Risk Management Survey Results

November 7, 2022

I want to thank the 102 people who responded to my survey. The results are quite interesting.

First, there is an inherent bias in the responses. These are all people who are reading my posts and are therefore more likely (I believe) than the general population to agree with what I have been advocating.

Having said that, there is still a lot of room for improvement in practices.

=====================================================================================

The 102 identified as:

  • Board members – 4
  • Management – 10
  • Risk practitioner – 33
  • Internal audit – 41
  • Information security – 2
  • Consultant – 6
  • Compliance – 2
  • Other – 4

When it came to assessing the maturity of their organization’s management of risk, the responses were:

  • There is no formal risk management activity. We rely on individuals – 19
  • It’s a compliance activity and doesn’t affect decision-making – 24
  • Risk management is fully integrated with strategic planning – 10
  • Risk management is fully integrated with strategic planning and tactical decision-making – 17
  • Risk management is recognized as helping us make timely, informed, and intelligent decisions – 28
  • Risk management provides us with a competitive advantage – 8

79 said they maintain a list of the more significant risks, updated:

  • Annually – 20
  • Quarterly – 36
  • Monthly – 5
  • Continuously – 18

22 said their program addresses both positive and adverse effects, while 26 said they are limited to adverse.

When it comes to whether each source of risk is quantified:

  • 17 said they quantified a single effect and its likelihood
    • 4 in dollars
    • 13 in terms of the effect on objectives
  • 24 quantify a range of effects and their likelihoods
    • 4 in dollars
    • 20 in terms of the effect on objectives
  • 46 don’t quantify, using a risk register or heat map to communicate
  • 12 don’t have a formal enterprise-wide risk assessment. (Curious that this is less than the 19 who said there is no formal risk management activity. The other 7 must have chosen a different response to this section, one of those above.)
  • 3 responded, “Other”

When it comes to whether risks are aggregated in some way to inform an objective or decision, the answers were:

  • Yes – 36
  • No – 52
  • Maybe – 13
  • Other – 1

=====================================================================================

For 43 of the 102, risk management was either a compliance activity or they relied on individuals rather than a coordinated activity.

That’s not good.

Of the 79 who maintained a list of the more significant risks, 20 only updated annually.

That’s not good.

46 use a list of risks or a heat map.

That’s not good at all.

28 said risk management is recognized as enabling informed and intelligent decisions, which shows progress.

Just 8 said it provided a competitive advantage.

There is some good news:

  • More people recognized that the level of risk is a range and not a point (24 vs 17).
  • 22 said they addressed positive effects, nearly as many as the 26 who said they are limited to adverse effects.
  • 8 said that their risk management activity provides a competitive advantage. Not enough, but something.
  • 18 are updating their risk assessments continuously, and that is progress.

I was curious to see whether the risk and audit practitioners would answer differently. They were very much in line with each other.

I welcome your thoughts.

  1. November 8, 2022 at 3:02 AM

    @Norman, I agree there is a significant risk the responding population is not statistically representative of “businesses” in general. However, this is only an indication that overall business performance on risk management is even worse than what you see here.

    The data, as I read them, also indicate there are steps to take to get from where risk managers (responders) want to be, and what they are enabled/allowed to practice in daily life.

    Based on this, and other observations, I fear that the “journey” to make proper and timely addressing of uncertainties, risks and levers will be a long one – despite the (to me) obvious and immediate need to be able to navigate an increasingly unpredictable future.
