
A Wake-Up Call for Risk Managers

Nick Sanna, the CEO of RiskLens, a software company specializing in cyber risk management, recently issued a wake-up call for risk managers in a presentation at a Professional Risk Managers’ International Association (PRMIA) conference. It was covered in an article by Jeff Copeland: How to Integrate Cyber Risk Management with ERM.

He “encouraged risk managers to rise up against the status quo of cyber risk management”.

“Let’s be honest and talk about the state of most risk management programs,” Nick said. “The state is not great.” Among the problems:

    • Reliance on qualitative, red/yellow/green risk ratings based on no formal risk measurement model.
    • Risk registers that are a “dumping ground” of issues and concerns, with “most of the entries not really risks.”
    • Inability to communicate to the rest of the organization in terms the business understands – not just “trust me.”

I agree. (NIST advocates should note his point about risk registers, which are where NIST suggests cyber risks should be listed.)

But I don’t agree with his next comment:

“Risk models matter,” Nick said. They should generate analysis in a consistent, quantifiable format that enables business decision-makers to prioritize among risks based on loss exposure and justify investments in mitigations to reduce risk.

I keep saying: it’s not about mitigating or managing risk. It’s about knowing which risks to take, and that can include taking more risk.

Every dollar spent on mitigating a source of risk is a dollar that can’t be spent on upgrading your product or service, bringing it to market, delivering it to customers, upgrading systems to cut costs, and so on.

Risk management should be about helping decision-makers run the business for success, informing decisions and optimizing performance.

Michael Rasmussen ‘gets it’. I congratulate him on the risk maturity model he has shared on his web site, Five Stages of Risk and Resilience Maturity.

In his description of the highest level of maturity in his model, Agile, he says:

  • At the Agile Maturity stage, the organization has completely moved to an integrated approach to risk and resilience management across the business that includes an understanding of risk and compliance in context of performance and objectives.
  • Agility is the ability of an organization to move quickly and easily; the ability to think and understand quickly. Good risk and resilience management is going to clearly understand the objectives of the organization, its performance goals, and strategy, and continuously monitor the environment for 360° situational awareness to be agile. To see both opportunities as well as threats so the organization can think and understand quickly and be prepared to move to navigate to seize opportunities while avoiding threats/exposures to the organization and its objectives.
  • But that is not enough. We need agile organizations to avoid and prevent events, but we also need agility to seize on opportunities and reliably achieve (or exceed) objectives. Agility is not just avoidance of hazards, threats, harms. Agility is also the ability to understand the environment and engage to advance the organization and its goals. Organizations need to be agile and resilient. Risk and resilience management needs to be an integrated part of performance, objective, and strategy management to achieve this capability to enable situational awareness for this organization so it can seize on opportunity as well as avoid exposures and threats.

In Risk Management for Success (my most recent book on risk management), I included a more complete maturity model that includes, for example, how risk is integrated into the setting of objectives and strategies. But Michael’s model is first class and I recommend it to you.

However, I join Nick in a wake-up call for risk managers.

PLEASE:

  • Focus on helping people at all levels make the informed and intelligent decisions necessary for success, taking the right level of the right risks.
  • Recognize that risk registers (or profiles) and heat maps do not consider the effect of risk on objectives. They lead to managing the list of risks instead of the business.
  • Recognize that there is always a range of potential effects (not a single point), each with its own likelihood.
  • Get everybody to assess risk the same way! While sometimes expressing the risk in financial terms may suffice, remember we are talking about the effect on objectives (see both ISO and COSO definitions). I prefer talking about how all the risks and opportunities combine to affect the likelihood of achieving objectives.
  • Make sure opportunities are assessed the same way as risks!
  • Help the business succeed instead of being the department of “No, we can’t do that because of the risk”.

I welcome your thoughts.

  1. Anonymous
    July 1, 2022 at 2:27 PM

    What size company?

    • Norman Marks
      July 1, 2022 at 3:44 PM

      Any

      • Anonymous
        July 1, 2022 at 3:45 PM

        Useless, this for global 1000. Get real, man

        • Norman Marks
          July 1, 2022 at 3:46 PM

          Nonsense
