Demystifying Risk Management
By Jonathan Crisp
Director: BarnOwl GRC and Audit Software
There is a lot of debate (and often emotional debate) within the risk management fraternity surrounding various topics – from COSO framework versus the ISO31000 standard, to risk appetite versus risk tolerance, to how risks are rated (rating scales, calculations, inherent, residual, exposure, velocity, qualitative, quantitative, weighted at each business unit, monte carlo simulation etc.).
As risk practitioners we are often so busy with the technical debate that we can’t see the ‘wood for the trees’ and lose sight of our main objective, which is to ‘sell’, evangelise and demonstrate the value of risk management to our board, management, our employees and other stakeholders (shareholders, customers, suppliers, community, environment) with the aim of embedding a culture of risk management and accountability at every level of the organisation. The ultimate aim is to grow, protect and sustain our organisation into the foreseeable future which will provide value to all our stakeholders either directly or indirectly.
Whilst I believe that the risk methodology debate (e.g. COSO versus ISO31000 versus another) is important, I think that we as risk practitioners often get carried away with the theory and technicalities of risk management and forget about being practical. We try so hard to apply a scientific formula to risk management when risk management by its very nature is unpredictable and relies on a number of factors as well as human judgment and past experience. We don’t pay enough attention to the quality and completeness of the risk information that is captured; the old adage ‘garbage in, garbage out’ springs to mind. How effective is our objective and risk identification process, and how complete and up to date is related information such as controls, key performance indicators (KPIs), key risk indicators (KRIs), risk interdependencies, root cause analysis, past history (incidents), near misses, key control indicators (KCIs) etc.? What I like about KPIs, KRIs and KCIs is that they are real values and reduce the subjectivity of risk ratings. At the end of the day it is about the ‘quality’ and ‘prioritisation’ of the risks so that people at every level of the organisation focus and take accountability for the important risks within their own context and in time (hopefully preventing them from materialising). By categorising (strategic, business, operational, process) and linking risks (to objectives and other risks) intelligently, one gets a consolidated view of the organisation’s risk profile from ‘top to bottom’ as well as a detailed view at every level of the organisation.
We should spend more time evangelising and demonstrating to our business leaders the value of risk management and the need to embed it within the organisation. Risk management is an ongoing process and not a once-a-year event. Why do we need to keep on at ‘selling’ risk management to our organisation and why is it not taken as seriously as it should by management?
In my opinion the people running businesses (CEOs, CFOs) generally focus and are measured on ‘numbers’ and see risk management as ‘fluffy’. For example, compare a high risk shown on a heat map at a risk committee meeting with a loss reported in the financials; I’m sure the loss will invoke more of a reaction, even though with good risk management principles in place management may have predicted the loss well in advance. This is why identifying quality risks with accurate prioritisation based on supporting information is important.
Another reason is that whilst we as risk practitioners talk about ‘upside risk’ (opportunity), the risk registers that I see in organisations are always focused on ‘downside risk’; human beings generally focus on positive outcomes and not negative outcomes. This is why linking risks to objectives (which by their nature are positive) is a critical step in the risk management process.
Risk is seen as a compliance-type / ‘tick the box’ issue and a necessary evil. Risk managers need to change this perception by facilitating the identification of real / quality risks and demonstrating real insight into the business.
This is why Risk Officers need to be out there in their organisations (not behind their desks debating risk methodologies and rating theory) and looking for ways to add real business value and insight within the business. And so whilst we as risk practitioners argue about the pros and cons of different risk methodologies business just gets on and runs the business paying little attention to formal risk management… and who can blame them?
I include a few points below to illustrate the kind of debate that we tend to get fixated on. There is no perfect model:
· whether to use inherent risk ratings (assuming no controls in place or assuming that the controls in place aren’t working) or decide not to use inherent rating at all and focus on residual risk rating only
· taking into account control adequacy (design) (which can be further debated on whether adequacy should be rated per control or rated based on the combination of controls linked to the risk and whether they are key / non key (level of assurance) controls) and the effectiveness of controls (which by the way leads back to consequence and inherent risk rating if controls aren’t working)
· whether residual risk should be rated manually or calculated taking into account those controls (preventative, detective, corrective) that affect the likelihood versus the impact of the risk or both
· and then why aren’t we using incident history and near misses to assist us to calculate the residual risk
· and more importantly why aren’t we using KRIs more effectively which are real values and therefore a significant indicator as to whether a risk and its controls are failing
· and risk interdependencies which are a significant indicator of whether a risk in your area may materialise. Risk registers are typically set up in silos and not linked to other risks in other departments / units. If a risk starts to materialise in one area of the business (e.g. a factory strike / labour problems) it should trigger a warning to the sales department of ‘out of stock’ problems and customer satisfaction issues
· whether to use a non-linear scale on our heat-map (where impact counts more than likelihood) and how many colours to use
· whether we have different rating scales per area of our business or by category of risk (e.g. Health & Safety) and, if so, how one compares ‘apples with oranges’ across the organisation.
· whether we weight our risks based on business unit importance (possibly based on percentage contribution to turnover; but what about strategic importance, or for example a reputational risk, which can have severe repercussions no matter where in the business it occurs?).
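To make the points above concrete, here is a small worked model of a two-risk register, added as an illustration; it is not from the original article and is not the BarnOwl product's rating logic. Every rule in it is an assumption chosen for the example: a 1 to 5 scale, a non-linear heat map in which impact is squared, preventative controls reducing likelihood, corrective controls reducing impact, detective controls reducing both at half weight, non-key controls counting half, an aggregate reduction cap of 60%, incidents and a breached KRI overriding the control-derived rating, and a signalling risk warning the risks it can trigger. The two risks, their controls and the KRI values are constructed sample data.

```python
"""Worked risk-register scoring model (added illustration; all weights are assumptions)."""
from dataclasses import dataclass, field
from typing import Optional

MAX_REDUCTION = 0.6  # assumption: controls never eliminate a risk entirely


@dataclass
class Control:
    name: str
    kind: str             # "preventative", "detective" or "corrective"
    adequacy: float       # design adequacy, 0..1
    effectiveness: float  # tested operating effectiveness, 0..1
    key: bool = True      # assumption: non-key controls give half the assurance


@dataclass
class Risk:
    risk_id: str
    description: str
    objective: str              # every risk is linked to a (positive) objective
    inherent_likelihood: int    # 1..5, rated as if the controls were not working
    inherent_impact: int        # 1..5
    controls: list
    kri_value: Optional[float] = None      # real measured value, higher is worse
    kri_threshold: Optional[float] = None  # KRI is breached when value > threshold
    incidents_last_year: int = 0           # incident history feeds the residual rating
    triggers: list = field(default_factory=list)  # downstream risk ids (interdependencies)


def score(likelihood: int, impact: int) -> int:
    """Non-linear heat-map score: impact counts more than likelihood (max 5 * 25 = 125)."""
    return likelihood * impact ** 2


def band(s: int) -> str:
    """Heat-map colour band for a score; thresholds are assumptions."""
    if s >= 60:
        return "critical"
    if s >= 30:
        return "high"
    if s >= 12:
        return "medium"
    return "low"


def reduction(controls: list, dimension: str) -> float:
    """Combined 0..1 reduction the controls apply to 'likelihood' or 'impact'."""
    remaining = 1.0
    for c in controls:
        if c.kind == "preventative" and dimension == "likelihood":
            weight = 1.0
        elif c.kind == "corrective" and dimension == "impact":
            weight = 1.0
        elif c.kind == "detective":
            weight = 0.5          # detective controls help a little on both dimensions
        else:
            continue
        effect = c.adequacy * c.effectiveness * weight * (1.0 if c.key else 0.5)
        remaining *= 1.0 - effect  # independent controls combine multiplicatively
    return min(1.0 - remaining, MAX_REDUCTION)


def residual_rating(inherent: int, red: float) -> int:
    return max(1, round(inherent * (1.0 - red)))


def assess(register: dict) -> dict:
    """Return residual ratings, bands, KRI status and interdependency warnings per risk."""
    results = {}
    for r in register.values():
        lik = residual_rating(r.inherent_likelihood, reduction(r.controls, "likelihood"))
        imp = residual_rating(r.inherent_impact, reduction(r.controls, "impact"))
        # Evidence overrides opinion: each incident raises likelihood one notch, and a
        # breached KRI means likelihood is at least 4 whatever the controls claim.
        lik = min(5, lik + r.incidents_last_year)
        kri_breached = (r.kri_value is not None and r.kri_threshold is not None
                        and r.kri_value > r.kri_threshold)
        if kri_breached:
            lik = max(lik, 4)
        s = score(lik, imp)
        results[r.risk_id] = {
            "objective": r.objective,
            "inherent_score": score(r.inherent_likelihood, r.inherent_impact),
            "residual_likelihood": lik, "residual_impact": imp,
            "residual_score": s, "band": band(s),
            "kri_breached": kri_breached, "warnings": [],
        }
    # Interdependencies: a risk that is signalling warns the risks it can trigger.
    for r in register.values():
        res = results[r.risk_id]
        if res["kri_breached"] or res["band"] in ("high", "critical"):
            for downstream in r.triggers:
                if downstream in results:
                    results[downstream]["warnings"].append(
                        f"upstream risk {r.risk_id} is signalling; review {downstream}")
    return results


# Constructed sample register (two risks, not real data).
REGISTER = {
    "R1": Risk("R1", "Factory strike / labour problems", "Maintain production output",
               inherent_likelihood=4, inherent_impact=4,
               controls=[Control("Union engagement forum", "preventative", 0.8, 0.5),
                         Control("Business continuity plan", "corrective", 0.9, 0.9)],
               kri_value=12, kri_threshold=8,   # grievances logged this month (constructed)
               incidents_last_year=1, triggers=["R2"]),
    "R2": Risk("R2", "Stock-outs and customer dissatisfaction", "Meet customer service levels",
               inherent_likelihood=3, inherent_impact=3,
               controls=[Control("Safety stock levels", "preventative", 0.7, 0.8),
                         Control("Backorder dashboard", "detective", 0.8, 0.75, key=False)],
               kri_value=3, kri_threshold=10),  # open customer complaints (constructed)
}

if __name__ == "__main__":
    for rid, res in assess(REGISTER).items():
        print(rid, res)
```

Running it shows the shape of the debate in numbers: R1's controls alone would bring it down to likelihood 2, but one incident and a breached KRI push it back to 4, so the real values decide the rating rather than the rater's opinion; and although R2 on its own sits comfortably in the low band, it receives a warning because the linked upstream labour risk is signalling, which is exactly the cross-silo trigger the list item above asks for.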
In summary it’s about the ‘quality’ and ‘prioritisation’ of the risks so that people at every level of the organisation focus and take accountability for the important risks within their own context and in time (hopefully preventing them from materialising). It’s about the skills of the risk practitioner to evangelise risk management and ensure that you add real value to your organisation by being a trusted advisor with great people skills and valuable insight into the business!
Director: Barnowl GRC and Audit Software
011 540 9100