5-WEEK CHALLENGE: integrating risk management into decision making

Let’s get started and make this learning experience fun. I call it the 5-week challenge. It started as a 5-day challenge, but obviously, it was impossible to implement in 5 days or even 10 days, so I renamed it 5-week challenge. Below is a series of challenges that take approximately 1 week each to help you integrate risk management into the decision making of your choice.

Week 1 – Choose the decision

  • review board or executive committee minutes
  • talk to the Board Secretary
  • talk to Internal audit or risk colleagues to identify problem areas
  • review management performance reports

Why do this? If you want to integrate risk management into decision making, you first have to choose a decision type or process where you will integrate into. Which decision is best? Something that you are familiar with, more importantly, something where you have a good relationship with the decision owner, who will let you pilot risk management. Preferably it should something with high visibility and something very material to the business.

Week 2 – Analyze the decision

  • review decision-making process (documented or informal)
  • review performance reports to see the results of decision making
  • speak to the decision makers
  • speak to internal audit
  • speak to the decision stakeholders

Why do this? Once you have selected a decision, you need to find substance. You need to find out how the decisions are supposed to be done, how they were actually done, what were the results. At this stage, you want to collect as much ammunition as possible to use it next week.

Week 3 – Develop the methodology

  • based on the selected decision choose the appropriate technique: decision trees (moderate), Monte-Carlo simulation (complex decisions) or scoring (simple decisions)
  • the tool selection depends on the decision complexity, materiality, availability of data and time frame available risk analysis
  • document the methodology
  • seek feedback and validation from key stakeholders

Why do this? Once you have selected a decision, you need to propose an actual risk management tool/technique to integrate risk management into that decision making. If there is enough data, if the decision is done in excel, then Monte-Carlo simulation is the best choice. Here is a short video on how to integrate MC into strategic planning: https://www.youtube.com/watch?v=__g8B-CxLcc

Week 4 – Pilot test the methodology

  • select 2-3 past decisions and rerun them using the new draft risk analysis methodology. I hope you have selected decision trees or Monte-Carlo simulations or something better
  • recalculate the pilot decisions
  • present the preliminary results to key stakeholders involved in the decisions at the time
  • adjust the methodology if necessary
  • document the methodology

Why do this? Once you have selected a methodology, you have to test it to see if it adds any value to the decision makers, not too time consuming and there is sufficient data to perform calculations.

Week 5 – Roll out the new methodology

  • once you updated the methodology based on the pilots, roll it out
  • get it endorsed by the Risk Committee, looked at by the Audit Committee and approved by the management
  • to roll out a methodology you will need to change existing business process procedures, train key personnel and provide ongoing support and quality control

That’s it! Well done! You’ve just integrated risk management into decision making.

 

Advertisements

3 thoughts on “5-WEEK CHALLENGE: integrating risk management into decision making

  1. Alex, what do you think of this integration in my “internal control improvement process”:

    1) Investigate control problems and vulnerabilities in the process.
    2) Establish the desired objectives or effects of the process (by process owner).
    3) Develop the alternatives of new controls and present scenarios with decision trees (or any other technique that is not risk matrix or risk registers). At this point, decisions needs to be made: act or not to the identified vulnerabilities.
    4) Once the decision is make, test, implement and evaluate the results.
    5) If the expected results are obtained, the processes are updated and the personnel is trained.

    Unfortunately, many internal auditors and internal control professionals present risk analyzes (high, medium, low) to decision makers. That’s what i’m trying to change.

    1. Do you think it’s material and highly uncertain decision to justify integrating risk analysis? You can definitely do it but it will be more like a toy project for yourself rather than company wide initiative. That being said why not, do it, start with yourself

      1. You’re rigth, it’s not justify when doing internal control improvement.

        When we performe risk analysis it’s when we are establishing new internal controls, most of the time in small and medium size companies (10 to 50 workers). What we are trying to do is changing from qualitative risk analysis to quantitative risk analysis. Any advise?

        Thanks for the feedback.

        Some examples of risks to internal control: The risk of inventory theft or the risk of not reporting all the sales (dumb examples)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.