Making Mistakes and Poor Decisions Because of Old Risk Information

The other day, I was working on an article about assessing risk management and looked to the COSO ERM Framework for quotes. Specifically, I looked at the Executive Summary for language concerning the need for decisions to be based on timely, current, and reliable information about risks. I found these excellent observations:

  • “Value is created, preserved or eroded by management decisions ranging from strategy setting to operating the enterprise day-to-day. Inherent in decisions is recognition of risk and opportunity, requiring that management considers information about internal and external environments, deploys precious resources and recalibrates enterprise activities to changing circumstances.”
  • “In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
  • “Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review.”

Unfortunately, I was looking at a draft of the Executive Summary and only the second of these three survived the process of cutting down what was a 21-page summary to a much shorter final document.

I contacted some of the principals involved in producing the 2004 Framework. I asked whether they agreed with me that perhaps the omission in the Summary contributed to an omission in understanding that risk management must be continual, not a periodic event.

The consensus was that one of the most critical aspects of risk management is providing timely information so that intelligent decisions can be made. They also agreed that if the omission in the Summary had led people to believe that risk management meant taking the top risks and assessing them periodically, those people were mistaken. That is not risk management (per the intent of COSO).

Rick Steinberg, who is a former partner with PwC and is one of the primary authors of COSO ERM, told me: “I for one have joined you in working over the years to convince many that looking at the top 10 or 20 risks is a far cry from ERM.” Jim DeLoach, a managing director for Protiviti and a member of the Project Advisory Committee when the Framework was developed, said: “ERM is much more dynamic than maintaining a list of risks.” (By the way, I love an expression coined by Jim to describe the practice of managing top risks on a periodic basis: he calls it ‘enterprise list management’.)

If you look at the other primary risk management guide, the ISO 31000:2009 Standard, the linkage between risk management and effective decision-making is even clearer. For example:

  • The Introduction to the Standard says that “the management of risk enables an organization to… establish a reliable basis for decision making and planning.”
  • The Principles for effective risk management include:
    • “Risk management is part of decision-making”, and
    • “Risk management is dynamic, iterative, and responsive to change.”

Other risk management experts say it well. Grant Purdy chaired the group that developed Australia/New Zealand’s highly-regarded risk management standard 4360, and represented Australia in the working group responsible for ISO 31000:2009. He told me that “Risk management, like strategic management, must be dynamic and responsive. Annual or bi-annual risk assessments are just catching up exercises. Risk assessment as part of the management of changes (external and internal) is required.”

Felix Kloman is one of the most respected sages of risk management. His view is “managing risk is a continuous exercise, not a sporadic one. Daily, even hourly, we are cautioned to consider the effect on ourselves and our organizations of the changes, large and small, that occur.”

So what does all this mean?

I have twice served as risk officer for a large, global corporation. The first time, I was responsible for starting the risk management program; the second time, I came into a program that was relatively well established. However, both relied on Excel for documenting risk assessments, identifying risk treatments (including controls and action items to reduce risks), and tracking completion of action items. I never want to do that again!

I probably spent 20-30% of the total time allocated to risk management (I also led the internal audit function) just making Excel work for me – updating information, consolidating assessments of the same risk from different managers, and producing reports for executive management and the board. (Other risk officers tell me they have similar experiences.) More of my time was consumed in calls and meetings to obtain updates on risk assessments and action items. I could scarcely afford that amount of time and, frankly, it held me back from making the desired progress in maturing the risk management program.

I was sold on acquiring risk management software, and was well along that path when Business Objects was acquired by SAP and I moved into my current role.

In hindsight, the product I was going to buy was not the right software. I now recognize that the value of risk management is not just in understanding and assessing risk periodically, and then ensuring that the risks are managed within tolerance, but in providing risk-related information to support intelligent decisions across the enterprise.

My criteria for a risk management product (and these also apply if you are looking at solutions for risk and compliance – what some call a GRC platform or enterprise GRC solution) include:

  • The ability to gather, update, and share risk information on a continuous basis (including sharing with decision makers). Risk owners can update risk levels and other risk attributes as often as risks change. Decision makers can obtain risk information as needed, drill down into detail as needed, and explore scenarios to determine how risks might affect their various choices.
  • Automated monitoring of risk drivers and updating of key risk indicators. This is critical, increasing the timeliness of risk information and enabling risk-intelligent decisions. I would need to be convinced that there is sufficient integration with other enterprise applications (including ERP) or enterprise business intelligence applications, to support continuous risk monitoring.
  • Workflow to:
    • Remind risk owners to review and update risk information if they have not done so recently, and
    • Notify owners of action items that their attention is needed to complete assigned tasks, together with the ability to identify past-due items for follow-up (again through workflow) and reporting.
  • The ability to provide risk information to the right people, at the right time, wherever they are. I want to understand how the software will enable an executive to review risk information while he is literally making a decision on the run – while he is waiting at the airport in Singapore for his next flight.
  • The future. Risk management, in time, needs to be built into routine business processes if it is to be part of the fabric of the culture and of decision making. While most software is stand-alone, I want to understand how risk management capabilities will be integrated with business processes for vendor selection, customer sales pricing, inventory management decisions, and more. I recognize that this is the future rather than the present for risk management, but I want to buy software that will develop with me over time and provide this functionality.

Do these products exist? Are there reputable vendors who I expect will remain committed to this space for the long term? I believe the answer to both is “yes”.

Do you agree with the above, including my criteria for selecting risk management (or GRC) solutions? Your comments are welcome.

For more on this topic, see my separate post.


Posted on Mar 22, 2011 by Norman Marks


  1. Norman:

    Very important subject. Unfortunately many internal audit departments have purchased and use legacy internal audit software that creates yet another risk silo that cannot be integrated with risk and control self-assessment work done by work units and other risk specialists including insurance staff, market risk, credit risk, safety, environment, compliance etc.

    In order to meet the needs of senior management and boards who are expected to oversee a company's risk management processes, there needs to be integration of assurance efforts and a way of creating a consolidated report on the residual risk status of the corporation. Reports on the 50, 100 or 1000 areas where IA thinks controls are deficient or in need of improvement, and the status of action plans to remediate those 50, 100 or 1000 areas, are not what is needed.

    I drafted my version of your criteria above in an IIA blog some time ago. I think we agree on more than we disagree. In addition to the points you list I believe the software should also be capable of raising the organization's overall risk management capability by integrating on-line risk management learning modules for work units and risk and assurance specialists.

    http://bit.ly/hbzXeX

  1. Norman

    Like you, I think it is a pity that the phrase "Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities ... to business processes such as production and new customer credit review" did not make it into the document. Organizations do not just acquire risk in big, strategic lumps but one transaction at a time - a bad loan, a risky supplier, a fraudulent claim. If risk is to be managed, not just reported on, then these risks must be accounted for in situ.

    As you say, "the value of risk management is not just in understanding and assessing risk periodically". To me the value of a proper risk management approach is that it allows you to define how the organization should make decisions - especially operational "micro" decisions about a single customer or single transaction - in a way that is constrained by and contributes to the overall risk management approach.

    This kind of risk by risk or decision-centric approach to risk management is critical in an organization of any size, as the number of decisions involved means that systems, not people, must make these decisions. It is true that we must "provide risk information to the right people, at the right time, wherever they are" but we must also ensure that our risk assessments are "built into routine business processes" by identifying the decisions in those processes and automating those decisions with the right mix of business rules and analytics.

    Thanks for the great post.

    James

  1. Hi Norman: To echo your post, my group also used Excel as the go-to software for our Enterprise Risk Management process. Although it was a good experience practicing pivot table lookups, it was not the analytic process that we had hoped for. Ultimately, it became a reporting tool for management and a document repository for our group. The best analytic tool we had to use was talking with Accounts Payable, Accounts Receivable, and trusted operations managers - for they were the best at understanding where risk was in the organization. Due to the fact that we were a non-profit organization, it did not make sense to procure an ERM or BI solution. In regards to a solution, from my standpoint as a Director of Internal Audit, I wanted a solution that accomplished three tasks: 1. gathered risks; 2. reported risks to management, board of directors, and legal; and 3. adjusted my audit plan accordingly. I hope these comments are helpful.
  1. Hi Norman,

    I haven't yet seen a client selecting a GRC platform, but I've seen them building their GRC webpage within their existing intranet, administered by Risk Management human resources.

    When these resources work closely with functional managers on day-to-day risk management activities and have a representative senior manager who is actively involved in strategic decision making, it makes it possible for RM to be dynamic and part of decision making. The webpage, when it is maintained on a daily basis and improved in terms of functionality, is used as a GRC tool by the employees and is reliable enough to be an input for decision making.

    However, my example applies to companies that are mature enough to leverage SOX controls. And my viewpoint is mostly driven by the IT side (IT controls and business automated controls) of GRC due to my experience.

    I would agree with your criteria, but the prerequisite would be a dedicated risk management team (different from Internal Audit) who would maintain this platform and make it effective for day-to-day operations and strategic business purposes.

  1. A GRC tool needs to be just like a data warehouse that in this case contains all of IT, Operations, Finance, and Legal GRC data to slice and dice for analyses/reporting/decision making.

  1. Norman

    I agree wholeheartedly with your prescription for a meaningful ERM program. However, it appears to be applicable (perhaps it should be) to organisations which are a bit high on the risk maturity scale (or continuum, whatever we call it), perhaps at the Risk Managed or Risk Enabled stage. For organisations which are not even at the Risk Defined stage, many of which perhaps want to kickstart ERM due to regulatory mandate and not really as a business enabler, the challenge before many of us risk practitioners would be to give some defined 'product' to the management, for them to get a feel of ERM. Isn't that what happened with SoX as well (notwithstanding the raging, and legitimate, debate about SoX derailing the ERM roadmap to a large extent, at least as far as its integration with IA is concerned)?

    So at early stages of adoption of ERM, many of us may not have much choice but to adopt Excel or a rudimentary 'risk reporting' tool, though I'd still agree that the risk assessments would need to be kept updated on a regular and not 6/12-monthly basis. It's an aspiration for many of us to facilitate an organisation reaching a state where relevant risk information is both continuously updated and (perhaps more importantly) factored in as strategic input even for operational decisions (the Risk Enabled state). And as an intermediate state, I'd be happy if the managers at least refer to available existing risk information when they go in for 'big ticket' decisions, at the minimum.

    Deb
