What do you think is the best gift or advice someone can give?
Personally, my answer to this question is constructive criticism. Some people you encounter just enjoy criticizing, which is unfortunate but true.
However, when done from a sincere desire to help someone improve, constructive criticism can be one of the best gifts you can receive. The positive impacts of this gracious act can spread in ways we can only imagine.
I was therefore quite heartened to see one of my cornerstone articles on enterprise risk assessment being critiqued by none other than Norman Marks. A dynamic background in audit, governance, and risk management, coupled with a substantial body of books and articles, makes Norman a go-to resource for practitioners worldwide.
As for his review of the (updated) risk assessment article, Norman’s points can be broken into three distinct sections. Below are screenshots of each of these three points, with my comments following.
What Norman is saying here is, before you can determine what to do about a risk, you have to understand where you are right now, or your current situation.
From a strategy perspective, this makes total sense: you have a target number you are working toward, and once you reach it, you’re there and can move on to another goal. But to set any such metric, you first have to capture today’s actual numbers.
In the day-to-day work of running the company, the perspective is slightly different. Rather than reaching a goal and then figuring out the next one, leadership has to figure out how to reach the goal PLUS how to maintain that threshold once it is reached.
Examples can include customer wait times or producing a certain number of widgets or units per minute.
What this amounts to is a shift in the business context, which, as you can discern from our example, consists of customer service and production. Once the initial goal is reached, the questions shift to the risks to maintaining that threshold.
And this gets us to one of the core value propositions ERM can provide – monitoring change to the business context.
Circling back to Norman’s initial point: yes, you absolutely have to understand where you are now to identify risks to achieving the future goal.
I highlight identify because “understanding current state” should be handled in the identification phase. It’s only from this perspective that you can identify the risks of moving from today’s state to achieving a specific objective. Once you know the risks, then you assess impact and likelihood, which is what we explore in depth in the article Norman is reviewing.
Of course, once this is understood, the next step is to analyze the objectives and risks against each other to determine the appropriate response. From here, the focus then shifts to monitoring.
It’s possible that Norman thought this article was all-inclusive when in fact it is just a sliver of the whole ‘process.’ Many people tend to consider ‘risk assessment’ the whole cycle when it is not.
Below is a snippet of Norman’s next point:
I don’t disagree with what Norman is saying here – it’s certainly better to have a range of impacts as this better reflects the real world.
It wasn’t my intention to promote a ‘single point,’ but what I often run into is that many companies are simply not equipped to handle this level of quantitative assessment when they’re first starting out.
They’re just getting used to the idea of assessing something and using some criteria.
I’m a proponent of taking things slow and making incremental progress toward the ideal situation Norman discusses in his review.
Making progress toward the capacity to capture a range of potential impacts doesn’t require fancy modeling capabilities. As Graeme Keith and I discuss in this interview, it is possible to provide a range and then ask executives and/or business units to estimate the likelihood of each point along that scale.
One challenge of collecting multiple impacts and likelihoods is that many ERM software systems simply do not support this functionality, which is something I hope can improve in the years ahead. Another issue is the sheer amount of data to capture and subsequently manage on an ongoing basis.
What Norman is describing here is something I would LOVE for all companies to be able to do. However, we also need to keep the practicality in mind and meet companies where they are so as not to overwhelm them.
And now on to Norman’s final point, which is:
In addition to the parameters in the bullet list, Norman provides two additional ones for companies to consider.
His suggestion on ‘risk clockspeed’ – how fast you can get the information to respond – is interesting, and can certainly be helpful, especially for consequential decisions. In some situations, this can make all the difference. My one request: before you start a risk assessment, ask yourself one question – how many data points are your stakeholders willing to sit down and talk through for each risk? Pick the most relevant for the context and be prepared to facilitate the discussion.
As for risk capacity – similar to understanding current state and context, this element is really a part of determining risk tolerance, which is outside the “scope” of the risk assessment stage. If companies followed my ideal practice for risk tolerance and capacity, they would be using existing key performance indicators to gauge where they are, where they want to be, where their threshold lies (tolerance, i.e., what they are willing to take), and where their limit lies (capacity, the absolute most they can take).
I’m thrilled and grateful to Norman for providing such extensive thoughts and feedback on this important article. He was kind to recommend my blog to his readers. I certainly want to return the favor, plus recommend his books. I found his one on technology risk to be particularly useful, plus his guide for executives is great for communicating the value ERM can provide to company leaders.
In my opinion, it’s through exchanges like this that the richest insights on any topic can be found. I look forward to future exchanges with Norman, Tim Leech, and anyone else interested in improving organizations’ decision-making.
What points would you add to Norman’s?
If your company needs some help to ensure it delivers the insights needed for making a decision quickly, please reach out to discuss your specific situation today!