What Are the Characteristics of a World-class Risk Management Function?

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


In a short video, Watson Wyatt’s ERM Services Leader asserts that these are the characteristics of a world-class risk management function:

  1. A culture that encourages enterprise risk management and communication.
  2. Integrated risk functions that coordinate and cooperate with each other.
  3. An expansive risk management framework that considers all the risks that can impact the enterprise.
  4. A clear understanding of the connection between risk and enterprise value.
  5. A Chief Risk Officer that reports to the board or CEO and strongly influences all aspects of enterprise risk management.
  6. Pervasive use of risk information in decision-making across the enterprise.
  7. Incentives that reward effective risk management.

While allowing that the speaker, Sim Segal, only has 4 minutes to speak, I believe there are some HUGE gaps!

Let’s start with the primary issue.

There is a HUGE difference between a "world-class risk management function" and an organization that manages risk in a world-class manner to drive value. I hold to the belief that the only true measure is whether the organization is able to make better decisions because of the way it considers and addresses uncertainty.

You can have all of the characteristics listed by this speaker without the organization being effective in managing uncertainty.

As my good friend Grant Purdy told me, the organization can have NONE of these and still be pretty good at managing uncertainty.

I suggest that rather than focusing on a world-class risk management function, we should recognize that operating and executive management, with board oversight, are responsible for the management of uncertainty (i.e., risk) as an integral part of running the business.

That means that we should focus on the world-class management of uncertainty as part of how the organization drives to and delivers optimal performance and value.

That’s the next objection I have to the Watson Wyatt list: it’s all about risk management and not about performance. (I would accept the Deloitte concept of risk-intelligent management.)

Incentives that reward “risk management” (#7 on the list) may incent people not to take risks they should. Risk management is not about avoiding or mitigating risk: it is about taking the right risks!

Finally, why is it necessary for the Chief Risk Officer to report to the board or CEO if everybody is responsible for the management of risk? This is only necessary if the CRO is set up as the policeman to monitor management and balance their predilection for taking inappropriate risk. It is not necessary if the risk officer is a facilitator that helps and mentors management in addressing uncertainty and its potential effects. (Yes, I am fully aware that regulators of the financial services sector insist on a CRO “cop” that reports to the board, but am hopeful that over time we can move even financial services to seeing management as responsible for both risk and performance — rather than using risk as the enforcer of risk limits, which requires the CRO to have a voice outside management.)

I welcome your comments.

Posted on Mar 8, 2014 by Norman Marks


  1. Norman, you're spot on! One of my biggest problems with 'risk managers', highlighted in your last paragraph, is that they don't (and can't) manage risk. That's the job of management. What we really need is a different title for them. 'Risk Facilitators'?

  2. Anything and everything "world class" starts with leadership. Good leaders can sit anywhere on the bus, take charge, and move toward desired results.

  3. I'm not even sure that the Watson comments are worth getting worked up about, Norman. They are so far away from real risk management that giving them air time is doing everyone a disservice, including them. So now, having made a negative comment, can I go on to say positively what we could do perhaps to change the perspective on uncertainty management so that we lessen the risk of it falling into this lala pseudo risk management world. Let's start promoting uncertainty management in a positive way, for within uncertainty lies opportunity, and most times uncertainty is managed effectively it's associated, I suggest, with an expansion of our knowledge base and/or an innovation. You may have already blogged on this before, Norman, but if you haven't I don't think that we can hear too little of this message, so I ask you to broadcast it far and wide.

  4. These are very good observations, analyses and recommendations. We still have a very long way to go...!

  5. I actually do concur that the best organisations can do is by recognizing that operating and executive management, with board oversight, are responsible for the management of uncertainty (i.e., risk) as an integral part of running the business.

     Having all these fancy headings or making all these fancy statements is not going to help us.
