of the extended enterprise
  • Fail to assess the reliability of your risk management practices

Let me expand on the latter, a principal theme of World-Class Risk Management.

If you follow the principle that you set objectives, identify risks to those objectives, then ensure that there are measures in place to provide reasonable assurance that the objectives will be met, then we have objectives for risk management. They include:

  • Identify the more significant risks to the achievement of enterprise objectives
  • Analyze the risks to determine their potential effects (consequences) and the likelihood of those consequences
  • Evaluate the risks (individually and in aggregate) to each objective and determine whether they are acceptable
  • Respond when the risks are at unacceptable levels
  • Monitor the condition of controls to ensure that the likelihood and extent of a failure in controls continues to be at acceptable levels
  • Communicate risk information to all who need it, when and how they need it
  • Manage all of the above at the speed of risk

There are risks to the achievement of these objectives. In the book, I reference a number of sources of risk, such as:

  • Unreliable information
  • Failing to involve all the necessary people
  • Failing to communicate to decision–makers guidance that will help them take the right level of the right risks
  • And many more

Few self–assess their risk management program. Where internal audit assess it, I believe they focus more often on compliance with policy than with the level of risk that risk management will fail.

So, let me leave you with a couple of questions.

  1. What other signs are there that you have messed up your risk management program?
  2. Have you defined the objectives of your risk management activity, identified and assessed the risks to their achievement, and reported your assessment to executive management and the board?
Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

Send to Kindle

, , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.