In the last couple of months, as I have prepared to work for myself as a management consultant, I have thought a lot about the value I can offer. A first area of interest for me is discovering and organizing all that should be part of an ideal risk management system. In this journey, focused on adding value, I thought it would be useful for the experts out there to critique my line of logic, add to it, correct it, or help define the next questions.
My career has been in internal audit, and it recently reached a milestone with the 2019 publication of Sawyers 7th Edition for Internal Auditors. Sawyers, which I helped design and write, defines how Internal Audit leaders can be more intentional in developing and modernizing their services and products to meet growing governance and risk management needs. Good Internal Auditors, after all, should be well aware of the ideals.
Sawyers 7th edition does a lot to frame consideration of ideal audit services and products. However, when it comes to risk management, well-accepted universal ideals are hard to come by. Maybe that is because risk management involves everyone from the Board, to Executive and Operational Management, to Risk functions that manage unique kinds of risk, and the Auditors.
Today many components of an ideal risk management system exist, but they struggle to become ACTUAL systems. This is most likely the case because each party involved is attempting to be the architect, developer and primary user. Unfortunately, there are few places where Board Members, Executive Management, Risk function professionals and Auditors meet to collaborate and design solutions. A system, according to Wikipedia, is a "cohesive conglomeration of interrelated and interdependent parts that is either natural or manmade." So, how do components of risk management become an interrelated, interdependent system? Only through clear understanding of the core expected outcomes, contributing roles and intentional design.
IMPLIED COMPONENTS OF RISK MANAGEMENT SYSTEMS
1. Risk Management System Core Expected Outcomes
- Board Committees receive information that enables them to carry out their duties to protect, direct and enable the organization*
- Executive Management has formal mechanisms to intentionally draw opportunity risk into decision-making processes
- Executive and Operational Management has easy access to hazard and operational risk data and risk response activities (created by all risk functions and auditors) that impact their objectives
- Risk functions understand the unique contribution they add to the risk ecosystem, are adequately empowered and funded, and stay within their lane
- Internal Auditors report on the alignment of outcomes with needs and ideals
2. Contributing Roles in Risk Management Systems
- The Board of Directors is ultimately responsible for all kinds of risk oversight in the organization: risk taking by executive management, operational capabilities to prevent risk events, and risk mitigation by risk functions such as Legal, Human Resources, Compliance, Information Security, Ethics, Safety, Business Continuity, Fraud/Investigations, etc. They can delegate this responsibility to Management, but they should always be aware of what is happening with risk.
- Executives are responsible for ensuring that risk-taking is within the appetite of the Board and Stakeholders
- Operational Management is responsible for the resilience of their operations to any risk as they seek to succeed at their specific objectives
- Risk Functions are unique departments within an organization that have been created to manage technical risk or risk areas with a high volume of risk to be managed. These are typically considered to be hazard risks that occur in definable events (such as Legal, Human Resources, Compliance, Information Security, Ethics, Safety, Business Continuity, Fraud/Investigations, etc.)
- Internal Auditors have models and methods to help identify risk management interdependencies, report on current capabilities and promote appropriate next steps towards a true risk management system
3. Challenges to Intentional Risk Management Design
- What exactly is Risk Management? Many don't agree. It was not until 2009, when ISO 31000 Risk Management was published, that any broad professional standard defined the word risk, let alone risk management. Prior to that date, risk language was largely borrowed from hazard risk folks in the 1990's and applied to audit and consulting to communicate the importance of something to management
- Today standards abound: ISO 31000, COSO ERM 2017 and the OCEG Red Book (GRC Technology), to name just a few broad standards that have been adopted by governments or adapted for other specific purposes. Then RIMS, the IIA and other professions have their own unique definitions and interpretations.
- What is the job of the Board? It seems to depend on the industry you are serving and the capability of the organization to attract active Board Members. If the Board is not mature and executing its role, how relevant is risk management?
- Who is the Architect? Enterprise Risk Management from 2004 to 2010 was largely designed by auditors or the compliance department, leading to management feeling like it was a silo or redundant to what they were already doing, just in another language. Today many examples of ERM exist that can be traced back to the influence of one specific risk function specialty which is overplayed in the solution.
- Wasn't GRC technology supposed to integrate risk information more effectively for Management? Unfortunately, much of the $25B GRC technology industry is focused on enabling organizational "risk assessment". Rather than creating a link between risk data and the objectives "at risk", it overplays risk professional needs and underserves Executive and Operational leadership.
NEXT STEPS FOR RM SYSTEM DEVELOPMENT?
1. Define who should lead the design of the architecture for risk management. Most likely it is led by management. Carl Spetzler, SDG, a decision science management consultant, has expressed that any ideal risk management solution will have a clear RM leadership role defined for Management. To lead risk management, Executives must not just understand what their risk folks do; they must change the way they manage. They must encourage protocols like formal decision processes for the biggest decisions…
2. Understand what already exists and how close it is to meeting its ideal risk management role. How capable is Governance, what information do they get, and what don't they get? How does Internal Audit incorporate risk management expectations into their assessment of governance and risk? How does it change their perspective of internal control? Are they still discussing transaction or process level control in audit committee meetings, or is the discussion more reflective of management control, governance needs and risk management development? What do risk functions provide? Are they acting as the specialists they are, or are they redundantly acting as risk generalists?
3. Chart a path forward
What are your thoughts? How does a topic as broad as risk management become a system within an organization? You can contact me directly via my AdvisoryCloud profile.
*The Governance Model of "Direct, Protect and Enable" comes from the Aligned Influence https://alignedinfluence.com/roles-of-boards-and-staff