
Red flags of ineffective risk management

I congratulate José David Pino for his brave attempt to call attention to ineffective risk management in his article for the IIA’s magazine, On the Frontlines: How Mature is Your Risk Management?

He correctly reports something I earlier shared in a blog post:

In the 2023 report, The State of Risk Oversight: An Overview of Enterprise Practices, published by the American Institute of Certified Public Accountants and NC State, only 29% of risk leaders surveyed say their organization’s risk management oversight processes are mature, while 35% describe them as evolving, 21% say they are in the development stage, and 15% indicate they are very immature.

It’s important to note that these answers came from more than 400 organizations, including large organizations (with revenues greater than $1 billion), publicly traded companies, financial services entities, and not-for-profit organizations.

Further analysis reveals that 17% of the respondents say they have no structured risk management processes for identifying and reporting top risk exposures to the board. An additional 18% of respondents indicate that they mostly track risks by individual silos of risks, with “minimal reporting of top risk exposures to the board.” Additionally, 25% responded that they mostly have informal and unstructured risk management processes, with “ad hoc reporting of aggregate risk exposures to the board.”

He lists several of what he considers “red flags that may arise in situations with poor risk management practices or where ERM initiatives are not as effective as planned”.

  • Poor involvement of the organization’s tone at the top in ERM initiatives.
  • Risk culture not reflected in the way an organization is doing its business.
  • Risk incidents occurring continuously, and the root cause is not identified.
  • Risk management not integrated in strategic planning.
  • Reactive rather than proactive approach.
  • Key personnel unaware of the extent of risks, given significant changes in the size or operations of the organization.
  • Absence of internal control structures and personnel ownership of risk and control responsibilities.

I believe there are more red flags. These are more important and often easier to see:

  • When you ask leaders about risk management, they don’t know what to say. Perhaps they talk about managing or mitigating risks, but without any confidence because it’s not something that means a great deal to them.
  • Risk management is not seen as helping them run the organization for success. They do it because they have to rather than because they want to.
  • Only downside effects of what might happen are considered in risk management.
  • Management believes compiling a list of risks is sufficient, even if they are reviewed frequently.
  • Risks are managed in silos using different assessment tools, measures, and language.
  • They manage risks instead of managing the achievement of objectives.
  • Risks are assessed based on the likelihood of a single potential effect instead of a range of effects.
  • Risks are assessed based on their potential financial impact, i.e., quantified using dollars or similar, rather than on the effect on objectives.
  • Some risks are assessed based on their effect on information assets, rather than business objectives.
  • Risks are evaluated and decisions made on addressing them one at a time, instead of looking at all sources of risk (the big picture) together.
  • The board has separate committees for risk and strategy. The risk committee only talks about downside risks.
  • Risk is not considered in setting objectives, goals, or strategies.
  • Risk is not included in performance reporting.
  • Everybody gets the same risk reports.
  • …and yes, there are a lot of surprises (a.k.a. risk events) that indicate a lack of thought about what might happen, not using the information available, or poor decision-making processes.

What other red flags are there?

Do you like my list?

I welcome your comments.

  1. Anonymous
    April 6, 2024 at 7:16 AM

    Comprehensive list; it covers all the key flags. I like the point on linking it to performance measurement; I forgot about that, and have not seen it a lot in practice. What I first look for is whether risk is integrated into decision making and how well the response to risk events is handled: is it planned, or is it ad hoc, putting out fires as a surprise? What is poorly understood is that risk events are happening daily, impacting the organization; some of the large external risks can be out of your control and will impact an organization's performance or profitability. The better your risk management systems, the lesser the impacts, but it could be categorized by some as a failure in risk management because short-term objectives were not met as a result of risk events, when it is actually a success, as impacts were managed. I would like to see more written on the successes of risk management; maybe it will help bring greater focus on its importance.

  2. Anonymous
    April 8, 2024 at 12:22 AM

    When I read statistics such as these from the AICPA, I find myself asking a rather different question: whether the risk profession has an empirically sound understanding of how risk management actually adds value. It seems that many senior managers are not persuaded of the profession's vision of what maturity looks like. If they are not persuaded, they are probably right. After all, as your column has often pointed out, risk registers and risk appetite can be oversold.
