The other day, I was working on an article about assessing risk management and looked to the COSO ERM Framework for quotes. Specifically, I looked at the Executive Summary for language concerning the need for decisions to be based on timely, current, and reliable information about risks. I found these excellent observations:
Unfortunately, I was looking at a draft of the Executive Summary and only the second of these three survived the process of cutting down what was a 21-page summary to a much shorter final document.
I contacted some of the principals involved in producing the 2004 Framework. I asked whether they agreed with me that perhaps the omission in the Summary contributed to an omission in understanding that risk management must be continual, not a periodic event.
The consensus was that one of the most critical aspects of risk management is providing timely information so that intelligent decisions can be made. They also agreed that if the omission in the Summary had led people to believe that risk management meant taking the top risks and assessing them periodically, those people were mistaken. That is not risk management (per the intent of COSO).
Rick Steinberg, who is a former partner with PwC and is one of the primary authors of COSO ERM, told me: “I for one have joined you in working over the years to convince many that looking at the top 10 or 20 risks is a far cry from ERM.” Jim DeLoach, a managing director for Protiviti and a member of the Project Advisory Committee when the Framework was developed, said: “ERM is much more dynamic than maintaining a list of risks.” (By the way, I love an expression coined by Jim to describe the practice of managing top risks on a periodic basis: he calls it ‘enterprise list management’.)
If you look at the other primary risk management guide, the ISO 31000:2009 Standard, the linkage between risk management and effective decision-making is even clearer. For example:
Other risk management experts say it well. Grant Purdy chaired the group that developed Australia/New Zealand’s highly-regarded risk management standard 4360, and represented Australia in the working group responsible for ISO 31000:2009. He told me that “Risk management, like strategic management, must be dynamic and responsive. Annual or bi-annual risk assessments are just catching up exercises. Risk assessment as part of the management of changes (external and internal) is required.”
Felix Kloman is one of the most respected sages of risk management. His view is “managing risk is a continuous exercise, not a sporadic one. Daily, even hourly, we are cautioned to consider the effect on ourselves and our organizations of the changes, large and small that occur.”
So what does all this mean?
I have twice served as risk officer for a large, global corporation. The first time, I was responsible for starting the risk management program; the second time, I came into a program that was relatively well established. However, both relied on Excel for documenting risk assessments, identifying risk treatments (including controls and action items to reduce risks), and tracking completion of action items. I never want to do that again!
I probably spent 20-30% of the total time allocated to risk management (I also led the internal audit function) just making Excel work for me – updating information, consolidating assessments of the same risk from different managers, and producing reports for executive management and the board. (Other risk officers tell me they have similar experiences.) More of my time was consumed in calls and meetings to obtain updates on risk assessments and action items. I could scarcely afford that amount of time and, frankly, it held me back from making the desired progress in maturing the risk management program.
I was sold on acquiring risk management software, and was well along that path when Business Objects was acquired by SAP and I moved into my current role.
In hindsight, the product I was going to buy was not the right software. I now recognize that the value of risk management is not just in understanding and assessing risk periodically, and then ensuring that the risks are managed within tolerance, but in providing risk-related information to support intelligent decisions across the enterprise.
My criteria for a risk management product (and these also apply if you are looking at solutions for risk and compliance – what some call a GRC platform or enterprise GRC solution) include:
Do these products exist? Are there reputable vendors who I expect will remain committed to this space for the long term? I believe the answer to both is “yes”.
Do you agree with the above, including my criteria for selecting risk management (or GRC) solutions? Your comments are welcome.
For more on this topic, see my separate post, “What do they say about the latest release of SAP’s solutions for GRC?”.