GRC Tuesdays: Is the Future of Risk Management Out of Control?
I have worked as a risk management practitioner and consultant around the world for many years. I have watched as risk management tools, technologies, and practices focused on defending business against operational risks in business processes and from human failure.
I have reached the conclusion that risk management now adds little value in defending against operational risks. The vast majority of potential risks in mature business processes are known and predictable. I believe the limits of control effectiveness have been reached and further advances will depend on the application automation of today’s practices and the use of intelligent technology to drive transformational change. Effective internal control (and many would be disappointed in how that term is defined) should be turned over to business management and risk managers should get out of control.
The Future of Risk Management
For several years, SAP has sponsored the North Carolina State Enterprise Risk Management Round Table Summits. This event is produced by the NC State Poole College of Management Enterprise Risk Management Initiative and is held biannually in Raleigh, North Carolina.
I have had the pleasure of attending many of the recent events to represent SAP. The audience consists of 200 or so senior leaders of risk, audit, and compliance functions of Fortune 500 companies. The Round Tables are designed around case study presentations by these leaders.
If you are interested in watching risk management out of control, you need to attend.
The real value of risk management goes well beyond deciding what controls are necessary. The real value of risk management lies in its potential to provide insight and to educate and enlighten.
My personal method for evaluating how risk management is getting out of control is to do a simple word count on the number of times risks and controls are mentioned in a document or presentation. These presentations are about risk management, not control management. The absence of a focus on internal controls suggests to me that these organizations have recognized the limits of control effectiveness and are now moving forward toward more fertile ground.
What I consistently find at this event are innovative tools and creative use cases. Here is a small sample from recent Round Table events.
Risk and Strategy at GM
Recently GM presented their approach to risk management titled, “A Peek Under the Hood: GM’s Toolbox for Managing Strategic Risks.”
As a representative of a solution provider, I was keenly interested in the tools part. At SAP, of course we provide powerful tools to document, monitor, and assess as well as test controls. How could a toolbox for managing risks not contain tools for managing controls?
At the end of the GM presentation, I asked those at my table if they had noticed the word “control” was not even mentioned. I opened my copy of the presentation to confirm my memory and did a search for the word “control.” Not once in 44 pages did that word appear. Yet the presentation was a fascinating depiction of an extremely innovative and diverse approach.
- Technologies/Tools used: Wargaming, Scenario Analysis, Game Theory
Risk and Corporate Purpose at Hilton
At the most recent Round Table event a few weeks ago, I listened to a presentation from Hilton on how their risk management approach supported their vision, mission and values and how the risk management team supported the business in achieving the purpose statement articulated by the company founder. It went well beyond control.
Word count score: Risks 32, Controls 0
- Technologies/Tools used: Surveys, interviews, Key Risk Indicators
Risk, Risk Appetite, and Performance at SunTrust Banks
Another fascinating presentation at the most recent event was from SunTrust Banks titled, “Cracking the Code on Risk Appetite.” It told the story of optimizing risk and reward by managing within risk appetite.
Word count score: Risk 86, Controls 2.
- Technologies/Tools used: Risk aggregation, stress testing, Key Risk Indicators
My purpose here is not to diminish the value of and need for sound and effective internal controls in a business. It goes without saying that the right level of the right controls is necessary. Hint: When it comes to internal control, more is not more.
But for risk management practices to add value, I think they need to “get out of control.” As much as I am an advocate of the kind of innovative risk management presented at these Round Table events, I am an equal advocate for advanced thinking in control management.
Unlike risk management, thinking around control management has not evolved in spite of the enormous advances in technology and enormous changes in business practices.
Please let me know what you think in the comment section below.
Join the Conversation at These Upcoming Events
Visit us at these upcoming events:
- SAP Conference on Internal Controls, Compliance and Risk Management March 12-12 in Barcelona
- SAP GRC Insider in Las Vegas March 19-21
- We are also planning to be at several of the major IIA events in 2019 starting with the General Audit Management Conference March 11-13 in Dallas
My colleagues and I hope to see you soon.