Risk management, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives.
All the standards, frameworks, and guidelines[1] talk about risk in terms of its ability to affect the achievement of the organization’s objectives.
Some things might happen that will help[2] and some that will interfere with our progress[3].
Typically, reporting to the management team and the board has been in terms of risks: only the things that might happen that would be harmful, collected into categories that reflect where those risks might arise.
This allows risks to be considered, but not how they might affect the achievement of objectives, nor which objectives are “at risk”.
Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives? For each initiative, what is the likelihood of success?
Then we can answer these questions.
- Considering all the things that we have identified might happen, how confident are we that we will meet the objective (within an acceptable level of variation[4])?
- What is the possibility that we can exceed it?
- What is the possibility that we will fall short?
That assessment will not only provide valuable insight but enable decisions to be made that will increase the likelihood and extent of success.
The report might look something like this.
| Business Objective | YTD Performance | Projected Achievement: Fall Short (<6.48%) | Projected Achievement: Achieve (6.48%-6.52%) | Projected Achievement: Exceed (>6.52%) |
|---|---|---|---|---|
| Improve revenue by 6.5% | 6.52% | 15% | 80% | 5% |
What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)
Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?
Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?
A report like this moves the conversation from focusing on failure to focusing on success.
It changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.
This is a revolution in a couple of ways:
- It turns the discussion around 180 degrees, from risks to objectives, and
- It demonstrates how the management of risk is of huge value to the organization.
I welcome your comments.
Is this an approach that COSO and ISO should adopt as they upgrade their guidance?
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
[1] This includes the COSO Enterprise Risk Management – Integrated Framework and the ISO 31000:2009 global risk management standard.
[2] COSO refers to these as opportunities.
[3] COSO refers to these as risks.
[4] COSO refers to this as risk tolerance.