Norman Marks on Governance, Risk Management, and Internal Audit

The world in which we live is turbulent, with so much happening all the time.

That applies to our business as well as our personal lives.

Naturally, we try to simplify the complex. Hard to survive otherwise!

Our brains are (at least for most of us) unable to fully grasp everything that is happening, so when we make decisions we often set aside some things and focus more on others. Maybe we then cross our fingers and hope those things we set aside don’t come back to hurt us.

Understanding risk, with all the interconnectivity and complexity it demands, so that you can make an intelligent and informed decision, is not easy.

Risk practitioners can help us see the big picture, all the things that might happen with a significant effect, both positive and negative.

But even risk practitioners simplify – whether deliberately or not. They may:

• Forget that there is a range of potential effects of both a risk and an opportunity, each with its own likelihood. Instead, they represent the level of risk as a point.
• Assess risks singly, ignoring the fact that multiple things can and do happen.
• Think it’s about minimizing risk instead of taking the right level of the right risks.
• Leave the assessment of upsides to others (undefined and often non-existent).
• Ignore the fact that some risks can happen multiple times each year, not just once, and with different effects.
• Ignore the risk that risk data and/or assessments may be incorrect.
• Fail to understand and take bias into account.
• Provide one report to management, even though different decision-makers require different data.
• Ignore the fact that risks and their levels change frequently, yet they assess them monthly or less frequently.
• Only consider a tiny percentage of all the risks that might have a significant effect on objectives. This is because management says they only want to review the top ten or twenty risks, or because they simply don’t have the bandwidth to do more.
• Don’t consider whether information needed to assess and respond to new risks will be sufficiently timely (the “risk clockspeed” issue, as explained by Keith Smith).
• Don’t give sufficient consideration to issues like the duration of any effects of an incident, or how extensive reputation damage may be.

A recent publication by software vendor Origami Risk, 2022 Mid-Year State of Risk Report, talked about both risk complexity and risk velocity. (Risk velocity is the speed of onset of a risk event, and risk clockspeed is the time that it will take to get the information you need.)

So, risk is complicated. But the human brain doesn’t always work well with complexity.

We don’t want to overcomplicate things, because:

• The extra analysis takes time, and sometimes the information is needed at speed.
• It may actually make the information harder to digest and apply to the situation, for example if an aggregation of multiple risks comes up with a single number or assessment.
• Sometimes, simpler information is enough.

You also don’t want to oversimplify things, because:

• You might miss some important information.
• The information might be misunderstood.
• People can get into the habit of seeking easy answers to complex situations.

Where is the balance?

I suggest that we always ask whether the decision-makers have sufficient and reliable information to make a quality and timely decision, given time, cost, and other constraints.

I also suggest that practitioners don’t fall in love with their own tools and black magic, making a simple situation complex.

I welcome your thoughts.