The management of risk, whether you call it enterprise risk management, strategic risk management, or something else, is about helping an organization achieve its objectives.
All the standards, frameworks, and guidelines—including the COSO Enterprise Risk Management – Integrated Framework and the ISO 31000:2009 global risk management standard—talk about risk in terms of its ability to affect the achievement of the organization's objectives.
Some things might happen that will help, referred to by COSO as opportunities, and some that will interfere with our progress, which COSO refers to as risks.
Norman Marks will be speaking on this topic at the IT Audit & Controls 2016 conference taking place in New Orleans from Dec. 6 to 8.
Typically, reporting to the management team and the board has been in terms of risks, focusing only on the things that might happen (collected together in categories that reflect where those risks might arise) that would be harmful.
This allows the risks themselves to be considered, but not how they might affect the achievement of objectives, nor which objectives are actually "at risk." Why not turn the information around and use it to indicate the likelihood that the organization will achieve each of its objectives? For each initiative, what is the likelihood of success?
Then we can answer these questions:
• Considering all the things that we have identified might happen, how confident are we that we will meet the objective (within an acceptable level of variation, which COSO refers to as risk tolerance)?
• What is the possibility that we can exceed it?
• What is the possibility that we will fall short?
That assessment will not only provide valuable insight but enable decisions to be made that will increase the likelihood and extent of success.
The report might look something like this:
What this tells us is that so far we are exceeding our target. However, when we consider all the things that might happen over the rest of the period, there is a 15 percent possibility that we will fall short of the target. (This should be the judgment of the people responsible for running that part of the business and achieving the objective. It is not intended to be the result of a precise calculation.)
Leadership can consider whether this is acceptable. Should action be taken to improve the likelihood of success? Leadership can also see that there is a small possibility that the target can be exceeded. What can be done to improve that likelihood without increasing the possibility of falling short?
A report like this moves the conversation from focusing on failure to focusing on success. It changes the discussion to one that resonates with the executive management team, helping them understand how the management of risk can help them achieve their objectives.
This is a revolution in a couple of ways:
• It turns the discussion around 180 degrees, from the risks to the objectives themselves, and
• It demonstrates how the management of risk is of huge value to the organization.
Is this an approach that COSO and ISO should adopt as they upgrade their guidance?
Norman Marks is a former chief audit executive and risk manager at several Fortune 500 companies and the author of the book World Class Risk Management. This article was republished with permission from the blog Norman Marks on Governance, Risk Management, and Audit.