
Inside Internal Controls

News and discussion on implementing risk management


CEOs are not idiots when it comes to risk management


CEOs got to the pinnacle of their organization because they are anything but idiots.

Yet, if you consider the small number of organizations where risk management is considered as providing a strategic advantage (according to the latest study by the ERM Initiative that number is 20% of all organizations), one of these alternatives must be true:

  1. Even mature risk management doesn’t provide a strategic advantage. In fact, it is doubtful (as indicated in the report as the sentiment of most organizations) that the value of risk management exceeds its cost.
  2. People don’t know how to design a risk management program that delivers value in excess of its cost, to the point that it provides strategic advantage.
  3. CEOs are idiots.

I pick the prize behind door number two.

Here’s the problem.

If all you do is manage the downside, you are not helping manage the upside.

I have been saying for at least a decade that management needs to take risks to survive and thrive, and that means balancing the potential harms that may occur against the potential rewards.

Yet, time and again I keep seeing risk management portrayed as understanding, assessing, evaluating, and addressing potential harms.

That is not how you, or anybody else who enjoys a modicum of success, makes decisions.

The ERM Initiative talks about risk management being an effort to build a risk profile or list of “risk exposures”. Even this limited approach to risk management seems to have been achieved by a small percentage of organizations. Just 6% of the largest organizations report robust risk management processes and 28% say they are mature.

There’s a big difference between maintaining a list of potential exposures and an environment where everything of significance is considered when making a decision.

In other words, if organizations are to optimize results, they need to set aside managing risk (downside) and instead do what it takes to make informed and intelligent decisions.

For ten years, the ERM Institute has been working with IBM to assess whether organizations have mature processes that deliver risk profiles.

Isn’t it time for them to assess how many organizations are able to make, with confidence, intelligent and informed decisions?

I welcome your thoughts.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.