Most risk managers think they are doing a great job. But how can you actually tell? To add to the challenge, despite the guidance provided in ISO 31000:2018, the concept of risk management effectiveness remains a bit vague.
Who can audit or validate your risk management effort to say whether it’s good or not? I mean, there are internal and external auditors, but they often look at all the wrong things and ask useless questions about risk appetite, policies, frameworks, risk owners, mitigation plans and risk profiles. All of this has nothing to do with truly effective risk management.
To learn how to audit/validate risk management effectiveness in non-financial companies in 4 simple steps, register today. I will also talk about the upcoming risk management maturity model, an amazing tool to audit/validate risk management in any company.
Below is a quick sneak preview, in case you can’t make it to the webinar:
I. INTEGRATING RISK INTO DECISION MAKING
One of the most important tests of true risk management effectiveness is the level of risk management integration into decision making. My research shows that companies capable of systematically integrating risk management into planning and budgeting decisions, investment decisions, core operational business processes and key supporting functions achieve long-term sustainable advantage. Just consider the example of a large investment fund, which makes investment decisions only after an independent risk analysis and runs simulations to test the effect of uncertainty on key project assumptions and forecasts. Another example is a large airline, which makes strategic decisions based on several alternatives, with a risk assessment performed for each alternative.
II. STRONG RISK MANAGEMENT CULTURE
Human psychology and the ability of business managers to make decisions in situations of great uncertainty have a huge impact on risk management effectiveness. Nobel laureates, D. Kahneman and A. Tversky, have conducted some exceptional research in the field of risk perception, showing that most people, consciously or subconsciously, choose to be ignorant of risks. A robust risk management culture is therefore fundamental to effective risk management. Take for example a large petrochemical company, which used online and face-to-face training to raise risk management awareness and competencies across all staff levels. The company also allocated resources to integrating risk management principles into the overall company culture. Another example is a government agency, which documented transparent discussion and sharing of information about risks as one of its corporate values, which were later communicated to all employees.
III. DISCLOSING RISK INFORMATION
Another criterion for effective risk management is the willingness and ability of an organization to document and disclose risk-related information both internally and externally. A mature company not only documents the results of risk analysis in its internal decision making processes, but also discloses information about risks and their mitigation to relevant stakeholders, where appropriate, in external reporting or on the company website. It is also important to note that, since actual risk information may be sensitive and contain commercial secrets, the focus of disclosure should not be on the risks themselves but rather on the risk management framework, executive commitment to managing risks and the culture of the organisation. Many organizations tend to treat this as a formality, often copy-pasting risk management information in external reporting from year to year without any update.
Remember that disclosure of risk management information allows companies to both make and save money. For example, the insurance market reacts positively to a company’s ability to disclose information about the effectiveness of its risk management and control environment, offering a reduction in insurance premiums. Banks and investors also see risk disclosure in a positive light, allowing companies to lower their financing costs.
IV. CONTINUOUSLY IMPROVING RISK MANAGEMENT
The final criterion for effective risk management has to do with the continuous improvement of the risk management framework and the risk team itself. One investment fund was able to do this with the help of regular assessment of the quality and timeliness of their risk analysis, annual risk management culture assessments, as well as periodic review of risk management team competencies. For example, professional risk management certification helps to boost risk team competencies. One of the reasons behind the need for constant risk management improvement is the rapid development of the risk management discipline. The ISO 31000:2018 standard is currently being reviewed by more than 200 specialists from 30 different countries. Some of the suggestions for the new version of the standard include the greater need for integration of risk management into business activities, including decision making, and the need to explicitly take into account human and cultural factors. These changes could have a significant impact on many modern non-financial organisations, raising questions about their risk management effectiveness.