
Inside Internal Controls

News and discussion on implementing risk management


If risk management is the answer, what is the question?


This insightful point was made by Roger Estell on my blog last week.

It merits our thoughtful consideration.

Let’s start with some thoughts about the fundamentals underlying any successful enterprise, whether large or small.

Let’s assume that we are all working together to deliver success for the enterprise.

Then how is success measured?

The executive team, from the CEO on down, is usually measured on whether the organization has achieved the targets (or metrics) approved by its owners (or by their representatives on the board).

Rather than (as in the case of COSO ERM and ICF) assuming that those are the right metrics to measure success, I suggest considering:

  • Have the best objectives been set? Were all opportunities and potential hazards of significance considered during the objective (and strategy) setting process?
  • Have the right targets been set? Are they too low, so that the executives don’t stretch as much as they should? If targets are too easily achieved, there is a temptation to hold back opportunities for the next period. If they are too high, management may take a level of risk (a potential for harm, in this case) beyond what the owners consider acceptable.
  • Have performance targets and incentives been established throughout the organization that are consistent with the targets set for the enterprise as a whole? Does everybody understand what is needed from them for the organization to succeed? Are there performance metrics that will lead management (at any level) to act in a way that is inconsistent with enterprise goals?
  • Are objectives, strategies, and related metrics adjusted as necessary when conditions change?
  • In other words, is there a reasonable level of assurance that the right objectives (and strategies) are set to deliver optimal levels of shorter- and longer-term success?

In a video, Alexei Sidorenko talks about how he worked with the management team to ensure that the objectives they set had a reasonable likelihood of success. He used scenario planning and other tools to help management understand that the first targets they set were unreasonable, with only a 1% (or less) likelihood of being achieved. The target was revised and the new one, approved by management and the board, had a projected 70% likelihood of being achieved.

Management and the board accepted that there was a 30% chance of failing to achieve their objective. (A far more reasonable and practical approach than the concept of risk appetite, as the latter only considers the downside and not the big picture of upside and downside.)

Alex used the tools and techniques he learned for risk management to help the organization set reasonable and appropriate objectives, targets, and metrics for success and the measurement of executive performance.

The question to be asked first is: how can we assess the likelihood of success (achievement of our objectives), given a reasonable understanding of what might happen?

The answer is not really ‘risk management’, because success is not achieved by managing downside risk. We want to manage for success rather than for avoiding failure.

The answer is the use of the tools and techniques traditionally only used for assessing and evaluating the downside – and you can call that risk management if you like. I don’t.

Once the objectives, strategies, metrics for measuring performance, and so on are set, management has to run the business to achieve them.

Management runs the business by making decisions. We hope they are informed and intelligent decisions: informed about what might happen that would affect their achievement, both for the better and for the worse.

How do they get the information about what might happen, both good and bad, on which they will base their decisions?

How will they determine whether a decision will improve or reduce the likelihood of achieving their objectives? In Alex’s case, will each decision they make raise the likelihood of success above 70%, or will that likelihood drop below acceptable levels?

Is the answer to those questions ‘risk management’? Certainly, the tools and techniques used to assess adverse events and situations, and their effect on objectives, can be used to paint the larger picture.

But I don’t think the answer is ‘risk management’.

It’s also not ‘objective management’.

It’s effective and intelligent management. It’s the ability to make informed and intelligent decisions, which is the core of effective management.

We need to stop coming up with new words and phrases when all we need to address is the effectiveness of management. So stop talking about ERM, IRM, or even objective assurance, and start thinking about how to obtain reasonable assurance that the management of the organization, including how it sets objectives and makes related execution decisions, is effective.

I welcome your thoughts.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.