First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

What is your consolidated risk exposure?

This article discusses consolidated risk exposure and different risk management tools.

consolidated risk exposureThis question came up as I was reading the preface to what appears to be a major contribution to risk management thought leadership.

Prepared to Dare is by Hans Læssøe, formerly the chief risk officer at LEGO. His risk management program has been profiled extensively, for example in the Wall Street Journal, Strategic Finance magazine, and in the work of Professors Robert Kaplan and Anette Mikes.

I like what Hans has to say in the description of the book (with my highlights):

The discipline and profession of risk management is undergoing significant changes these years, and will continue to do so for years to come. In an ever-changing world, the attention towards taking risks and managing the risks taken becomes increasingly important for businesses and organisations to survive and prosper.

The stakes are getting higher and speed is increasing. Hence, intelligent risk taking becomes a necessary core competence of leaders at all levels of an organisation.

This book builds on solid and practical experience, and takes the reader from the basic concepts and approaches to making maneuverability a true competitive advantage by actively and deliberately leveraging the tools and processes of risk management in business design, strategic and operational decision making.

One of the thoughts that he shares is that thinking about what might happen (risk) comes before you take the risk. Contrast this with COSO, where risks are identified after strategies are defined.

By the way, I encourage everybody to read and listen to the work of Alex Sidorenko (see his blog). In January, he interviewed Hans.

There’s a difference, though, between my books (World-Class Risk Management and Risk Management in Plain English) and this new one by Hans.

The difference is clear when you examine this description of chapter 2 from the Preface to the book.

In this chapter, I will describe an avenue to establish an Enterprise Risk Management (ERM) which is consolidating the risk exposure of an organisation as well as enable depiction of the key risks of the organisation. Different approaches to portfolio consolidation, including Monte Carlo simulation will be described and assessed. I will also describe potential linking between risks and opportunities.

Taking the second half of the paragraph first, Hans provides guidance on useful risk management tools and techniques, such as Monte Carlo simulation and game theory.

My books don’t cover those techniques as they focus more on how risk practitioners can contribute to the success of the organization as a whole – by enabling informed and intelligent decision-making.

Hans also emphasizes informed decision-making, but I see his book as adding more value when it comes to specific risk management tools and techniques.

The major difference, as I see it, is in that first sentence.

What is the “consolidated risk exposure”?

At LEGO, Hans used likelihood and impact scales, together with heat maps.

I have problems with those, instead suggesting that we should focus on the likelihood of achieving objectives.

After all, it’s not about managing risks; it’s about managing the organization (my latest mantra).

Let’s consider the partner of a CPA firm. As he considers his audit of the financial statements of his major client, he is required by standards to assess the risk. The risk he is considering is the risk of issuing the wrong opinion.

If you asked him about his level of risk, I think he should think first about the likelihood of reaching an incorrect opinion. He might also consider the likelihood of upsetting the client; failing a PCAOB examination; going over budget; or having problems among the staff.

Several things might happen, each of which is a source of risk. I would not advise assessing each source of risk, but instead consider the overall likelihood of achieving his objectives.

I have just started a book suggested by my wife, I’ve Decided to Live 120 Years: The Ancient Secret to Longevity, Vitality, and Life Transformation. (I am not recommending it yet as I have only read the first chapter or so.)

The author’s goal is to live and enjoy his life for another 50 or more years (he is in his late 60s).

How would he assess his “consolidated risk exposure”?

I don’t think he would appreciate a heat map as much as knowing the likelihood of living to 120 in a style that affords meaning to the second half of his life.

Then let’s turn to the CEO of a large organization. He will probably be turned off when he hears the phrase “consolidated risk exposure”. He will prefer reports that show the likelihood of achieving EPS, market share, customer satisfaction, revenue growth, and other targets.

So where does this leave me?

I recommend that risk practitioners charged with their organization’s ERM program read both my and Hans’ books – and monitor Alex Sidorenko’s site for blogs and interviews.

Internal auditors will, I think, gain more from my books. They need to understand the principles and how risk management can contribute to success more than they need to understand specific risk management tools and techniques.

Board members and those advising the board and/or the C-Suite should read Risk Management in Plain English.

What do you think?

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , ,

Comments are currently closed.