First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Risk in the fourth dimension

risk“[…]we should manage risk because of its value to the organization, not because we are told to do it, because it is in the governance code, it is our job, or because of professional standards.”

As a young boy, my family often spent our vacations at a hotel near Rimini, on the Adriatic coast of Italy.

The hotel owner had a six year old son. If I recall correctly, his name was Mario.

Mario only spoke a little English, which he had picked up from guests. But there was one word that he used all the time and which I recommend to you now.

The word, a magic word with amazing power, is “why”.

“Why are you going to the beach?” “Why do you want to swim?” “Why do you want a tan?”

Let’s think of the power of this word when it comes to risk and risk management.

For board members and executives, the question is “why should I spend my limited time on risk management? Do I do it only because it is expected or the regulators told us to do it?”

For risk practitioners, the question is “why should risk management be important to the organization and its leaders? Are its leaders only paying scant attention because it is expected or required for compliance with regulatory requirements? Why am I doing this; is it because my job is to help manage risk, or is it for some larger purpose?”

For internal auditors, the question might be “why should I assess risk management? Is it because that is what internal auditors are expected to do? Is it because it is ‘best practice’ or required by IIA Standards?”

I think these are all good questions that demand answers.

The answers are the key to unlocking the value of risk management.

The journey to the answer to the question ‘why’ starts with answering the question ‘what are we trying to achieve?’

We say that risk is about achieving objectives. So what are they? What are we trying to achieve?

We also say that risk management enables us to make more intelligent and informed decisions, and that making the right decisions is how we achieve our objectives.

So, every time we think we need to make a decision, we should ask “What are we trying to achieve?” followed by “Why are we making this decision?”

Now, we can start to think about what might happen (getting rid of the ‘r’ word, which only limits our thinking).

We can progress to additional questions, such as “Do I have all the information I need; am I involving the right people; how will my decision affect my and others’ objectives; what are the options; which is best; are any of the potential consequences of the decision unacceptable?” and so on.

But if you don’t have an answer to why you are making the decision and what you are trying to achieve, will you make the right decision?

For board members and executives, there has to be a rational and adult answer to “why should I care” and “why should I spend my time?”

As adults, we shouldn’t be doing things just because we are told to do them.

As children, when our mother told us to make the bed, did we do it well or just enough to get by?

If we were in the armed forces and the sergeant told us to make the bed, we probably made it better than was really needed for our comfort.

As adults, we make it (I hope) well enough to make the room look OK and our bed comfortable when we return to it.

As adults, we should manage risk because of its value to the organization, not because we are told to do it, because it is in the governance code, it is our job, or because of professional standards.

Understanding the value starts with “what are we trying to achieve?” on the journey to “why are we doing this?” and “what is the right decision?” The word ‘we’ includes us as individuals, as members of a team, but especially the interests of the organization as a whole.

Let’s take a specific risk management task, the report to the executives and the board.

Why do we do this, prepare and share the report?

What are we (the risk practitioner) trying to achieve?

What are they (the board and executives) trying to achieve?

Is this the right communication? Is it helping them achieve what they want to achieve?

Are we practicing risk management as children (doing what we are told or is expected) or as adults (doing so because it helps the organization and its leaders succeed)?

I welcome your comments.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

Occasional Contributors

In addition to our regular guest bloggers, Inside Internal Controls blog published by First Reference, provides occasional guest post opportunities from various subject matter experts on the topics of risk management and best practices in finance and accounting, information technology, environmental issues, corporate governance, sales/marketing and operations, not-for-profits and business related issues in Canada. If you are a subject matter expert and would like to become an occasional blogger, please contact Yosie Saint-Cyr at If you liked this post and would like to subscribe to Inside Internal Controls blog click here.

, ,

Comments are currently closed.