Refreshing and powerful new insights from the IIA
This report, available here, is a must-read for anyone interested in scaling and sustaining risk management to drive business value. It's not necessary to agree with the report's approach or conclusions. The question is: can we build on and refine practices from this starting point? The answer to that is yes. Even its flaws have virtue.
Top 3 Things to Like
1. A Fresh Perspective
According to the report “Managing risk is the art of building value while understanding what can be gained or lost from action or inaction, the foreseen or the unforeseen, the planned or the unplanned”.
With that kind of statement, I was hooked. Recognizing the dual nature of risks is essential but, in my experience, this has not been a belief widely associated with internal auditors. It opens all kinds of possibilities and directions.
2. No Risk Heat Maps
The standard medium for risk conversations has for years been risk heat maps. They are refreshingly absent. You will find very little dogma here. In its place is much needed intelligence and fresh perspective.
3. Innovative Methodology
The report was based on quantitative and qualitative surveys and provides interesting, original and innovative graphics to present its conclusions. The “alignment triangles” should prompt discussion and progress.
Top 3 Areas to Explore Further
1. Better Categorization of Top Risks
There are many ways to define top risk categories. The report lists 11 risks from among the vast assortment likely to be experienced in organizations. I'm a bit of a stickler for taxonomy. Some categories seem to describe the nature of the risk (Cybersecurity), some seem to describe the area of impact (Data Protection), some seem to reflect where the risk occurs (Third Party) and some seem to describe "controls" (Talent Management). In my experience it helps to have a common standard for defining risk categories. It's important to keep the list short while making it inclusive.
One way to do that is to define categories of risk drivers or risk sources. For example, Digital Innovation is a category of risk drivers that causes a wide variety of risks. Other broad categories might be competition, consumer behavior, employee engagement, etc. The number of risks that can occur is almost infinite. The factors that drive those risks are far more finite and possibly more useful to start with and study.
2. More Risk Views
The report captures the views of the Board, the C suite and the CAE. I think it would be extremely useful and informative to add the views of the CRO, the CCO and the 1st line of defense to gain a richer understanding.
3. Tools for Managing Risk Stages
Auditors are typically charged with assessing the effectiveness of internal control. The report identifies and defines 4 constantly evolving stages of risks and describes the characteristics of each. Let’s think through some guidance for all GRC professionals in approaching each stage. Is it the role of GRC professionals to guide the business through these stages? Are there existing tools and technology capabilities that could assist?
Congratulations to the IIA. In his introduction, Richard Chambers, President and CEO, describes this as the inaugural edition of an exciting new report from the IIA. I am looking forward to seeing more of this kind of research. Kudos to the IIA.
In the words of Russell Ackoff:
"The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter."
Visit my website at http://www.riskrevisionist.com