What do international standards, several best practices and a multitude of frameworks on risk management have in common? Certainly, their aim and objectives. But a little less obvious is their approach. They intend for us to be systematic, disciplined, meticulous, orderly, comprehensive, end-to-end and holistic in our approach to getting the desired results. But do we really understand what this means?
Was it feared that the randomness of our intellectual ability would undermine any risk management approach, so that the requirements for being systematic and detail-oriented had to be spelt out? That could have been so, had the standards, best practices and frameworks not been intellectual property to begin with!
Or was it the intellectual prowess of a few individuals involved in developing the standards, best practices and frameworks, intended to be a guiding light for the profession so that others practising it would not have to think deeply and could just apply them?
Certainly, one would argue that it is the conduct of the process that is the subject of the efforts we see in these standards, best practices and frameworks, and that the conduct of the process needed to be guided to accomplish the desired objectives of risk management.
Let’s first be clear about the objectives of risk management. It’s not managing the risk, because that is only the means to an end. The end is the fulfilment of the entity’s objectives, and even the identification and adoption of new objectives (which become known as upside risks) while managing the risks.
So, what is more significant, the objectives or the conduct? Certainly, both means and end matter, and sometimes the means might matter more, simply because through them we can be sure about the fulfilment of the objectives, or more so when it is the means that define the objectives.
But would the means still matter if the entity ends up losing its objectives? If a well-thought-out and equally well-laid-out risk management process fails to accomplish the objectives, would the approach of the process still be important? Well, yes it will be, if only for the purpose of evaluating what went wrong, and most likely this evaluation will end in stretching the already detailed process a bit further!
Thus, is the conduct of the risk management process such a significant issue that it requires a multiverse of approaches, such that one could easily get bogged down in these rather than in the objectives the process aims to accomplish?
It is and it is not! Let’s then come to terms with the conundrum.
It is significant,
- to the extent of being detailed enough to provide assurance that all activities underlying the process have been undertaken.
- to the extent of being complete, such that all relevant risks emanating at all processes and hierarchical levels have been covered.
- to the extent of being accurate, so that all assessments of significance and insignificance have been correctly assigned.
- to the extent of being objective, so that the process can be easily traced to a formally adopted methodology.
- to the extent of being robust, to enable the entity to absorb shocks that remain within its risk capacity and tolerance should a risk materialize.
It is not significant,
- when it is so detailed that it requires the inclusion of even those activities that do not contribute to the process being examined.
- when it documents even those risks that are not relevant to the process, or records as separate risks what are in fact failures of controls for already documented risks.
- when it quantifies even risks that are qualitative in nature, and when assessments are strictly mapped to pre-defined heat maps without incorporating a margin of change.
- when it emphasizes only the mathematically determined and does not also regularly review and tweak the underlying assumptions, estimations and judgements.
- when only the process is emphasized, without correlating it with its objectives.
- when the risk capacity and tolerance thresholds remain static.
- when only downside risks / negative risks are considered.
So how do we go about having a risk management process for the entity that is as pivotal as the objectives it aims to achieve? By reviewing whether the process is working as designed and as desired!
How do we do that? Have faith in internal auditors. The work that they can do in this regard will, without being exhaustive, include the following:
- Testing the process by allowing risks to materialize and checking if the controls execute to mitigate their effects.
- Evaluating if the entity’s targets and objectives are being consistently achieved.
- Checking if the process adjusts or is timely adjusted for changes in the objectives and the entity’s operating environment.
- Assessing whether the process is entirely pre-defined and automated or whether it also allows intervention by human intellect and foresight.
- Determining if the process is regularly self-assessed by custodians by going back to its base sketch and retesting the continued validity of core inputs and variables.
- Identifying if the process leads to identification of previously unknown objectives and growth avenues.
Put simply, the risk needs to be managed and not just seen to be managed. The risk management process should not be designed in a manner that highlights the process rather than what the process accomplishes. More importantly, it should not be laid out in a way that gives the illusion of risk being managed when it is not actually being managed.
And what constitutes the actual management of risk?
For starters, it is about staying afloat: the entity’s sustainability in times of a turbulent operating environment. Growth follows sustainability, and it is surely Governance, Risk Management and Controls that lead to growth after securing sustainability, with internal audit championing the cause!
Remember, the risk management process ought not always be about the bigger picture; it is mostly about the one clear picture! Let’s not lose sight of the objectives by being consumed by the process.