Inside Internal Controls

News and discussion on implementing risk management

The basics of risk management

I want to congratulate David Hillson (a.k.a. the Risk Doctor) for his video explaining his view of risk management basics.

In Risk management basics: What exactly is it?, he takes less than five minutes to sum up risk management with six questions:

  1. What am I trying to achieve?
  2. What might affect me? Are there things out there in the future that might help or hinder me?
  3. Which of those things that might affect me are the most important?
  4. What should I do about it?
  5. Did it work?
  6. What changed?

He says that “managing risk is one of the most natural things we can do and one of the most important”. I have to agree, although I don’t think we do it as well as we should.

I like his six questions.

David has written 11 books on risk management, which is more than me, and I have to admit that I have not read them. While I suspect that we will not agree on every topic, such as the value of risk appetite statements, his six basic questions are similar to my set.

This is what I have included in the book I am writing now, on making business sense of technology risk.

I like to explain risk management as something every effective manager does:

  • They understand where they are today and where they need to go (their objectives).
  • They understand, as best they can, what might happen as they work towards achieving those objectives. I recommend the expression: “they anticipate what might happen.”
  • They consider (or assess) whether that is acceptable. Will they still be able to achieve their objectives, even if they suffer an acceptable level of harm in the process?
  • If either the likelihood of success or the likelihood of great harm is unacceptable, they take action. That action could include not only managing the risk but also changing the strategy or even the objective.

We start in a similar fashion and use plain English rather than risk technobabble. (See Risk Management in Plain English).

But I believe you need to set the right objectives first.

I also believe that rather than assessing risks out of context, you need to consider all the things that might happen and assess whether that totality is acceptable.

In other words, manage success rather than risk and certainly don’t manage one risk at a time.

Beyond that, we seem to be on the same page.

What do you think?

Is this simple approach right? Certainly there is more complexity when assessing the various things that might happen, especially when multiple things might flow from a single decision. But isn’t this a good start?

I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.