An Excellent Article on Risk Management

I commend Marco Nutini for his recent LinkedIn post, Risk and decision: egg or chicken?

He asks:

In your opinion, which of the two alternatives best represents the Enterprise Risk Management process?

1) From an Objective >> Identify a Risk >> Analyze and prioritize >> Decide how to treat it; or

2) From the need to make a Decision >> Analyze the existing Options, weighing Risks and Gains >> Select an Option >> Monitor the risks taken to review the decision.

Marco suggests:

If you answered 1, you are being consistent with the main standards (ISO 31000 and COSO) on Risk Management and you are concerned about structuring of the system.

If you answered 2, you are thinking strategically and considering risk management (in lower case) as something natural that does not need to be very structured.

If you answered that 1 and 2 are important and simultaneous, your opinion agrees with mine, that is, people might drive you to a shrink.

ISO 31000 and COSO present the Risk Management process as a linear sequence, with no feedback loops, whose mission is to mitigate risk, one-on-one. Lenders, regulators and customers are demanding Risk Management in capitals, in compliance with these standards, as a basic matter of improving trust in companies.

While his questions are challenging, I prefer option 3:

3a) When setting objectives, goals, and strategies, consider the things that might happen (both positive, opportunities, and negative, risks) and set achievable (if a bit of a stretch) objectives that will achieve the purpose of the organization over time.

3b) For each objective, identify what might happen that could have a significant effect on achieving it, both risks and opportunities >> Assess the likelihood of achieving each objective >> If that is not acceptable, consider the options, which can include modifying one or more risks (changing their range(s) of effects and likelihoods, taking more, or taking less), modifying opportunities, or both >> Select an option >> Execute >> Monitor performance and changes to either risks or opportunities, and continuously assess the likelihood of achieving objectives >> Adjust as needed, including changing objectives where appropriate!

3c) Identify the need for a decision, which can be a problem or an opportunity, or something different >> Understand the current situation and whether action is needed >> Understand the things that might happen (good and bad) >> Understand and assess the Options >> Make the right Business Decision to achieve objectives >> Execute >> Monitor >> Adjust as necessary.

3d) For those sources of risk that are of special concern (for any reason, such as those that can have a major impact on multiple objectives or those that are getting board or regulator attention), continuously monitor and assess, taking action as needed. These are risks that are of such individual significance that they merit special attention by top management and perhaps the board. (It is not a top-ten list!)

IMHO, all four are needed! (Alexei, is this RM2+ or 3?)

By the way, I disagree with Marco on a few of his statements:

  • The ISO 31000 standard may read as if it addresses one risk at a time, out of context with potential gains (opportunities), but that is not its intent. It also has a requirement for monitoring, which requires a feedback loop.
  • Decisions are not the same as controls. Controls exist to provide reasonable assurance that people and systems will perform as desired – which can be to achieve gains as well as limit losses.
  • Decisions can be made to limit or reduce losses, not just realize gains.

But these are quibbles that should not diminish the work Marco has done.

Where do you stand?

  1. Anonymous
    July 5, 2022 at 8:20 AM

    I’d like more understanding about the “monitoring” and “feedback loops”. These terms are vague and can mean a lot of different things to different people, but they seem like very key aspects.

    • Norman Marks
      July 5, 2022 at 8:31 AM

      It’s checking to see that assumptions made about the future hold true, and adjusting where things change.

      • Anonymous
        July 5, 2022 at 8:40 AM

        Still need more practical guidance about this. The checking to see, monitoring, feedback loop, etc. What does this look like? Is it a Risk Committee the risk takers come to speak at? Would it take place over email where the Risk Manager requests this information? Or perhaps informal phone calls? I’m just curious because I see these terms literally all the time (monitoring, checking, etc.) but unless I’m auditing (which I’m not) I struggle with how to implement these types of things.

        • Norman Marks
          July 5, 2022 at 8:46 AM

          Thanks for the question. The objective is to know if and when you need to modify your decision. How you do that depends on the decision and what you are monitoring. It can be done with software (monitoring KRI) or people. Too much detail to explain in one blog post!

          • Anonymous
            July 6, 2022 at 12:05 AM

            Hi Norman,

            Quoting: “>> Monitor performance and changes to either risks or opportunities, and continuously assess the likelihood of achieving objectives >> Adjust as needed, including changing objectives were appropriate!”

            following on the previous comment, how would you actually do this? Would it be through some kind of risk registers or KPI/KQI/KRIs?

            Thank you for the great post.

            • Norman Marks
              July 6, 2022 at 6:37 AM

              As I said, it all depends on the objective and the source of risk. For example, if the source of risk is a change in the price of a commodity, that can be monitored by people. If it's a change in government regulation, that can be monitored by people (perhaps an outside service). If it's a change in the level of customer returns, that can be monitored with software.

  2. July 5, 2022 at 1:12 PM

    Norman, thank you so much for the commendation and the kind words; they mean a lot to me. Sometimes it is hard to spare time for writing, since consulting is what brings the bread to the table… Your encouragement keeps me going, putting my ideas on paper.

    I agree with your comments. The most important decisions in any organization are derived from strategy, and all the others are a consequence of choices made based on past and present strategic assumptions.

    I see what you describe as the 3rd option as “Risk Management 3.0”, a top-down methodology and a logical way to run an organization. Somehow, this seems like a major challenge for everybody, and I know very few organizations (in Brazil) that are close to that way of running a business (banks, basically).

    You are right, I was a little bit too harsh on ISO 31000; I confounded the intention with the “average” interpretation.

    I also agree that a control can be used to increase gains and decisions can be made specifically to protect value and reduce losses. My text reduced too much the range of possibilities that exist in the real world.

    • Norman Marks
      July 5, 2022 at 1:18 PM

      Marco, thanks for your post and your comments. I truly believe this is something that any organization, even a family, can do. Try it!

  3. John Fraser
    July 5, 2022 at 4:46 PM

    It depends on whether you are considering a strategy or situation that could have both an upside or a downside (option 2), or whether you are trying to achieve a specific agreed objective, e.g. an IT project or construction where there is a defined scope, term and cost (option 1).

  4. July 7, 2022 at 7:27 AM

    I agree with all 4 (3a-d) points and like both your summary and Marco’s original post. In my mind, all 4 points are RM2. I tried to summarise it in the article here: https://riskacademy.blog/risk-management-2-is-both-a-control-and-decision-making-tool/
