November 14, 2016
A Revolution in Risk Management
by Norman Marks
The use of risk information needs to do a 180. Don't look at the likelihood of failure. Look at what risks say about the chances of achieving key goals.
The management of risk, whether you call it enterprise risk management, strategic risk management or something else, is about helping an organization achieve its objectives. All the standards, frameworks and guidelines talk about risk in terms of its ability to affect the achievement of the organization’s objectives.
Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful. This allows the consideration of risks but not really how they might affect the achievement of objectives and which objectives might be “at risk.”
Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives? For each initiative, what is the likelihood of success?
Then we can answer these questions.
- Considering all the things that we have identified that might happen, how confident are we that we will meet the objective (within an acceptable level of variation)?
- What is the possibility that we can exceed it?
- What is the possibility that we will fall short?
The assessment will not only provide valuable insight but will enable decisions to be made that will increase the likelihood and extent of success.
The report might look something like this.
What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15% possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)
Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success?
Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?
A report like this moves the conversation from focusing on failure to focusing on success.
Such a report changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.
This is a revolution in a couple of ways:
- It turns the discussion around 180 degrees, from risks to objectives, and
- It demonstrates how the management of risk is of huge value to the organization.
I welcome your comments.
Is this an approach that COSO and ISO should adopt as they upgrade their guidance?