First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Why do so many practitioners misunderstand risk?

riskMy apologies in advance to all those who talk about third–party risk, IT risk, cyber risk, and so on.

We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.

We should address risk because of its potential effect on the achievement of enterprise objectives.

Think about a tree.

In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.

Unless the root cause is addressed, the malaise will continue.

In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.

Talking about cyber, or third–party risk, is talking about a problem at an individual root level.

What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.

If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?

Now let’s extend the metaphor one more step.

This is a fruit tree in an orchard owned and operated by a fruit farmer.

If a problem is found with one tree, is there a problem with multiple trees?

How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?

Will the owner of the orchard be able to achieve his or her business objectives?

Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.

Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.

I remind you of the concepts in A revolution in risk management.

Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.

Is the anticipated level of achievement acceptable?

I welcome your thoughts.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at editor@firstreference.com. If you liked this post and would like to subscribe to Inside Internal Controls blog click here.
Send to Kindle

, , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.