
Good practice guidelines for the Enterprise Risk Management function

October 17, 2022

I like this review of the guidelines published a couple of years ago by internal auditors in the Nordics.

Guest blogger Marinus de Pooter highlights some good points and areas of weakness.

====================================================================

A steering group drawn from the Institutes of Internal Auditors for the Nordic and Baltic countries issued the ‘Good practice guidelines for the Enterprise Risk Management function’ in 2020. The target group is organizations that would like to establish an ERM function or develop their existing risk management function further.

The aim of the document is to set a common benchmark and to support the Internal Audit function in evaluating the effectiveness of risk management processes. When reading the Guidelines I asked myself this question: to what extent do they help a business manager to run his or her organization (or organizational unit) better?

What I like is that the authors talk about the management of positive and negative uncertainty [p. 1]. Contrary to many approaches, according to them risk management is not only about mitigating events with undesirable consequences.

I agree that the emphasis should be on assisting decision-makers with dealing with meaningful uncertainty. Risk management’s field of expertise is in evaluating and communicating the uncertain elements so that there is a fully informed basis for taking a decision. [p. 9]

The focus on value for the stakeholders is promising, too. Through the identification and proactive evaluation of threats and opportunities an organisation can protect as well as create value for its stakeholders. [p. 18] However, the reader gets the impression that ‘value’ mainly refers to money rather than to the many other things in life that stakeholders attach value to, such as safety, environmental protection, social contribution, beauty, customer friendliness and so on.

The authors take it as undisputed that risk management is indispensable. The same goes for an independent ERM function: To ensure the operation and implementation of sound risk management in a holistic fashion it has been found necessary to have a person or function dedicated to this activity. [Executive Summary]

The Guidelines state: The organisation should appoint one person with the overall responsibility for the Enterprise Risk Management function. [p. 14] Why do organisations need such a function to start with? Many family-owned businesses, for example, are pretty successful without having a risk management function. Apparently they are capable of benefiting from their opportunities and facing their threats.

The Guidelines are mainly about how to run an ERM function. Appendix 1 contains a 17-point plan for the establishment of a risk management function. It lists the typical paraphernalia such as: separate policy, risk appetite statements, implementation plan, job descriptions, risk owners, IT application, risk reports et cetera. Conventional risk management thrives in a compliance-driven context. If not mandated by regulators, would entrepreneurs, directors and managers still create all these risk management phenomena?

The focus of the Guidelines is on dealing with risk. It is not primarily focused on helping management to increase the likelihood of their success through the reconciliation of strategic and operational dilemmas. It states: Executive Management regularly reviews reports showing the development of significant risks as well as the status of actions taken to treat the risks. [p. 18] As a business manager I would rather receive reports expressing the estimated likelihoods of my team underachieving, meeting and overachieving our key performance indicators in the coming period.

The Guidelines state: The objective of ERM is to ensure the correct amount of risk exposure. [p. 2] However, there is no unit of measure to determine the ‘amount of risk’. If you try to express it in financial terms you will soon find out that what you value the most in life cannot be monetized.

ISO 31000 defines ‘risk’ as the ‘effect of uncertainty on objectives’; ‘effect’ being ‘deviation from the expected’. The Guidelines do not address the essential notion that it is all about managing the expectations of your core stakeholders. As a decision-maker you should focus on creating and protecting value for them. Life is not primarily about identifying, assessing, treating and monitoring risks. The future-proofness of your organisation is dependent on whether your core stakeholders remain satisfied with your performance.

Different stakeholders have diverging interests, needs and expectations. Hence, as a decision-maker you always have to reconcile dilemmas. The Guidelines do not address balancing the pros and cons when analysing your options and making your decisions.

According to the Guidelines: Executives should ensure that the risk management process is fully integrated across all levels of the organization and is strongly aligned with objectives, strategy and culture. [p. 3] The typical ERM pitfall is first creating a separate risk management system and then trying to squeeze all these concepts and tools into your regular business management. I don’t know any success story of this myself.

Maintaining risk lists mainly serves compliance purposes. Risk registers aren’t consulted when people have to make important decisions. Approaches for dealing with the uncertain future should start from the perspective of the decision-makers and help them to face their challenges. How can they best be supported to make balanced choices?

The Guidelines promise that ERM becomes a tool for the balanced prioritisation of resource utilization. [p. 4] Do you need separate risk management for the allocation of your scarce resources in order to be able to deliver products and services that meet requirements and expectations? Looking ahead and asking questions like ‘what if?’ and ‘what can happen?’ are part and parcel of plain (capacity) management.

The ‘three lines of defence’ model is embraced. [p. 11] The Guidelines address the common issue of delineating the responsibilities of ERM versus other support functions such as Compliance and Internal Audit. [p. 1] The document also talks about applying a holistic perspective and about avoiding ‘silo thinking’. [p. 3] The reality is that the ‘three lines’ model causes lots of fuss about who is part of which line, and particularly about what these colleagues are supposed to do and to refrain from doing.

Does the 2nd line consist of all business-enabling functions, or only of those that control and monitor risks (risk oversight)? Are the support functions primarily advisors, policy makers and challengers? Or are they internal inspectors, too? Do they even have a right of veto? These questions warrant a separate discussion.

The regulators in the Financial Services industry require an independent (sheriff-type) Risk Management function aimed at keeping their colleagues in commercial functions in check: an inspectorate rather than a decision support function. This background presumably has led to the guideline that it is a prerequisite that the function does not perform or have responsibility for operations or make decisions which affect the business operations. [p. 14] Instead of creating another Compliance- or Internal Audit-type function, I would rather emphasize the benefits of the role of the ‘critical friend’ for decision-makers.

The Guidelines state that employees in the ERM function shall respect and contribute to the organisation’s legitimacy and ethical objectives. [p. 15] However, the ethical dimension in decision-making is not emphasized in the document. Take for example dilemmas associated with the cost implications of employee safety, environmental protection and animal welfare. In addition, the document does not underscore the importance of biases. The same goes for our serious limitations to comprehend the complexity of the future caused by too many actors and factors.

The Guidelines use a non-standard meaning for risk tolerance. They state that it is more of a given based on the organisation’s financial robustness, the enforcement by authorities, or other external factors determining the impact when a risk materialises. They refer to it as the level of risk an organisation is able to absorb without significantly impacting the achievement of its strategic objectives. [p. 31] The latter resembles COSO ERM’s definition of risk capacity: The maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.

The risk profile is featured in the document, too. The conventional risk diagram is presented stating: The green area defines the desired performance and given risk appetite. [p. 32] It has already been discussed in detail elsewhere that the ‘heatmap’ is a misleading tool.

The document mentions a couple of creative additions to the ever expanding risk vocabulary such as risk gaps, risk picture and risk landscape. My recommendation is to try to avoid risk jargon at all costs. The more words you use starting with ‘risk’ the more people are inclined to think that it is all about something different than ordinary management.

Appendix 1 contains an impressive list of 26 reasons for failure in the establishment of ERM. [p. 22-25] It recommends curative actions for each of these items. However, in my view the solution is not to try to fix ERM. Considered closely, it is not about managing risk, but about managing expectations.

  • Risks (opportunities and threats) are not an end in themselves; they help arrive at appropriate (hard and soft) controls.
  • Controls are also not an end in themselves; they help create more robust business processes.
  • Processes are not an end in themselves; they help achieve objectives in a structured way.
  • Objectives are not an end in themselves; they help clarify which value you need to create and protect for your core stakeholders in order to keep them satisfied.

Regardless of the sector in which your organization operates, the lasting satisfaction of your core stakeholders is the pre-eminent condition for your future-proofness.

Is it worth following the Guidelines presented in the document? I welcome your thoughts.

Marinus de Pooter is owner of MdP | Management, Consulting and Training. Previously he worked as Director of Finance with Ernst & Young Global Client Consulting, as European Director Internal Audit with Office Depot and as ERM Solution Leader with EY Advisory.

  1. Ammar Ahmed
    October 17, 2022 at 12:52 PM

    Hi Norman, thanks for a brilliant piece, as usual. Could you please help me understand how RM can be delegated to all personnel of the entity, as you always suggest, with a short real-life example? Moreover, if RM is delegated to officers who will apply it at the time of their daily and strategic decisions, why would they require a separate RM function? Lastly, do you think that, if fully equipped with RM skills, a COO or MD/CEO would be a more effective RM leader?

  2. Norman Marks
    October 17, 2022 at 12:56 PM

    Ammar, everybody needs to understand how to make quality decisions, which includes understanding what might happen. Look at it that way instead of delegating RM.

  3. Anonymous
    October 18, 2022 at 6:28 AM

    Hi Norman, not related to your post, do you have eBooks, please email me would like to purchase your books.

    • Norman Marks
      October 18, 2022 at 6:46 AM

      My books are available, both in paperback and e-reader formats, on Amazon. If you need more information, please email me at nmarks2@yahoo.com.

  5. John Fraser
    October 20, 2022 at 8:49 AM

    I thought this was an excellent document. Comprehensive and well researched. One of the better ones that I have seen. I may have missed it but did it speak to having external independent evaluations done of ERM periodically?
