Accountability – the 3 lines of defense

If you have any connection to “risk management”, you have probably heard of the “three lines of defense” model.

  • The first line of defense (“FLD”) makes the risk decision at the point of its occurrence. Sweep the floor or don’t sweep the floor. Turn on the lights or don’t turn on the lights. Make the sale or don’t make the sale. Recruit this volunteer or don’t.
  • The second line of defense (“SLD”) sets policies regarding the risk. In many organizations, that’s a separate group with technical expertise. Maybe it’s the “Plant Safety Committee” that interprets and implements OSHA rules for the factory. Or it’s the “Information Security Group” that interprets and implements data security procedures.
  • The third line of defense is the independent review, often performed by internal audit, which provides an independent and objective view.

Now let’s put this in the context of “goals”. As described in an earlier post, there really are only two kinds of goals within an organization. There are “mission goals” and “mitigation goals”.

As a reminder, mission goals are those that directly, intuitively, and obviously align with the overall mission. These goals are things like sales goals, production goals, brand recognition goals, financial reporting goals, cash management goals, etc.

Mitigation goals are the “anti-mission” goals. These detract from the mission goals, but in a necessary way. As an example – “Sure we want to maximize sales, but we will not do it in a deceptive manner.” “Sure we want to manage cash flow, but we won’t illegally hide funds in off-shore accounts.”

If the organization is big enough, mitigation goals are owned by a separate unit with the right expertise. Maybe it’s the Legal Department, or Compliance, or Credit, or something similar.

And now we arrive at the point of this post – Accountability. Effective organizations thrive on accountability. Who are we choosing to entrust with that goal? That’s accountability.

In the case of mitigation goals, these are always owned by a second-line-of-defense unit. It has to be their responsibility to assure that these bad things aren’t taking place. Part of the SLD’s responsibility is to define, and push down, procedures that will guide the first line of defense. The content of these policies and procedures must be clearly owned by the SLD unit. If they don’t achieve the mitigation goal, that’s SLD’s failure. They had better be monitoring to determine whether their strategy (policies, procedures) is achieving the desired results or not.

FLD, on the other hand, is responsible for executing those procedures. Period. If the procedures aren’t really very well-designed that’s not FLD’s problem. Remember, FLD’s primary role is to achieve their mission goals, not the various mitigation goals. But – to be clear – the FLD is responsible for following company policy – and that includes performing whatever mitigation procedures the SLD defines.

So, that’s it. It’s easy to assign accountability for mission goals. But mitigation goals will always create a tension – a push/pull – with those mission goals. That’s why it’s important to segregate these goals to a specific SLD group with the appropriate interest, expertise, and authority to make it happen. And they must understand that their role is “anti-mission” – and for good reason.

So what happens if the mitigation procedures are so onerous that they severely impact the mission goals? This is where FLD’s self-interest kicks in. If FLD is not achieving their goals and they contend that it’s due to onerous SLD mitigation procedures, it becomes FLD’s responsibility to raise the flag and ask for a reevaluation. But whether to comply with the mitigation rules? Not their option. They cannot pick and choose which mitigation rules they will recognize. If they choose to ignore the procedures, they have to pay the price for knowingly ignoring and acting contrary to policy.

One last point. If the mitigation procedures are negatively impacting a mission goal, and there’s nothing that can be done about it, FLD leaders have every right to petition for an adjustment of their particular mission goal. For example, let’s say that a food delivery service has the goal of delivering 500 free meals a week to the needy in their community. And they use volunteers to drive and deliver those meals. Subsequently, a mitigation procedure says that volunteer drivers may not have any driving infractions for the prior 5 years. That will obviously have an impact on recruiting volunteer drivers, perhaps making the mission goal impossible. Accordingly, it’s entirely appropriate for the individual who is accountable to deliver 500 meals to reopen that discussion and negotiate resetting the goal to, say, 300 meals per week. This illustrates the fact that mitigation always has a cost. That doesn’t make it inappropriate. But like any constraint it needs to be transparently considered in strategic planning.

Oh. My. God.

It’s happening again. And I’m pissed again.

I’m sitting in a webinar on some specific sub-topic of “risk management”. It’s from a major consulting firm. A good firm, no doubt. I don’t need to pick on them specifically, because it’s the same everywhere.

Here’s the problem.

Years ago, big companies were told they needed better risk management. Consultants were hired. Consultants convinced these big companies that this is complex and will cost a lot of money. Business executives responded that they have the money so go ahead – just don’t bother us because we’re busy and don’t really care about whatever it is you’re going to be doing as long as regulators don’t bother us about this “risk management” thing.

And just like that, a false assumption of complexity was born.

Who wants to fix this? Well, not the consultants. This false assumption brings in money. Not the executives at the really big companies. They can just write a check and their “risk management” problem goes away. And not the risk management professionals who got hired within those companies because this complexity gives them a career.

What a waste!

Here’s the irony. These consultants and specialists want to be loved and appreciated by the executives they try to serve. But they never will. And the reason is simple. The executives know that the real job of managing risk is something that they do. They always have. They don’t need an independent risk management department, who probably doesn’t even understand the business, to tell them where risks lie. Oh, sure, sometimes you want statisticians or other data professionals to collect, massage, and interpret raw data in order to inform an executive opinion about this or that. But to presume that executives need a separate risk management function to guide the company’s risk profile? Absurd.

Simplify! Simplify! Simplify! Let’s give risk management back to the executives and other leaders whether they want it or not. Truly, that’s their job and they should own up to it. Let’s just put the right language in place so that everyone, from the Board down to the shop-floor supervisor, understands what we mean by “risk” in the real world.

It’s simple, really. “Risk” is just the potential that a strategy, or process, or procedure may, occasionally, deliver unexpected (usually undesirable) results. Some strategies will naturally be “riskier” than others. Here’s an example – you want to increase sales. You could choose to hire 10 new salespeople. Or, you could choose to move into internet sales (something you’ve never done before) targeting consumers in North Korea. Which of these has a greater chance of delivering the results you want? And it’s easy to teach the handful of common techniques to make a given strategy less (or more) risky. This whole “risk management thing” should be a core management competency, not something you farm out to consultants.

This isn’t complicated.

Just don’t ask the consultants to explain it to you.

Goals and Strategies

Sometimes business conversations center around goals. Sometimes they center around strategy. It’s important to understand that there is always a one-to-one link between these two. You can’t talk about one without, implicitly, talking about the other. What’s your corporate strategy? Well, whatever it is … it directly points back to your corporate mission. Or, at least, it should. Your corporate mission is, simply, your organization’s top-level goal.

Similarly, on the flip side, if you’re talking about your organization’s mission, it had better be logically explained by your organization’s overall strategy. If there is any fog around this link, there’s a real problem that needs to be addressed.

And here’s a subtle point that is one of the underlying foundations of risk management. If the goal is a “stretch goal” or something new to the organization, it requires a riskier strategy. Conversely, if the goal is “business as usual”, it requires a tried-and-true low-risk strategy. Understand this association – it’s fundamental to understanding risk management.

Tough Goal – needs a high-risk strategy

Easy Goal – needs a low-risk strategy

Get this wrong, and your odds of success are very low.

Weekly Tip #2 – Risk Management

Keep things simple to create a solid foundation.

“Risk” (singular) is another word for “uncertainty”. It means that there is some potential for things not going exactly as you planned. Maybe a lot. Maybe a little. Here’s my first tip for today – train yourself so that when you use the word “risk” you’re talking about uncertainty.

Always.

So what if someone uses the word “risks” (plural)? In this case, they are very, very likely talking about “threats”. Threats are the specific things that can go wrong and, somehow, cause you harm. A threat is a potential event. Here’s my second tip for today – train yourself to use the word “threats” when you mean “threats”. Don’t use “risk” as a synonym for “threat”.

Not ever.

And here’s why that’s important. If the word “risk” can mean two different things within a single conversation, you’re continually creating a bit of fog around an important topic. What you need is clarity. So train yourself. Make sure that you have an unambiguous, solid foundation. Insist on using these two words (“risk” and “threat”) in the right way.

Simplify. That’s what experts do.

High Value Auditing: Becoming an Executive Multiplier

This was published in Thomson Reuters – Internal Auditing magazine.
Volume 34, Number 4
July/August 2019 – page 28.

We perform audits. We prepare workpapers. We verify compliance with established controls. When we find control weaknesses (or even worse – “irregularities”) we propose stronger controls.

These are the things that auditors are trained to do. And these things provide value.

But what if …


Risk Appetite and Risk Tolerance are Relevant Topics for Auditors

This was published in Thomson Reuters – Internal Auditing magazine.
Volume 33, Number 4
July/August 2018 – page 33.

Auditors live in the world of risk management. Two important – and often misunderstood – parts of current thinking around risk management are “Risk Appetite” and “Risk Tolerance”. We need to have a good understanding of these key concepts.


The four levels of Risk Management Integration

People waste a lot of time trying to define what is, and is not, good risk management. But reading someone else’s opinion seems largely irrelevant. Everyone views it through their own lens of experience.

Some view it through the lens of regulatory oversight. You know – ERM began when this law was passed. And it fundamentally changed when that regulation was implemented. Well, that’s true for some industries.

Others view it through the lens of their profession. ERM is all about managing investment risk. Or it’s all about eliminating financial reporting fraud. Or it’s about buying the right insurance. Or it’s primarily about environmental safety. Pick one.

I grant that these are all legitimate ways to look at risk when you’re operating at a low level of risk management integration. I argue, though, that it’s a waste of time to debate these issues at the top of the organization. These are discussions that should be addressed by subject matter experts further down — within the context of their specific needs and expertise. The top of the organization should not be trying to sort out the details of a good risk management design. They should be focused on moving up the maturity level for risk management skills and integration. Everything else will take care of itself.

The four levels of risk management integration.

I refer to the lowest level of integration as “Stakeholder Management.” At this level, the organization’s goal is not to manage risk; it’s to manage stakeholder expectations. If the CEO says “Give me some kind of risk management to get those auditors off my back” you know you’re stuck in a Stakeholder Management scenario. It’s all about appeasing those damned regulators, or auditors, or outside directors, or bankers. No interest whatsoever in actually improving the organization’s ability to manage risk.

The next level up is “List Management.” Here the focus is on gathering a list of risks. Management wants to do something with risk management and lists seem to be a good place to start. Management may not be entirely sure how these lists are to be gathered, or why. The focus is on the list itself and the ability to share it with other stakeholders.

Another step up along the integration path is “Risk Management.” At this level management wants to recognize and take steps to lessen exposure to threats. There are often clear processes to handle operational risk, vendor risk, financial risk, environmental risk, etc. Ownership of certain risks may be assigned. They may have a risk appetite statement. Management has read the literature and is doing what the experts suggest.

The highest level of integration is “Opportunity Management.” I created this phrase and it has a very specific identity. With Opportunity Management, management recognizes that risk is synonymous with uncertainty. And uncertainty exists in every strategy and process. Therefore, risk management is something that the organization does. It is not the responsibility of this or that person. It is an integral part of the organization’s culture … every bit as integral as doing performance reviews or sending out a company newsletter. At this level, business line leaders are concerned about third party vendors because they represent a clear uncertainty relative to a strategy that they own and for which they are accountable … not because the Senior Risk Officer says so. Threats will be identified, but it is all in the context of developing strategies and overseeing operations. It is all focused on managing uncertainty so that the organization can deliver more predictable future results. Everyone is trained about the role that risk plays within the organization and within their individual responsibilities. Everyone understands why it’s critical to explicitly recognize key assumptions that they may not be able to control, and how those key assumptions could affect future performance. At this level of risk management integration, employees recognize these thought processes as a normal part of their high performance culture.

Focus on moving to a higher level of integration

At a board or executive level, the greatest benefit does not come from developing a risk appetite statement. Or reviewing a list of threats across the entire organization. These things come about as a natural outgrowth of simply moving up the maturity scale to a higher level of integration. But so do many other benefits. When an organization reaches the Opportunity Management level, everything simply falls into place. Threats are aligned with strategic assumptions. These assumptions are discussed and considered before a strategy is ever approved. Management monitors these key assumptions and knows exactly what to do when one turns from green to yellow to red. Management knows that its goal is not to reward past success. Its goal is to assure future success.

So if you’re in an executive leadership role, ask how your organization is moving toward Opportunity Management.

For more information go to https://opportunity.management.
Using a Risk Management Framework for Internal Audit

This was published in Thomson Reuters – Internal Auditing magazine.
Volume 31, Number 3
May/June 2016 – page 29.

This is the last of four articles intended to help audit executives understand, evaluate, and use practical risk management techniques.


Strategy, Risk, and Results: The Focus of the (Strategic) Internal Auditor

This was published in Thomson Reuters – Internal Auditing magazine.
Volume 30, Number 5
September/October 2015 – page 16.

This is the third of four articles intended to help audit executives understand, evaluate, and use practical risk management techniques.


Understanding the Risk Management Environment

This was published in Thomson Reuters – Internal Auditing magazine.
Volume 30, Number 1
January/February 2015 – page 13.

This is the second of four articles intended to help audit executives understand, evaluate, and use practical risk management techniques.
