Decision-based Risk Management
WARNING: This is likely to be a controversial post!
I have been talking (OK, preaching) about the need to manage the likelihood of achieving objectives (i.e., success) rather than limiting yourself and the organization by managing or mitigating risks. You need to take risks if you ever want to achieve objectives; the key is taking the right level of the right risks. I especially dislike managing individual risks, or a silo of risks, absent the context of what we are trying to achieve as an organization.
To repeat: we need to take the right level of the right risks for success.
That’s a top-down approach to risk management.
But there is another dimension to risk management.
Both ISO 31000 and COSO ERM talk about the need for intelligent decision-making, where leaders understand:
- Where they stand
- Whether that is a problem
- What might happen going forward, both risks and opportunities
- The best path to follow, balancing or weighing risks and potential reward
I recently did a video presentation on this topic that will be shown as part of the RAW 2022 conference in a couple of months.
The idea is that if risk practitioners want to help people make informed and intelligent decisions, they must:
- Understand what decisions (especially crucial decisions for success) are to be made, both strategic and tactical
- Make it easy for decision-makers to find and then use the information they need about what might happen
- Help them have all the important information they need for their decision, not just threat assessments or information from a silo perspective (like cyber, supply-chain, compliance, etc.)
- Help them see the big picture and weigh the pros and cons of each option
Decision-makers won’t find the actionable information they need if all they have is the same huge list of risks everybody has. They need something designed to help them make the smart decisions they need to make at the speed of the business; something tailored to them and their needs.
The information must be:
- Relevant
- Reliable
- Complete
- Current
- Timely
- Easy to find and use
Those risk functions that have changed the name to “decision support” or similar are going to be ahead of the game in this respect.
But practitioners have to satisfy the need for both dimensions: decision-based and top-down (also known as success management or objective-centric risk management – see the work of Tim Leech).
Some might add a third dimension: bottom-up.
This is where somebody identifies a risk (or opportunity) by reading a paper, hearing from a board member of a concern, or as the result of a silo risk management function’s work.
In order to properly assess the bottom-up risk, it needs to be added to the big picture. Given all other sources of risk, how would it, affect the achievement of enterprise objectives?
For example, a board member reads an article that talks about risks to the supply chain if you are importing goods from Taiwan. (A purely hypothetical situation.) In order to assess the risk, you need to know what you might be importing from Taiwan and how any disruption might affect your revenue or other aspect of the business. It has to be put into context and considered alongside other related sources of risk.
You add it to the top-down dimension to see a revised big picture.
In my books, I mentioned the concept of a tipping point[1]. While from a siloed perspective (in this case, supply-chain risk management) the risk may seem low and acceptable, when added to the big picture it may take the whole past the tipping point. While it was previously seen as acceptable, adding one more source of risk makes it unacceptable.
But there’s another dimension. That supply-chain risk might also potentially affect decisions, so it should be added to those pictures as well.
Yes, risk criteria (my preferred language, from ISO 31000) may exist and be used to evaluate risk. That’s OK if the criteria or risk limits are derived based on the achievement of objectives and updated as conditions change. But its not OK if they are based on risks to the silo instead of to the whole business and its success.
One word of caution.
Risk practitioners don’t have to provide all the information themselves. It’s perfectly fine, even desirable, if management is able to find and use the information they need to achieve success through informed and intelligent decision-making by themselves.
The risk practitioner, in my opinion, should be an enabler and an aide. If management doesn’t need your help, step aside – your job is done, at least for now.
But often, the information needs to be gathered from sources across the extended enterprise. It needs to be brought together to see the big picture. That can be hard when different methods are used (such as when the CISO insists on reporting risk to information assets in his silo rather than to the business objectives).
The risk officer can be the linguist and translator, the big picture painter. (They should fight for risk assessments that are apples to apples, even from diverse sources.)
Sometimes, the information may appear to be in conflict, requiring facilitation by the risk practitioner. Bring people together to resolve these conflicts, and help everybody involved.
The risk practitioner should collaborate with performance management and the finance team for management and board reporting, so they can see the big picture likelihood of achieving objectives.
In other words, there remains a role for the risk officer, but the primary role is to help management see the big pictures and make informed and intelligent decisions on the path to success.
The risk team needs to talk to and (especially) listen to leaders and decision-makers.
- Understand their needs (and that may mean changing their perception of what they need if they are not managing the likelihood of success, or are satisfied with making decisions based on the rumbling of their gut)
- Make sure their needs are met
- Stay alert to changes in those needs
- Help them (individually and together) be successful
What do you think?
[1] Made famous by Malcom Gladwell in The Tipping Point, How Little Things Can Make A Big Difference (2006)
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Norman:
Great post. Lots of great insights. Focusing on likelihood of achieving top value creation and preservation objectives with a level of risk acceptable to the CEO and board should be the end game.
I particularly like the attributes the information produced should have to be relevant/valuable for decision making.
Tim
Tim Leech FCPA CIA CRMA, Managing Director
Risk Oversight Solutions Inc.
416-720-0392 | timleech@riskoversightsolutions.com timleech@riskoversightsolutions.com
http://www.riskoversightsolutions.comhttp://www.riskoversightsolutions.com/
Twitterhttps://twitter.com/riskoversight | LinkedInhttps://www.linkedin.com/in/tim-leech-01950013/
[A picture containing drawing Description automatically generated]https://www.riskoversightsolutions.com/
This text is to addressed to boards and top management, and only after to risk practitioners)
Why do you say that? Risk practitioners earn their keep by satisfying the needs of boards and top management.
I just read and only thoroughly enjoyed, with a sense of state of art rather provocation with something controversial.
Hi Norman. As so often before, I fully agree although I do believe you mean RAW 2022.
Thanks, Hans – corrected
Like some, I fail to see anything controversial about your comments. Your four points at the end will be answered as the risk practitioner conducts the initial and annual top-down review of the program.
Great insights here, Norman. Doing ERM at a relatively small shop (<500 employees) that is heavily outsourced, I often find myself towing the line between the top-down and bottom-up approaches. I spend a lot of time working on bottom-up type risks, which helps build my confidence in our top-down approaches. In fact, you might say I've made a career out of doing that. I believe being a trusted advisor to both is the sweet spot in many small to medium-sized businesses.