I don’t know Christopher Burt of Halex Consulting, although we are connected on LinkedIn.
But I need to draw your attention to a provocative piece by his firm (presumably by him): The risks of risk management. (My thanks go to Tim Leech for tweeting about it.)
While he doesn’t reference either World-Class Risk Management or this blog, what he says is very much in line with my core message:
- The periodic review of a list of top risks is not effective risk management. It actually has very little value in leading the organization to success.
- Organizations need to obtain confidence that there is an acceptable likelihood of achieving enterprise objectives. (Some prefer to talk about certainty in achieving objectives; it’s the same concept but I don’t like talking about certainty or uncertainty – it’s confusing.)
- Its not about managing risk. It’s about achieving those enterprise objectives. Chris talks about performance management whereas I say this is simple effective management.
You will see how Burt’s language is consistent with mine. For example, he says:
- In many businesses, there is a tendency towards ‘risk listing’, with the primary focus on documenting, assessing and prioritising lists of risks. Sadly, in most cases this approach adds little value, leading to page-turning discussions around the top 10 or 20 risks whilst diverting attention away from the real value of risk management – helping the business deliver its strategy through achieving its objectives.
In the end, the thing risk listing is most successful at is convincing the board and senior management that they are dealing with risk in the same way as other organisations, since this approach is endemic across UK and international businesses.
- The purpose of risk management is not to manage risks per se. The purpose of risk management is actually to help the business deliver its strategy through focusing on achievement of its strategic business objectives.
- Moving the focus away from risks and onto business objectives, or key goals, is also more natural and engaging way to consider risks. In effect, it puts risk in the context of reward and focuses senior management and Board attention on the objectives that the organisation is trying to achieve, and what they need to do to increase the certainty of achieving them. It should also lead to a more forward-looking mind set, increased focus on priorities and greater responsiveness to unexpected events.
- The third line [of Defense] (Internal Audit) remains responsible for providing independent assurance over all aspects of the organisation’s activities, including looking at the ERM system and the work of the second line. A brave Internal Audit function may even opine on whether management has fairly stated the certainty of it achieving its business objectives.
I welcome your comments.
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024