The other day, I was working on an article about assessing risk management and looked to the COSO ERM Framework for quotes. Specifically, I looked at the Executive Summary for language concerning the need for decisions to be based on timely, current, and reliable information about risks. I found these excellent observations:
- “Value is created, preserved or eroded by management decisions ranging from strategy setting to operating the enterprise day-to-day. Inherent in decisions is recognition of risk and opportunity, requiring that management considers information about internal and external environments, deploys precious resources and recalibrates enterprise activities to changing circumstances.”
- “In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
- “Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review.”
Unfortunately, I was looking at a draft of the Executive Summary and only the second of these three survived the process of cutting down what was a 21-page summary to a much shorter final document.
I contacted some of the principals involved in producing the 2004 Framework. I asked whether they agreed with me that perhaps the omission in the Summary contributed to an omission in understanding that risk management must be continual, not a periodic event.
The consensus was that one of the most critical aspects of risk management is providing timely information so that intelligent decisions can be made. They also agreed that if the omission in the Summary had led people to believe that risk management meant taking the top risks and assessing them periodically, those people were mistaken. That is not risk management (per the intent of COSO).
Rick Steinberg, who is a former partner with PwC and is one of the primary authors of COSO ERM, told me: “I for one have joined you in working over the years to convince many that looking at the top 10 or 20 risks is a far cry from ERM.” Jim DeLoach, a managing director for Protiviti and a member of the Project Advisory Committee when the Framework was developed, said: “ERM is much more dynamic than maintaining a list of risks.” (By the way, I love an expression coined by Jim to describe the practice of managing top risks on a periodic basis: he calls it ‘enterprise list management’.)
If you look at the other primary risk management guide, the ISO 31000:2009 Standard, the linkage between risk management and effective decision-making is even clearer. For example:
- The Introduction to the Standard says that “the management of risk enables an organization to… establish a reliable basis for decision making and planning.”
- The Principles for effective risk management include:
  - “Risk management is part of decision-making”, and
  - “Risk management is dynamic, iterative, and responsive to change.”
Other risk management experts say it well. Grant Purdy chaired the group that developed Australia/New Zealand’s highly-regarded risk management standard 4360, and represented Australia in the working group responsible for ISO 31000:2009. He told me that “Risk management, like strategic management, must be dynamic and responsive. Annual or bi-annual risk assessments are just catching up exercises. Risk assessment as part of the management of changes (external and internal) is required.”
Felix Kloman is one of the most respected sages of risk management. His view is “managing risk is a continuous exercise, not a sporadic one. Daily, even hourly, we are cautioned to consider the effect on ourselves and our organizations of the changes, large and small that occur.”
So what does all this mean?
I have twice served as risk officer for a large, global corporation. The first time, I was responsible for starting the risk management program; the second time, I came into a program that was relatively well established. However, both relied on Excel for documenting risk assessments, identifying risk treatments (including controls and action items to reduce risks), and tracking completion of action items. I never want to do that again!
I probably spent 20-30% of the total time allocated to risk management (I also led the internal audit function) just making Excel work for me – updating information, consolidating assessments of the same risk from different managers, and producing reports for executive management and the board. (Other risk officers tell me they have similar experiences.) More of my time was consumed in calls and meetings to obtain updates on risk assessments and action items. I could scarcely afford that amount of time and, frankly, it held me back from making the desired progress in maturing the risk management program.
I was sold on acquiring risk management software, and was well along that path when Business Objects was acquired by SAP and I moved into my current role.
In hindsight, the product I was going to buy was not the right software. I now recognize that the value of risk management is not just in understanding and assessing risk periodically, and then ensuring that the risks are managed within tolerance, but in providing risk-related information to support intelligent decisions across the enterprise.
My criteria for a risk management product (and these also apply if you are looking at solutions for risk and compliance – what some call a GRC platform or enterprise GRC solution) include:
- The ability to gather, update, and share risk information on a continuous basis (including sharing with decision makers). Risk owners can update risk levels and other risk attributes as often as risks change. Decision makers can obtain risk information as needed, drill down into detail as needed, and explore scenarios to determine how risks might affect their various choices.
- Automated monitoring of risk drivers and updating of key risk indicators. This is critical, increasing the timeliness of risk information and enabling risk-intelligent decisions. I would need to be convinced that there is sufficient integration with other enterprise applications (including ERP) or enterprise business intelligence applications, to support continuous risk monitoring.
- Workflow to:
  - Remind risk owners to review and update risk information if they have not done so recently, and
  - Notify owners of action items that their attention is needed to complete assigned tasks, together with the ability to identify past-due items for follow-up (again through workflow) and reporting.
- The ability to provide risk information to the right people, at the right time, wherever they are. I want to understand how the software will enable an executive to review risk information while he is literally making a decision on the run – while he is waiting at the airport in Singapore for his next flight.
- The future. Risk management, in time, needs to be built into routine business processes if it is to be part of the fabric of the culture and of decision making. While most software is stand-alone, I want to understand how risk management capabilities will be integrated with business processes for vendor selection, customer sales pricing, inventory management decisions, and more. I recognize that this is the future rather than the present for risk management, but I want to buy software that will develop with me over time and provide this functionality.
Do these products exist? Are there reputable vendors who I expect will remain committed to this space for the long term? I believe the answer to both is “yes”.
Do you agree with the above, including my criteria for selecting risk management (or GRC) solutions? Your comments are welcome.
For more on this topic, see my separate post, What do they say about the latest release of SAP’s solutions for GRC?.