
Inside Internal Controls

News and discussion on implementing risk management


A revolution in risk management

Risk management, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives.

All the standards, frameworks, and guidelines[1] talk about risk in terms of its ability to affect the achievement of the organization’s objectives.

Some things might happen that will help[2] and some that will interfere with our progress[3].

Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful.

This allows the consideration of risks, but not really how they might affect the achievement of objectives and which ones might be “at risk”.

Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives? For each initiative, what is the likelihood of success?

Then we can answer these questions.

  • Considering all the things that we have identified might happen, how confident are we that we will meet the objective (within an acceptable level of variation[4])?
  • What is the possibility that we can exceed it?
  • What is the possibility that we will fall short?

That assessment will not only provide valuable insight but enable decisions to be made that will increase the likelihood and extent of success.

The report might look something like this.

| Business Objective | YTD Performance | Projected Achievement: Fall Short (<6.48%) | Projected Achievement: Achieve (6.48%-6.52%) | Projected Achievement: Exceed (>6.52%) |
|---|---|---|---|---|
| Improve revenue by 6.5% | 6.52% | 15% | 80% | 5% |

What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)

Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?

Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?

A report like this moves the conversation from focusing on failure to focusing on success.

It changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.

This is a revolution in a couple of ways:

  • It turns the discussion around 180 degrees, from a focus on risks to a focus on objectives, and
  • It demonstrates how the management of risk is of huge value to the organization.

I welcome your comments.

Is this an approach that COSO and ISO should adopt as they upgrade their guidance?

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management


[1] This includes the COSO Enterprise Risk Management – Integrated Framework and the ISO 31000:2009 global risk management standard.

[2] COSO refers to these as opportunities.

[3] COSO refers to these as risks.

[4] COSO refers to this as risk tolerance.
