First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Insight into effective risk management

risk management

I don’t know Christopher Burt of Halex Consulting, although we are connected on LinkedIn.

But I need to draw your attention to a provocative piece by his firm (presumably by him): The risks of risk management. (My thanks go to Tim Leech for tweeting about it.)

While he doesn’t reference either World-Class Risk Management or this blog, what he says is very much in line with my core message:

  • The periodic review of a list of top risks is not effective risk management. It actually has very little value in leading the organization to success.
  • Organizations need to obtain confidence that there is an acceptable likelihood of achieving enterprise objectives. (Some prefer to talk about certainty in achieving objectives; it’s the same concept but I don’t like talking about certainty or uncertainty – it’s confusing.)
  • Its not about managing risk. It’s about achieving those enterprise objectives. Chris talks about performance management whereas I say this is simple effective management.

You will see how Burt’s language is consistent with mine. For example, he says:

  • In many businesses, there is a tendency towards ‘risk listing’, with the primary focus on documenting, assessing and prioritising lists of risks. Sadly, in most cases this approach adds little value, leading to page-turning discussions around the top 10 or 20 risks whilst diverting attention away from the real value of risk management – helping the business deliver its strategy through achieving its objectives.

In the end, the thing risk listing is most successful at is convincing the board and senior management that they are dealing with risk in the same way as other organisations, since this approach is endemic across UK and international businesses.

  • The purpose of risk management is not to manage risks per se. The purpose of risk management is actually to help the business deliver its strategy through focusing on achievement of its strategic business objectives.
  • Moving the focus away from risks and onto business objectives, or key goals, is also more natural and engaging way to consider risks. In effect, it puts risk in the context of reward and focuses senior management and Board attention on the objectives that the organisation is trying to achieve, and what they need to do to increase the certainty of achieving them. It should also lead to a more forward-looking mind set, increased focus on priorities and greater responsiveness to unexpected events.
  • The third line [of Defense] (Internal Audit) remains responsible for providing independent assurance over all aspects of the organisation’s activities, including looking at the ERM system and the work of the second line. A brave Internal Audit function may even opine on whether management has fairly stated the certainty of it achieving its business objectives.

I welcome your comments.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.