Misunderstanding Risk and Controls
Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.
Time and again I hear that risk management is seen as something that is required by the regulators, perhaps by the board or top management, but is not seen as something that helps individual managers succeed.
Time and again I hear that boards are not receiving the information they need to know whether the risks to the organization’s strategies are managed appropriately.
Time and again I hear of organizations that are satisfied (i.e., complacent) with the periodic management of a list of significant risks — as if risks are somehow less dynamic than the business environment.
Time and again I hear that practitioners are failing to obtain the support and resources necessary for effective, mature risk management.
This is all due, in my opinion, to a misunderstanding of risk and the controls necessary to manage risk at acceptable levels.
The misunderstanding is due to the inappropriate focus on “risk” instead of “performance” or “success.”
It is also due to considering the management of risk as separate and distinct from how the organization is directed and managed to success. Risk management is an essential and integral element of decision-making and the management of resources. Just look at how COSO ERM and ISO 31000:2009 both define risk — as the effect of uncertainty on objectives. In other words, they are talking about achieving objectives and managing both the threats to their achievement and the opportunities to surpass them.
How do you get the attention of managers, executives, and board members? By talking about how to increase the likelihood of their and the organization’s success, and the likelihood of greater levels of success.
You don’t manage risk for risk’s sake. You manage risk to achieve and optimize outcomes and performance.
And that is what risk and controls are all about. It is all about increasing the level of confidence in achieving or surpassing objectives to acceptable levels or better.
Another obstacle for risk practitioners is the language they use. They use the babble of risk, audit, and controls instead of the language of the business.
If you are trying to persuade a manager to embrace new ideas, do you talk to him in the terms he uses or in some strange language he doesn’t understand?
Let’s consider a situation where an executive is considering the marketing program for a new model car that the company plans to introduce in the U.K. in a few months.
The goal of the program is to help drive sales of the new model in terms of units sold at a defined price, without impairing sales of other models.
To be successful, the management and marketing teams have to address a number of uncertainties. These need to be understood and assessed, and, where appropriate, actions have to be taken. They might include uncertainties relative to:
- The demographics, the type of people most likely to be interested in purchasing the new model. These are the people that should be targeted by the marketing campaign, but even after market research is completed there is no certainty that the right people have been identified. The market research could be faulty, its results misinterpreted, and so on.
- The channels through which the marketing campaign will try to reach and influence the targeted potential customers. There are many choices (including traditional print and television, social media, product placement in movies, and so on) and hundreds of options within each channel. There is no certainty that the optimal channels and options within each channel will be selected.
- The content and delivery of the marketing message. It may not resonate with the targeted audience and may even have a negative influence. In addition, it is possible that only existing customers will be interested, cannibalizing the sales of one product to drive the new one.
- The timing, extent, and duration of the message. It might be delivered at a time or on dates where the targeted audience is less likely to receive it. It is also possible that events or activities which would be prime opportunities to meet the desired audience are missed.
- The ability to respond to the volume of inquiries generated by the marketing campaign. Failing to do so might result not only in the loss of the immediate sale, but also in damage to the company’s reputation and future sales opportunities.
These are all uncertainties that lie between the marketing department and the achievement of its objectives. Actions are needed to ensure that these uncertainties and the effect they might have on achievement of objectives are:
- Understood and assessed. This includes assessing whether the measures taken to date (such as completion of market research) and that continue to be taken (such as monitoring feedback as the campaign is initiated) provide an acceptable level of confidence in the success of the program. In other words, they provide reasonable assurance that the uncertainty and its potential effects are at acceptable levels. By the way, these measures can be considered risk treatments or controls.
- Addressed with additional actions where the level of uncertainty (likelihood and effect) is unacceptable.
Another way of putting the situation is this: management needs to have an acceptable level of confidence that the marketing campaign will be successful. This requires that certain things necessary for success happen and that other things that might impair success do not. Actions need to be taken in both cases: to increase the likelihood that positive things happen (and the size of any beneficial effect) and decrease the likelihood that negative things happen (and the size of any adverse effect).
What I have been talking about is the consideration of risk (uncertainty) in every decision that is made, from the setting of strategy to the daily management and operation of the business.
Does this mean that there is no need to manage that list of “significant risks” that the consultants love, such as the risk of new regulations, changes in the economy, or the actions of our competitors? Of course, these need to be managed as well.
But these tend to be more strategic in their nature. They are slower to arrive and while monitoring them should be frequent, addressing them is typically not an everyday activity.
The “risk” is that by keeping our eyes on the horizon and this list of more strategic risks, we fail to understand and address uncertainties that may lead us to make poor decisions and fail to take necessary actions in running the business. With our eyes on the horizon and not on our feet, we can trip and break our neck well before any of the risks on the risk register can affect us.
Coming back to my theme: unless we stop talking about the management of risk in a defensive way using the babble of the risk practitioner and start talking about the optimization of performance in a positive way in the language of the business, we are unlikely to succeed.
And success, optimizing performance, is what it is all about.
Do you agree? If not, where do you differ?
Posted on Feb 1, 2014 by Norman Marks