
Faster, easier, more natural risk management
7 time saving ideas

All around the world there are organizations in the public and private sector doing risk workshops and writing risk registers. The techniques used have only just begun to develop and there is still vast scope for improvement.

In particular, most organizations can do their risk management in faster, easier, more natural ways, yet still get the same or better results.

The key to the value of risk management workshops is that they help people overcome their usual tendency to suppress uncertainty, not talk about it, not manage it, and eventually fail because of it. Once people are able to admit they're not sure, the next step is to help them think about what to do without getting entangled in over-complicated analysis of the many permutations of events that might happen.

There are plenty of different ways to do that and the most common approach is not the only one, or the most time-effective. Here's a description of the usual approach and later I'll suggest 7 time saving ideas that refine this approach for better results in less time.

The familiar formula

The most common approach is a blend of control risk self assessment and risk management. In the workshop participants are asked to suggest "risks" and these are rated subjectively for their probability of occurrence and impact if they did occur. The risks that are rated highly enough are considered further to identify risk responses, sometimes called "treatments", and assign owners.

This thought process is carried out in the same way at every level of management involved, including the top level. The idea is to identify gaps in controls/risk responses and initiate remedial actions.

Risks or sets of risks?

The method assumes that what is called a "risk" is a single outcome, something like losing a bet, which has a probability and an impact. Take a look at almost any entry in any risk register and you will see that this is not the case, and for very good reasons. The "risks" are really sets of risks. For example, "Risk of losing market share" is a set of risks, each being a different degree of market loss. People often suggest as "risks" things that are wrong now, by which they mean all the risks flowing from the issue they have identified. Sometimes risk register items even give a list of risks.

Time saver #1: To get more done in a workshop try to control the level of detail of the risk sets. Start with big, broad sets and then decide which to unpack into smaller ones. This way you can cover more ground and go into detail where it matters most. Ask people for "areas of uncertainty" rather than "risks".


 

Instead of going into, say, 50 rather small risk sets like this...



 

...try to start with overview risk sets and dig into details where you think it matters most. Here are 50 risk sets done in this way and you can see that the coverage improves dramatically.

Time saver #2: Don't waste time on bogus ratings. Use simpler methods to focus on key areas.

Bogus ratings? That needs explanation. It makes perfect sense to rate an individual outcome for its probability of occurrence and impact if it did occur, but it makes no sense at all to do the same for a set of risks. For example, "Risk of losing market share" could perhaps be rated for probability of losing at least some share, but what about impact? It depends on how much market share is lost. Check the math and you will learn that describing the likely impact of a set of risks requires a probability distribution for impact.

So if the usual ratings are logically meaningless, how much is lost by not doing them? Here are some simpler, quicker alternatives that are logical too:

  • Exploit the fact that people normally mention early the areas of risk that concern them most. The areas mentioned first and about which people talk most tend to be the most important ones. The ritual of assessment and ranking adds less value than you might think.
  • Ask for very simple ratings such as "Is this a critical area or not?" or "Please rate the importance of this area from 0 to 5".
  • If time is running out but people are still suggesting areas of uncertainty, ask them to list them without discussing actions and details so you can check there is nothing else important still to come.
  • When deciding if gaps in responses exist, simply ask people to run through the areas identifying those where they think more thought about risk responses is still needed.
  • When deciding if a risk response is justified, summarize the related impacts of all risk areas the response addresses, and only do this for costly responses where there is doubt about justification.
  • Only do more rigorous risk ratings when it is justified, such as when expensive actions might be needed to cover it.

Read corporate governance regulations and risk standards carefully and you will usually find that separate probability and impact ratings are not mandatory, even though they are often described as a good approach.

Analysis vs. action

Typical risk management workshops are heavily biased towards risk analysis at the expense of action. Both are important but usually it is risk responses that need more attention. However, thinking up responses is harder than wallowing in your problems, so people need more help.

Time saver #3: Prompt participants with types of response.

When people first attend a risk management workshop they often struggle to come up with responses. They can't even think of things they have already done, let alone new ideas. With time and experience they learn a repertoire of responses that are often useful in their work and productivity improves.

Help them along the learning curve by suggesting responses. For example:

  • When facilitating ask if particular responses have been done or might be appropriate. Don't be afraid to suggest responses, especially when people are new to risk management and internal control.
  • Distribute a list of response types or have it on your projector/flip chart. It is increasingly common to see risk "treatments" listed as "avoid, transfer,..." which is progress in the right direction but not enough. More detail than this is helpful as these headings in themselves are rather abstract and people have to work too hard to think what they really mean.
  • In describing the approach try to encourage people to think about things they can do that address uncertainty specifically. If you have been successful in reducing uncertainty suppression and people start to recognize they are unsure of things then new actions are easier to think of.
  • Train participants beforehand, if possible.

Time saver #4: Work by modifying a generic scheme of responses.

A more advanced way to prompt people with responses is to start with a complete but generic model of the control system and use the workshop analysis to tailor it to the project/process/company under consideration. This is close to the thought process followed by experts.

With experience it is possible to develop generic models that reflect the typical risks and responses the team usually faces. The marketing department will then have a different generic model from the IT projects group, who will have a different starting point to the IT operations group, and so on.

Time saver #5: Accept "more risk management" as a response.

Time quickly runs out in risk management meetings, especially when uncertainty has been suppressed for a long time and there is a backlog of issues to sort out. Often there is far more thinking about risk responses still to do, so accept "further analysis" as a response, while encouraging progress.

For example, it may be that completing a project involves constructing a building and you are doing a risk workshop at an early stage in the project, while architects are still being selected. Prior to construction a very detailed analysis of risks during construction is needed, but now is not the time for attempting that analysis. The risk response should identify that a further analysis is needed and be more specific about when and how to do it, and who will be involved.

Even if a satisfactory set of responses is not devised it is important that participants decide how to take forward the matters discussed.

Audit vs. management

The typical risk management approach has been heavily influenced by past audit techniques and so tends to be a snapshot assessment rather than a method of initiating action. The regulatory pressure has tended to be for evaluation of effectiveness rather than improved effectiveness.

For senior executives this means they are expected to carry out an analysis of risks and controls, looking for current gaps and remedial actions, when they would be much more comfortable leading by looking to the future and directing resources to meet new challenges in good time.

Time saver #6: Let senior people do what they're used to instead of trying to turn them into auditors.

By looking at planned and potential future events and deducing their consequences for risk and controls it is not hard to see where resources need to be directed to ensure controls are revised in good time. Though many senior executives need expert help with details and to get started, this is something they will find more familiar and satisfying than grinding through the details of remedial actions.

Embedding

Risk management initiatives have often started with infrequent workshops held with very senior people in order to meet regulatory requirements with minimum "interference" to the business. You can visualize it like this, with the red box representing a workshop.



 

One way to extend the impact of risk management is to repeat those workshops more often and with more people, using the same thought process.

But that makes little sense. People sometimes respond crossly saying they don't see what value it adds and "I do risk management all the time." They do, so rather than acting as if risk management is not happening properly unless it is by those standard workshops we need to recognize and cultivate what is already there.

Time saver #7: Spend less time trying to convince people the standard workshop approach is useful to them and spend time instead working out tailored alternatives. Look for risk management that is already in place and cultivate it using many different techniques.

You could visualize it like this. A range of different, more streamlined techniques used in different parts of the organization.

In effect, this expands the concept of an internal control system to include many more intelligent and risk smart activities, done by managers as well as accounts clerks.

This is one reason why auditors and others with a strong knowledge of internal control systems have so much to offer in enterprise risk management. Though some of our techniques currently lack impact, the core knowledge of auditors has the potential to create much more change.

Summary

Put all those ideas together and your risk management approach will feature tailored workshops that rapidly get to actions on critical areas of risk, pulled together by executive leadership that anticipates problems before they happen and directs resources in good time, where each group in an organization gets and appreciates help managing more effectively instead of fighting something they see as regulatory bureaucracy.

Matthew Leitch
matthew@internalcontrolsdesign.co.uk

For more ideas on this subject visit www.internalcontrolsdesign.co.uk and www.managedluck.co.uk.

Copyright © Jim Kaplan
AuditNet® is a registered trademark of Jim Kaplan


Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/