Risk Management Is Incomplete Without Continuous Risk Monitoring

I just ran across an insightful piece at EzineMark that merits attention from every audit or risk manager.

Risks change constantly. Risks you are aware of escalate or diminish. New ones appear on the horizon. All of this happens with speed, so you cannot think of risk management as "something you do on Friday."

The author of this article talks about combining the forces of an organization's market intelligence and risk management units. Now, I have never worked for a company with a market intelligence unit, but have to think that every company has somebody monitoring competitors' activities and other external threats. I agree with the proposition in the article that the risk management function should seek out those monitoring the external environment and partner for risk monitoring.

Internal audit may also want to seek these monitoring functions out as they may provide valuable input into the risks to be addressed in the audit plan.

I welcome your views. Do you see this partnership happening?

Posted on Oct 11, 2010 by Norman Marks


  1. This is a very good article Norman and so thanks for sharing. I agree with your statements above that risk management is incomplete without continuous risk monitoring (as well as other monitoring) and that partnerships between risk management/internal audit with the market intelligence folks are a good thing.

    One way to view this is through the lens of event identification with a simple example. Suppose no one is monitoring competitor activity. (hard to believe but it actually does go on but in the companies that are not so good). Suppose a major competitor goes out of business. If no one is monitoring this, as a company you have probably just lost a great opportunity to capture their business which could be one of the major obstacles in accomplishing one of your own key business objectives.

    So it is important that whoever has responsibility for risk management put in place enough event identification techniques so that all risks can be raised up and evaluated. One of the key identification techniques is to interview all key employees in the company. I would suggest that this function you refer to is one of the key functions. So at the front end by partnering/interviewing this function or using facilitated assessment, you can determine these critical risks. You can also partner with them at the back end because this is one of the essential ingredients for an effective risk management program.

    Ironically, the COSO ERM document does not address well the external environment (e.g., the first of the eight components is called the internal environment), which is the essence of the article attached.




