Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
My good friend, Michael Rasmussen, and I have had a number of interesting conversations and debates over the last few years. Many have focused on what the term GRC means, with both of us subscribing to the OCEG definition as a capability that enables optimized performance through the management of risk while acting with integrity (my phrasing).
Recently, Michael concluded a ‘rant’ (his word) about how the analysts view the so-called GRC market. I recommend it to you at http://www.grc2020.com/?p=1239
But, in his latest post “What is Risk Management?”, Michael has fallen from grace (IMHO). To his credit, he has followed the (lamentably poor) example set by Richard Kaplan and Annette Mikes. I first heard Annette present her view that risk management is about the downside at the ISO 31000 conference in Paris this year, when her views were very much out of tune with the majority of the expert practitioners and thought leaders in attendance.
No, risk management is NOT just about the downside. Whether you like the COSO ERM Framework or the ISO 31000:2009 standard (or its ANZ predecessor), risk management is about managing the effects of uncertainty – which can be positive or adverse. True, COSO defines risk as adverse and opportunity as the positive, but includes both in risk management.
Here is how the COSO ERM Framework Executive Summary starts – the very first paragraph:
“The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”
In another place, the Framework has a statement I really like:
“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
The ISO 31000:2009 risk management standard is built on a number of principles, including that risk management:
- Creates and protects value
- Is an integral part of organizational processes
- Is part of decision-making
- Is dynamic, iterative and responsive to change
My own view is that risk management effectiveness is measured by its ability to influence decision-making. Better decisions, made with quality information, enable better performance.
An Ernst & Young study (which reported that companies with more mature risk management programs had better longer-term financial results) had this to say:
“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”
Another friend with whom I have had interesting debates is Grant Purdy – one of the most respected practitioners and thought leaders in risk management. Grant led the development of the ANZ risk management standard and followed up with a leading role on ISO 31000.
When Grant works with his clients to improve risk management, he starts by understanding how they make decisions: “what they consider and how they act” (from a recent email). I believe this is the ‘secret sauce’ of risk management.
Risk management is NOT about assessing risks every so often, so you can check the box and say you have a risk management program.
No, it’s about enabling better decisions, leading to better performance, because you are considering and acting on information about what could happen – positive and negative. It’s about understanding the assumptions behind your planning and forecasting, and taking actions to improve potential outcomes. As Grant said just today of one of his clients: “risks have to be taken and they endeavour to minimise the likelihood and magnitude of detrimental outcomes while maximising the likelihood and magnitude of beneficial ones”.
Risk management is something effective managers do every day, as part of their decision-making process.
Now, you can argue (as many do) that “risk” is just the adverse (which is what COSO says, with “opportunity” being the positive) rather than (as in ISO 31000) any effect of uncertainty on objectives.
But if you want effective risk management that enables optimized performance and the ability to “get to where [you want] to go and avoid pitfalls and surprises along the way”, then limiting yourself to periodic assessments of potential “threats and failures” is itself a recipe for failure.
Incidentally, Kaplan and Mikes add to the recipe for failure with the proposition that risk needs to be managed by a separate group. As my friend Bruce McCuaig wrote in a recent post, the management of risk should be owned by the person who owns and is responsible for performance.
Sorry, Michael. While it is attractive to listen to the sirens of Harvard and the balanced scorecard, this course is one that will drive enterprises onto the rocks.