
Inside Internal Controls

News and discussion on implementing risk management


Finally some good advice on risk for boards


While I still disagree in some areas, I applaud Jim DeLoach for his latest piece for the (US) National Association of Corporate Directors, Revamping Risk in the Digital Age.

Please read the entire piece, but here are points I especially like, with my highlights:

  • It has always been understood that one must take risks to grow. And typically, the more risk one takes, the higher the potential return. Conversely, a risk-averse mindset leads to a lower return. Given the pace of change in the digital age, the reality is such that it’s not just a matter of taking risk to grow or generate greater returns—it’s also a matter of survival. That’s why organizations might have to undertake more risk than they may be accustomed to taking if they are to survive.
  • In the digital age, the board has an important role to play in strengthening and nurturing the risk culture that facilitates the initiative, creativity, and digital thinking so critical to success.
  • Over three decades, best-of-class [in Jim’s opinion] risk management has evolved from a fragmented, siloed model focused narrowly on myriad risks, to an enterprise-wide approach focused on the most critical business risks and integrated with strategy-setting and performance management.
  • In the digital age, risk management cannot only be about avoiding bad bets. It should also position leaders to make the best bets, from a risk/reward standpoint, that have the greatest potential for creating enterprise value.
  • Digital leaders proactively take risk, whereas digital skeptics do not. 
  • …a traditional approach to risk management might be the biggest risk that an organization faces

There are so many key points here that I encourage you to reflect on each.

I strongly agree that the traditional approach of focusing on the possibility of harm instead of the likelihood of success is itself a great source of risk to the organization.

You simply have to understand all the things that might happen, the big picture where you can see and weigh them all, if you are to make the informed and intelligent decisions necessary for success.

Focusing on harms, especially one at a time, outside the context of performance and strategy execution, is not the same as making sure you are taking the right level of the right risks – and that, as Jim rightly says, is essential if you are to prosper.

Jim and I agree on one word change in the risk management discussion. Rather than the passive expression of accepting risk, he and I both talk about the active form of taking risk.

I believe it is important to use that word and focus on informed and intelligent decisions as part of how any organization sets and then executes on its strategies for achieving its objectives.

I also agree with the idea of integrating the consideration of what might happen (a.k.a. risk) with strategy management and performance management and reporting.

  1. Making quality decisions, both setting and then executing on strategy, requires an understanding of what might happen and their effects. It’s integral to the decision-making process, not something that needs to be integrated as if it were a separate activity.
  2. Effective management requires that you understand where you are (performance management), where you want to go (strategy management), and the likelihood of getting there (which should be a combination of performance, strategy, and risk management).

In fact, I have suggested many times that instead of talking about risk appetite as the amount of risk you are willing to take in pursuit of objectives (i.e., ignoring the reason to take risk, the potential upsides), we should redefine risk appetite (although I would prefer a different term) as the likelihood of achieving objectives that you would consider acceptable.

I depart from Jim in some less important areas.

  1. I don’t like the talk about risk culture. It’s an amorphous term that I don’t believe has a great deal of merit. For a start, there is no single risk culture in any organization. Then there’s the point that culture is multi-dimensional, with attitudes towards taking risk just one; others include ethics and moral behavior, entrepreneurship and creativity, teamwork, and so on.

    Do you want the same attitude towards risk-taking from accounting, safety, marketing, and sales? I certainly hope not!

    It would have been better to just talk about the ability to make intelligent and informed decisions, taking the right risk.
  2. I’m also not a fan of the idea that some risks are compensated and others are not. For a start, the organization may not be able to sustain a huge loss even if there is an equal possibility of a huge gain.

    It would have been better to recognize that in any situation there is a variety of things that might happen and you need to assess and weigh them all together.
  3. I’m not sure whether Jim is saying that this is world-class, but if so I disagree: “an enterprise-wide approach focused on the most critical business risks”. World-class is focusing on success, not managing specific risks, especially not one at a time.
  4. Finally, I still have a problem with talking about risk appetite, as explained above. It’s not something that considers the totality of what might happen, plus it is pretty impossible to define for some issues, such as compliance and safety.

    If you want to have guidance on the risks that should be taken, it needs to be actionable – something that will actually influence the decisions people make. Saying “we have no appetite for failing to comply with laws and regulations” will not influence the decision on how much money to invest in a compliance program.

As always, I welcome your comments.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.