Risk Is Not a Quarterly Exercise; It Should Be a Way of Life

The International Organization for Standardization (ISO) recently released a new risk management standard: ISO 31000. It prompted me to think about what really matters — what makes an organization effective in managing risk.

The only way risk management has value is if it affects the way you do business. It must influence decisions and actions; otherwise, it is no more than decoration. Risk management should not be a "check-the-box" activity. Used well, it can help an organization achieve and sustain optimal long-term performance.

To be effective in managing risks, an organization needs not only to understand and assess its risks but also to have a culture that embraces the active consideration of risk in:

  • Establishing the (short and long-term) strategy, organizational goals, and objectives.
  • Developing, executing, and monitoring its execution of strategy and achievement of goals and objectives.
  • Everyday decisions.

I have seen too many organizations focus on identifying and assessing risks every quarter, maybe even talking in terms of a high-level risk response (e.g., accept the risk or hedge it using currency swaps) at the expense of actually managing the risks day-to-day.

Let’s take a mundane example: my commute to work. One approach is to perform a quarterly assessment of the risks: (a) that I will be in an accident, or (b) be delayed and miss important meetings. Since I am assigned to SAP’s Palo Alto, Calif., office, which is about 18 miles and 25-30 minutes away (by freeway), to a certain extent I must accept the risk. I believe the risk of accidents to be low, and my response is to train myself to drive carefully. The risk of traffic delays is higher, especially if I leave during the morning rush hour, so my response is to schedule meetings for later in the day.

I assess these [residual] risks, compare them to my risk tolerance, and am satisfied. But should I be?

The other approach is to embed risk in my daily decisions. Each day, I review the next day’s schedule and plan ahead. If I have an early morning meeting, I will decide to leave home very early to avoid most of the traffic. (I will also check to confirm that I have to be in the office, in case I can reduce my risks by calling in). I also check the weather forecast and take that into consideration. When I wake up, I again check the weather to see if I need to leave earlier (for example, if there is rain I should expect driving times to be longer). As I am driving, I am making more risk decisions. If the freeway is clogged up with traffic, I may elect to take side streets — taking into account the risk they are also slow due to increased traffic. I am certainly making a number of accident risk decisions as I drive. For example, I will stay further behind the car in front of me when it is raining.

It’s not enough for me to understand risks in my daily decisions; I need to actively manage them. Do you and your management team embed risk into your daily activities and decisions — and manage those risks constantly? Do you:

  • Consider risks in setting strategy — and assign responsibilities and tasks for minimizing the likelihood and adverse effects of those risks?
  • Include risk mitigation activities in project plans, etc.?
  • Consider the risks to achieving your objectives every time you make a hiring or purchasing decision — and identify what you can do to manage the risks?
  • Continue to manage risks by taking actions every day?
  • Monitor risks, so that you are not surprised? Or do you wait until the official risk assessment time?

Is your risk management program a quarterly exercise or a way of life in the business?

Posted on Nov 28, 2009 by Norman Marks


  1. Norman

    This is a big question, so I am only going to talk about a couple of small points, otherwise I will be here for years! The driving example is interesting because it brings into question the concept of automaticity: you become so adept at driving after a few years, you virtually do it on auto-pilot. When organisations suffer from involuntary automaticity then the checks that they have in place become redundant because they are done without thinking. The driving equivalent is getting home and thinking "where have I just been - I don't remember the journey".

    I also just wanted to touch on an emerging subject - fast clock speed risk management. It is somewhat akin to the "fight or flight" response as opposed to traditional slow clock speed risk management, which is more akin to the more sophisticated cognitive approach when we subdue the fight or flight response. Not many businesses are yet very good at FCSRM - although needless to say emergency services, the armed forces and such like are.

    So you have detailed a lot of questions about managing risks in a SCSRM approach. Do you even know which heuristics and rules of thumb you use for managing the others?

    Kind regards


  1. Hi Norman,

    I like Dan Rather's (retired world news reporter) comment a couple of weeks ago on a Sunday morning talk show:

    "So far, the new millennium is proving that the least likely considered (if considered at all) alternative is the most likely to happen, i.e., WTC, financial collapse, too big to fail, fraud, corruption, scandals at all levels of government, etc"...

    I like how you continuously think "outside the box" (or in this case, the car)!



  1. Norman:

    I think that you know the answers to the questions you pose, which is that most internal audit departments do not do the kinds of things you are asking about. In the year 2009/2010, it is a sad reflection on the internal audit profession.

    You have neglected to bring up the two most important questions which are:

    How did we as an internal audit profession get into a situation where such basic risk questions are not getting addressed on a timely basis?

    What are we going to do about it?

    I think that you should address these comments to the IIA. If you wish to see some suggested solutions to these problems, then please read my response to Richard Chambers' blog of last month and also see my commentary in the Journal of Accountancy, page 14 in the December issue.


    Arnold Schanfield


  1. Hello Norman:

    I started reading your blog entries and have found them to be both helpful and thoughtful. I think most audit shops are pretty good at financial reporting and legal/regulatory risk assessment and auditing.  However, most are not very capable of operational and strategic risk assessment, due to a combination of capability and process issues.

    From a capabilities perspective, we as a profession should develop better knowledge of process improvement theory, such as through Six Sigma / Lean training.  Every 21st century senior auditor should be a Six Sigma Green Belt or equivalent.

    From a process perspective, too few of us have adopted a top-down risk based approach analogous to SOX in analyzing operational risk (i.e., specifically identifying processes, risks and controls in the non-financial parts of the business, then ranking them and determining what to test.)   Each department should have a database similar to SOX for its operational processes, risks, controls, tests, and deficiencies.

    I think we stretch beyond our expertise when it comes to strategic risk assessment, which requires a thorough understanding of strategy and the business.  I think a first step on the strategic risk path is helping the business by ensuring that strategic plans link business objectives, measures, risks, and responses/initiatives.  Take the strategic plans for each area, copy the key objectives and measures into a spreadsheet matrix or database, and then find out what the top 3 risks are to each.  Start with perhaps 10 major objectives, so you'll only have to deal with about 30 risks. 

    Then link the risks to responses or strategic initiatives.  This is actually a good framework to use in annual planning meetings with management, as much of the audit plan can be tied to these initiatives.

  1. Norman,

    I really liked your illustration about the commute to work. I re-posted this on my site and really hope folks will read it and "get it".

    I agree with Mr. Doney's comments: I am Six Sigma Black Belt trained and quite agree that combining these tools with other risk and audit training is an excellent mix. The more tools in the tool box the better.

  1. Hi Norman,

    I agree with what you've touched upon in the ideas of managing risk. I think minimizing risk does take more than a quarterly evaluation but rather a daily action plan. Managing risk on a daily basis can develop into a habit that'll encourage not only preparation but wise decision making, leading to saving time and money. Being able to identify potential risks may lead to minimal risk or even risk prevention. Incorporating actions that monitor risks and enforcing actions that manage risks in itself can call for a more efficient plan in achieving goals and completing tasks. Identifying risks may also produce alternative contingency plans that would be more effective than planning along the way. It's about thorough planning and recognizing what may threaten your plan. Always be prepared for the worst so that you may do your best.

    Kind regards,


