
Inside Internal Controls

News and discussion on implementing risk management


Do we understand what a risk event is?

People talk about a risk event as if it is obvious what it is and what it means.

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization. (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

Most often, people are thinking of a negative effect, something harmful that is the consequence of the event.

Examples of so-called risk events include:

    • The passing of new regulations
    • The loss of a key employee
    • An earthquake, hurricane, flood, or other natural disaster
    • A data center fire
    • An intrusion by a hacker

One of the things that concerns me is that these events may have multiple effects or consequences, not just one.

Some of those effects might be positive.

For example, a new regulation might mean that sales are disrupted and additional costs incurred to bring a product into compliance. There is an increase in cash flow risk, revenue risk, customer satisfaction risk, and compliance risk. But, if the organization is sufficiently prepared and agile, it may be able to release a compliant product earlier than its competitors and gain market share. In fact, some competitors may not be able to adjust at all.

The loss of a key employee may be a risk to a project or other key activity, but it is also an opportunity to hire somebody with greater or different skills, making other things possible. It may even be an opportunity to reorganize for agility or efficiency.

The loss of a data center due to fire or flood may have multiple and diverse effects, but is also an opportunity to build a better one, financed by the insurance proceeds.

There are times when it may be to a company’s advantage to get new regulations passed, simply because it is better prepared to respond than its competitors! It also helps the company’s reputation to be seen as sensitive to the demands of the community – for example by adding safety features.

All of this needs to be considered: the likelihood of an event, the range of potential consequences and the likelihood of each, how the organization can be prepared, and how advantage may be taken.

The other thing that gives me cause for concern is that events are not the only source of risk.

Decisions have an effect as well, and so does the action taken following a decision – for example, the decision to read this article.

But let’s come back to events.

Years ago, when I was a VP in IT, I was responsible for data center disaster recovery and corporate contingency planning.

I learned that rather than building a plan for every event that could cause the data center to be out of commission, it was better to build a plan that addressed how to deal with the effect of those events.

In other words, we had a plan for the loss of a data center, rather than separate ones for loss due to fire, flood, and so on.

Similarly, many things can happen that might affect the achievement of an objective.

Shouldn’t we have plans that address how we respond to the effect rather than to every event?

If we are monitoring the likelihood of achieving an objective rather than simply the levels of individual risks, won’t that help the organization run the business to success?

Just thinking.

What do you think?


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.