Misunderstanding Risk and Controls

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Time and again I hear that risk management is seen as something that is required by the regulators, perhaps by the board or top management, but is not seen as something that helps individual managers succeed.

Time and again I hear that boards are not receiving the information they need to know whether the risks to the organization’s strategies are managed appropriately.

Time and again I hear of organizations that are satisfied (i.e., complacent) with the periodic management of a list of significant risks — as if risks are somehow less dynamic than the business environment.

Time and again I hear that practitioners are failing to obtain the support and resources necessary for effective, mature risk management.

This is all due, in my opinion, to a misunderstanding of risk and the controls necessary to manage risk at acceptable levels.

The misunderstanding is due to the inappropriate focus on “risk” instead of “performance” or “success.”

It is also due to considering the management of risk as separate and distinct from how the organization is directed and managed to success. Risk management is an essential and integral element of decision-making and the management of resources. Just look at how COSO ERM and ISO 31000:2009 both define risk — as the effect of uncertainty on objectives. In other words, they are talking about achieving objectives and managing both the threats to their achievement and the opportunities to surpass them.

How do you get the attention of managers, executives, and board members? By talking about how to increase the likelihood of their and the organization’s success, and the likelihood of greater levels of success.

You don’t manage risk for risk’s sake. You manage risk to achieve and optimize outcomes and performance.

And that is what risk and controls is all about. It is all about increasing the level of confidence in achieving or surpassing objectives to acceptable levels or better.

Another obstacle for risk practitioners is the language they use. They use the babble of risk, audit, and controls instead of the language of the business.

If you are trying to persuade a manager to embrace new ideas, do you talk to him in the terms he uses or in some strange language he doesn’t understand?

Let’s consider a situation where an executive is considering the marketing program for a new model car that the company plans to introduce in the U.K. in a few months.

The goal of the program is to help drive sales of the new model in terms of units sold at a defined price, without impairing sales of other models.

To be successful, the management and marketing teams have to address a number of uncertainties. These need to be understood, assessed, and where appropriate actions have to be taken. They might include uncertainties relative to:

  • The demographics, the type of people most likely to be interested in purchasing the new model. These are the people that should be targeted by the marketing campaign, but even after market research is completed there is no certainty that the right people have been identified. The market research could be faulty, its results misinterpreted, and so on.
  • The channels through which the marketing campaign will try to reach and influence the targeted potential customers. There are many choices (including traditional print and television, social media, product placement in movies, and so on) and hundreds of options within each channel. There is no certainty that the optimal channels and options within each channel will be selected.
  • The content and delivery of the marketing message. It may not resonate with the targeted audience and may even have a negative influence. In addition, it is possible that only existing customers will be interested, cannibalizing the sales of one product to drive the new one.
  • The timing, extent, and duration of the message. It might be delivered at a time or on dates where the targeted audience is less likely to receive it. It is also possible that events or activities which would be prime opportunities to meet the desired audience are missed.
  • The ability to respond to the volume of inquiries in response to the marketing campaign. This might result not only in the loss of the immediate sale, but damage the company’s reputation and future sales opportunities.

These are all uncertainties that lie between the marketing department and the achievement of its objectives. Actions are needed to ensure that these uncertainties and the effect they might have on achievement of objectives are:

  • Identified.
  • Understood and assessed. This includes assessing whether the measures taken to date (such as completion of market research) and that continue to be taken (such as monitoring feedback as the campaign is initiated) provide an acceptable level of confidence in the success of the program. In other words, they provide reasonable assurance that the uncertainty and its potential effects are at acceptable levels. By the way, these measures can be considered risk treatments or controls.
  • Where the level of uncertainty (likelihood and effect) is unacceptable, additional actions need to be taken.

Another way of putting the situation is this: management needs to have an acceptable level of confidence that the marketing campaign will be successful. This requires that certain things necessary for success happen and that other things that might impair success do not. Actions need to be taken in both cases: to increase the likelihood that positive things happen (and the size of any beneficial effect) and decrease the likelihood that negative things happen (and the size of any adverse effect).

What I have been talking about is the consideration of risk (uncertainty) in every decision that is made, from the setting of strategy to the daily management and operation of the business.

Does this mean that there is no need to manage that list of “significant risks” that the consultants love, such as the risk of new regulations, changes in the economy, or the actions of our competitors? Of course, these need to be managed as well.

But these tend to be more strategic in their nature. They are slower to arrive and while monitoring them should be frequent, addressing them is typically not an everyday activity.

The “risk” is that by keeping our eyes on the horizon and this list of more strategic risks, we fail to understand and address uncertainties that may lead us to make poor decisions and fail to take necessary actions in running the business. With our eyes on the horizon and not on our feet, we can trip and break our neck well before any of the risks on the risk register can affect us.

Coming back to my theme: unless we stop talking about the management of risk in a defensive way using the babble of the risk practitioner and start talking about the optimization of performance in a positive way in the language of the business, we are unlikely to succeed.

And success, optimizing performance, is what it is all about.

Do you agree? If not, where do you differ?

Posted on Feb 1, 2014 by Norman Marks


  1. For those interested in the internationally-adopted ISO 31000 risk management standard, you might want to join the official discussion group on the content of ISO 31000. We have reached 32,000+ members and are growing by 100 members every week. Here is the link to join: http://www.linkedin.com/groups?mostPopular=&gid=1834592

    Our LinkedIn group proposes quality discussions related to the ISO 31000 standard without waste of time and energy. The group is moderated by a team of 10 volunteers for your convenience.

    Best regards


    Conference website in New York - July 2014: www.conference2014.G31000.org

  1. I would like to be part of this important fellowship.
  1. I totally agree with this article. Risk assessment/management has to be focused on and integrated with the performance objectives rather than being a "compliance" exercise. It has to be part of the way we ensure success and part of the planning/strategising process. We must therefore try and get management to integrate this in what they do and, as stated in the article, integrate it in a way that makes sense and is easily understood by management, i.e. in their language and in terms of performance/success.

  1. Spot on Norman,

    Good management by necessity incorporates risk management. Moving the 'debate' from risk to performance changes the entire dynamics of the discussion and the risk management function is seen as a supporter of the business through the provision of tools and techniques to drive improved performance.

    David Tattam, author of "A Short Guide to Operational Risk" and founder of the Protecht group, recently collaborated on an article titled "From Risk Management to Performance Management" which has been published by the Governance Institute of Australia. I would be delighted to send reprints to any interested party.


    Alf Esteban

  1. Norman, totally agree with you. Internal audit's primary aim should be the same as any other function's: to ensure the organisation achieves its objectives. It does this using its unique expertise in ensuring that risks threatening those objectives are managed down to an acceptable level (or in our jargon, 'reduced to below the risk appetite set by the board'). We seem to have an uphill battle. The recent UK Financial Reporting Council draft guidance (referred to in one of your November blogs) fails to emphasise the importance of understanding the company's objectives in order to understand its risks, although one of the principles (C.2) states, 'The board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives.' Regrettably the guidance fails to properly define 'principal risks' (in my opinion). Is there a need to redefine 'internal audit' to reflect the different emphasis of internal audit?

  1. I too agree completely. Sadly, there are too many people who consider risk management a chore, or a simple box ticking exercise, to be done because a regulator says it must be done. You have highlighted in a concise way what the real purpose is and the benefits it brings if done properly.

  1. If there is a difference between “risk management” and just “management”, I would like to know what it is. Risk management is about achieving objectives and it is about dealing with uncertainty: surely this is what management is about. ISO 31000 (of which I am a fan) makes no difference between the uncertainty that leads to underperformance and the uncertainty that leads to exceptional performance. The rational application of risk management does not concentrate solely on “what might go wrong” and lead therefore to lots of controls to prevent and detect unfavourable deviations. It thinks about what should go right and will therefore lead to controls that promote favourable (including planned) outcomes.

    There are circumstances in which special problems need specialised modelling of the risk and specialised control techniques but, if these are directed only at what can go wrong, then much of the effort is wasted.

    Concentrating only on the downside leads to heavy handed controls that, far from improving an organisation, make it sluggish.  Balanced management of risk leads to controls that are consistent with the potential effect on objectives and the level of uncertainty.

  1. Your views are perfect but the reality is the poor adoption of the ideas. For this shift to happen I think the risk compliance (not audit) team should start making changes in their objectives.

    1) The team should have adequate competence and understanding of the business as it happens. It needs a lot of training and business perspective for the compliance team. The alternate way is to hire from the business teams themselves to help talk the business language.

    2) Audit teams should move away from the 'risk' angle to the 'performance' perspective, from 'risk' mitigation to 'opportunity' creation engagement.

    3) The compliance teams should have a phased approach as it takes time to change the perception from the 'financial audit' based approach to 'business' performance.

  1. Michael (Parkinson) - I agree with you that there isn't any real difference between 'risk management' and 'management'. It's interesting to speculate whether there are any management decisions made which aren't a response to risks. Turning that round, are management decisions irrelevant if they aren't a response to risks?

  1. Norman: Spot on. Sadly I suspect that current training, guidance, and regulatory methods/rules/laws do not align with what you and other informed responses above are suggesting. There need to be significant and radical steps taken by governments, regulators, the IIA, and the risk profession to make the vision you paint of what's really needed a working reality. Unfortunately, at the current time, the "risk profession", such as it is, is too fragmented to have a single credible spokesperson/professional association. ISO via ISO 31000 is trying but traction is still low. At RO we promote that risk management is simply the application of rigour and structure to increase certainty that organizations will achieve what they want and avoid/mitigate what they don't want. The decision by boards and/or management how much and how rigorous is, by itself, a significant risk decision. We are calling on boards of directors to elevate their role and "demand" (i.e. "board-driven") credible information on their company's risk governance framework and the reliability of the consolidated reports, if any, they receive on the entity's current retained/residual risk status.
  1. Hi Alf Esteban, I would appreciate the reprint of "From Risk Management to Performance Management". My email address is keobakile@icloud.com
  1. This is a well thought out article.

    The role of audit is not that of performance management but risk assessment. Most organisations have separate units responsible for risk performance monitoring and management. Hence, in my opinion, the emphasis should still be on risk rather than performance since the objective of audit is to provide assurance that risks are managed according to the appetite of the organisation.

  1. Totally agree Norman, but changing human behavior has not been so difficult because the tendency of learning changed course. I believe the curricula of the colleges and universities do not reflect the current reality. That means we need a couple of decades for current students to learn and apply what they have learned in the future. Since it is quite difficult to train and change the way of decision making of the current directors and executive managers, I think we need to wait a little more to see the effect of our certainty. As new books are published within this context, there will be more chance to speed up the process. We are currently planting a seed, and hopefully will see it grow exponentially.
  1. Alf Esteban: I would also appreciate receiving a copy of "From Risk Management to Performance". My e-mail is tim.leech@riskoversight.ca. I tried to source it on the internet but wasn't successful. I have believed for many years that risk assessment processes that don't explicitly link risk assessment work to performance on the objective(s) being assessed are missing an opportunity to truly engage management and boards in risk management.
  1. ...but not forgetting that boards and management need to actively embrace balanced risk taking as their key driver to success. It cannot be entirely driven by the risk and audit functions or it will not succeed.

  1. Norman - I couldn't agree more with your position in the article. While there is a lot which will need to change globally for these ideas to become common practice, one small step which can help is the following:

    - Senior managers + board members + regulators should reject any risk related report where the risks are not presented with their associated business objectives. This forces the risk + compliance + audit teams who create such reports to think about risk and business objectives.
  1. Manoj: I have been advising boards to do exactly what you recommend for many years. I also advise them to require internal audit to put a price tag, fully costed, on each audit report. Unfortunately the internal and external audit professions have a strong historical attachment to compliance and process centric methods in spite of claiming to be "risk-based". The PCAOB is currently putting on a major push to convince external auditors and companies to actually link risks to objectives and the controls/risk treatments to specific risks. They haven't gone so far yet as to require careful assessment of risks. They are getting lots of pushback. The ERM profession, such as it is, often defaults to "risk-centric" methods (risk registers/risk lists/risk heat maps, etc.) and loses the link to business objectives and/or analyzes risks one by one instead of the cumulative impact on the uncertainty of achieving a business objective. Customers are not provided with composite assessments of the uncertainty of achieving specific objectives. These "habits" will not be overcome easily. The IIA needs to elevate the importance of internal auditors transitioning to "objective-centric" risk assessment methods and linking performance information on the objectives being assessed to the current risk treatment design and residual risk status.
  1. Tim, I entirely agree with you but I am concerned that your worry about risk registers/risk lists/risk heat maps may give auditors the impression that they aren't necessary. I believe they are essential but: they must start with the business objectives; and they must be considered a means to an end (the proper management of risks) not an end in themselves. I've been trying a 'mindmap' (see http://dmgriffiths.com/rbia/files/mindmaps/Risk%20Universe.html) as a means of linking objectives, risks, controls and tests and then converting these into a risk register. I'm not entirely satisfied but it's a start.

  1. David: I do want auditors to believe "risk registers" are not necessary and should be replaced with "objective registers". I have written extensively on that point and provide a lot of technical reasons for that position. (See "The High Cost of ERM Herd Mentality" and "Risk Oversight: Evolving Expectations for Boards") Those objectives that have high value creation potential and/or high potential to erode enterprise value should attract the highest amount of formal risk assessment and the highest amount of formal assurance from external and internal auditors. The approach we promote puts the onus on senior management and the board to engage in the process of determining what should be included in the organization's objective register and make conscious decisions on how much risk assessment rigor/rigour ("RAR") they want. Instead of doing "mindmaps" to link the elements why not just convert to the Objective Register/Objective-centric approach?
  1. Norman, without a doubt members of the risk management community can do themselves a disservice by getting stuck on the theory of Risk and not the practice of business. Focus has to be about integrating risk management into the fabric of the business - in the language of the business.

    It is about getting teams to understand they do not necessarily fail because of the way they managed the objective itself but because they didn't proactively consider and manage those things which may prevent the achievement of that objective. Typically the objectives set are the 'bread and butter' for a team. It is what their job is about so assuming things don't go wrong they are more than likely to achieve the end goal.

    This leads one to question why the core of a typical management system is geared towards assessing and reviewing what we do well as opposed to identifying and managing those things the business/team doesn't typically expect on a day to day basis and doesn't 'do' well when it happens.

    It has absolutely got to be about showing the business they have the power to be in control of achieving their objectives rather than being on the back foot when having to address unforeseen and significantly more costly issues.

    For me risk is just the flip side of the coin... Heads - the journey to the objective and Tails - ensuring you know what is going to cause that journey to deviate so you can arrive there to plan. Managing what may prevent achievement of the objective with the same vigor as managing the objective itself.

    The challenge is getting business to 'get' this given they are so often inundated with a 'risk agenda' that is about risk for risk sake and not for the business sake.

  1. Once again, Norm, you have framed a great argument for what should happen and why it doesn't. I would add a voice on three points:

    Language: The psychobabble practitioners use, regardless of the community, is counterproductive to an enterprise risk discipline. Risk must be explained in terms that anyone, regardless of industry, can understand and that are not subject to misinterpretation in translation. I have a 5-minute crystal clear explanation of risk and control that I'd be willing to share.

    Risk per se: The word elicits a visceral response. It implies danger, and constitutes the 800 pound gorilla in the room every time it comes up. Taken with the above, the classic George Carlin routine on language points out the loss of the real essence of any concept. He talked about the evolution of the term "Shell Shock" that has become "Post Traumatic Stress Disorder". No wonder no one has any idea what any of it means any more, and the consequence of risk, buried in indecipherable invented language, loses its immediacy, hence the constant too little too late scenario.

    Risk response: If I were king of the forest....acceptance of risk would be the last resort after all other avenues had been explored thoroughly, and documented to prove it. Personally, under other than extremely rare circumstances, I wouldn't allow it at all, but that's a debate for another day.

    Thought-provoking as always.

    Thanks Norm.

  1. Hi:

    Totally agree. I am currently doing research into the integration of ERM and Performance Management and finding that many companies still treat the processes as separate activities. If they are linked it is only at the Strategic Planning phase (i.e. once a year). The impact of new or emerging risks is not measured on an ongoing basis, nor are changing risk levels used to adjust performance measures.

    A second area of research I am conducting is the use of data-driven risk indicators that will allow for an ongoing assessment of lagging and leading risks.

    Norm - as always you are on the leading edge - keep pushing us.

  1. Alf Esteban - I am interested in the article you mention "From risk management to performance management". Can I please have a copy at chlovi@cytanet.com.cy?

    Norman, I am fairly new in risk management but have experience in internal audit. I fully agree with what you say. What I find difficult in practicing risk management as a second line of defence is how to practically implement and evidence the integration of the risk management discipline into day-to-day operations management and decision making. And this is because most frameworks emphasise the annual or semi-annual assessment of risks rather than the day-to-day management of risks. If you or other commentators have any specific ideas, or have already written on this topic, I would be very interested to know and would really appreciate it. Thanks


  1. Thank you so much for this forum, Norman. As a relatively new practitioner, I am just getting an objective-driven risk management program off the ground and have the first report to the Board in a couple of weeks (versus our traditional heat map of what are primarily operational risks). The timing of this article is great as we will also be presenting our first balanced scorecard results to the Board at that time. I have been working closely with this group so that we are aligned on the performance optimization aspect of the risk reporting exercise.


    Alf Esteban - I would really appreciate a copy of the article you mentioned, "From Risk Management to Performance Management". My address is dderoche@flyeia.com


    Thanks so much. D
