
Improving risk management standards and guidance

I was pleased to receive a request from Peter Blokland, PhD. to share my views on how the global risk management standard, ISO 31000:2018, should be improved.

It’s a standard that I prefer to COSO’s 2017 Enterprise Risk Management Framework (although I prefer the principles in the ISO 31000:2009[1] version[2]).

I think the best way to start is to consider why we need a standard at all. (COSO may call their guidance a framework, but since people talk about complying with it, it is essentially a standard.)

My view is that a standard should establish the criteria for determining whether a minimum level of effectiveness has been achieved.

A risk management standard should help people understand what effective risk management is, and how it has value to an organization.

It can also provide a common language for management (including the board) and practitioners (of all stripes) to use.

That language starts with definitions of risk and risk management.

The ISO definition of risk is “the effect of uncertainty on objectives”.

I think this needs to be reconsidered, because:

  1. There is generally a range (or distribution) of potential effects on the achievement of enterprise objectives, each with its separate likelihood.
  2. A single source of risk may have a different level of effect on different objectives. They may even be in different directions! For example, the failure to complete an acquisition may hurt revenue but help cash flow and the ability to invest in product development or in compliance software.
  3. It is not a lack of certainty or a lack of knowledge that affects the achievement of objectives. It’s the events and situations (sources of risk) that can have an effect on their achievement. I much prefer to talk about “what might happen” and its potential range of effects on objectives. The current wording is misleading.

By the way, I dislike the idea that “an effect is a deviation from the expected”. What does that mean?

It is much simpler and easier to understand the effect on objectives as how it changes the likelihood (and possibly the extent) of achieving them. Simpler and clearer.

ISO 31000 defines risk management as “coordinated activities to direct and control an organization with regard to risk”. “Direct and control” sounds like management, decision-making, and more. I am not convinced that is the intent of the standard, nor that it should be.

I prefer something along the lines of “coordinated activities to provide decision-makers with the information they need about what might happen”.

Isn’t that the goal?

That leads me to the question of how risk management adds value to any organization. 31000 says that “The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives”.

I don’t think so. It doesn’t do anything itself; it helps management make the right decisions to create and protect value.

I prefer to see its value as enabling informed and intelligent decision-making that helps an organization take the right level of the right risks and achieve its objectives.

Maybe that’s a subtle difference, but it’s an important one. It makes very clear why we need risk management.

It helps everybody be (more) successful because they can make decisions based on complete, current, timely, and reliable information.

When it comes to the Principles, I suggest reconsidering the 2018 version and whether the 2009 ones were better. Also consider whether they are sufficient to lead everybody to effective risk management. I am not persuaded. For example, there should be a principle about helping leaders see the big picture, with all the risks relevant to a decision or situation. There should also be one about risk management processes being responsive to change – in the business, in the external context, in how it is run, and in the risks it faces. In addition, I would like to see more about integrating risk and performance reporting, helping leaders understand the likelihood of achieving objectives (as discussed in my books).

What is effective risk management? It is risk management that meets the needs of the organization. Those needs will vary not only from organization to organization, but also over time.

I am not going to get into a detailed review of the Standard, although I suggest that every practitioner becomes familiar with it.

However, some key topics merit considerable attention. They include:

  1. Risks should not be managed individually, one at a time. Decision-makers need to see the “big picture”, all the risks (and rewards) relevant to a decision. This is not clear in the standard (IMHO).
    1. Any one event or situation can create or modify multiple risks, and the effects may materialize at different times.
    2. No organization has limitless resources. There is an opportunity cost to every investment in a source of risk – the inability to invest that resource in another source of risk.
    3. When considering the big picture, understand how to assess the likelihood that multiple effects will happen at the same time from different sources of risk.
    4. There is next to no guidance anywhere on how to gather all the risks and form a big picture. Adding this would be of great value.
    5. It is essential that every risk be assessed using measures that enable them to be compared or aggregated as necessary. Measuring cyber risk based on risk to information assets while credit risk is based on financial impact achieves little when trying to see the big picture and determine where to invest.
  2. As I explain in World-Class Risk Management, there is a risk that risk assessments will be wrong or misused. There are multiple sources of that risk (I refer you to the book for a detailed discussion) that include:
    1. Bias among risk assessors and users.
    2. Incomplete information.
    3. Out-of-date information.
    4. Model errors.
    5. And more.
  3. There are multiple levels of risk management maturity in organizations today. It might be useful to include or suggest a maturity model (such as I have in Risk Management for Success).
  4. How practitioners should communicate effectively with management and the board. Give them what they need to make decisions, lead, and govern the organization. It needs to be actionable. Make it clear that a list of risks is suboptimal at best (whether it is called a risk register or profile, or whether it is shared in a heat map or other visual). Talk in the language of the business and assess risks in a way that is meaningful to the executive rather than the practitioner.

Then there is the question of whether the practitioner should be the sheriff in town, locking up the wayward risk-takers. Or should the practitioner be an enabler, supporting effective decision-making?

Finally, and this may be beyond the scope of the standard, should governance of risk management be separate from that of performance and the achievement of strategy? No. Risk committees can cause more harm than good.

Please share your views on the above and what should be changed in the ISO standard (and in the COSO framework).

[1] I find them simpler, and I like the fact that the 2009 version emphasizes decision-making more.

[2] COSO has gone overboard on principles. There are far too many.

  1. Morgan
    June 12, 2023 at 9:10 AM

    Wow, great post. I will follow this discussion closely.

    At one point you mention “complete, current, timely, and reliable information” for decision-makers, but I believe there’s room for inexactness in your phrasing here too. It will be obvious to anyone that no decision is made with perfect assurance (ensurance); moreover, I think that should be a tenet. Fundamentally we are talking about curiosity, countering bias, and being cautious about the future in an appropriate manner…but ultimately leaving as little as possible (within constraints) to chance.

    The real failure of an organization is to *not* relate risks with strategy and goals (and vice-versa, to set goals/strategy without an understanding of the potential risks to achieving them, which happens all the time of course.)

  2. June 12, 2023 at 11:46 AM

    Norman, you have mentioned the importance of risk management in decision making but not its importance on determining controls. The only reason controls exist is because risks exist and the only reason risks exist is because objectives exist; risks being circumstances which affect the achievement of objectives. I would say that controls and risk management are identical. Risk management in decision making is a control to ensure the impact of decisions on objectives is of maximum benefit.

    • Norman Marks
      June 12, 2023 at 11:55 AM

      David, I believe the correct technical position is that controls are a response to risk. I’m not convinced by that. But I am not persuaded that “controls and risk management are identical” either.

      It’s probably somewhere in between, where the identification and understanding of risks leads to the decision to have controls.

    • Dave
      June 12, 2023 at 9:10 PM

      I think of controls as the measures decision-makers selected to implement in order to mitigate relevant risks in the long-term so that the likelihood of achieving the objectives is at an acceptable level. Whether the controls are effective (in design or operation) in the long-term is determined by the business owners and/or internal audit, but not determined by risk practitioners.

  3. June 12, 2023 at 6:40 PM

    Thanks Norman,

    I regularly read your posts and I think you are making some useful points that should be considered in the revision of ISO 31000, which will commence later this year. TC 262, the ISO committee responsible for 31000, will soon be publishing the results of its recent global survey, which identified some of the issues you raise. Please keep up your commentary on 31000 and other risk topics.
    Jason Brown, Chair of TC262, 2017 to 2023.
