Quick Reaction to “OnRisk 2020: A Guide to Understanding, Aligning and Optimizing Risk”

Refreshing and powerful new insights from the IIA

This report, available here, is a must read for anyone interested in scaling and sustaining risk management to drive business value. It's not necessary to agree with the report's approach or conclusions. The question is whether we can build on and refine practices from this starting point. The answer to that is yes. Even its flaws have virtue.

Top 3 Things to Like

1. A Fresh Perspective

According to the report “Managing risk is the art of building value while understanding what can be gained or lost from action or inaction, the foreseen or the unforeseen, the planned or the unplanned”.

With that kind of statement, I was hooked. Recognizing the dual nature of risks is essential but, in my experience, this has not been a belief widely associated with internal auditors. It opens all kinds of possibilities and directions.

2. No Risk Heat Maps

The standard medium for risk conversations has for years been risk heat maps. They are refreshingly absent. You will find very little dogma here. In its place is much needed intelligence and fresh perspective.

3. Innovative Methodology

The report was based on quantitative and qualitative surveys and provides interesting, original and innovative graphics to present its conclusions. The “alignment triangles” should prompt discussion and progress.

Top 3 Areas to Explore Further

1. Better Categorization of Top Risks

There are many ways to define top risk categories. The report lists 11 risks from among the vast assortment likely to be experienced in organizations. I'm a bit of a stickler for taxonomy. Some categories seem to describe the nature of the risk (Cybersecurity), some seem to describe the area of impact (Data Protection), some seem to reflect where the risk occurs (Third Party) and some seem to describe “controls” (Talent Management). In my experience it helps to have a common standard for defining risk categories. It's important to keep the list short while making it inclusive.

One way to do that is to define categories of risk drivers or risk sources. For example, Digital Innovation is a category of risk drivers that causes a wide variety of risks. Other broad categories might be competition, consumer behavior, employee engagement, etc. The number of risks that can occur is almost infinite. The factors that drive those risks are far more finite and possibly more useful to start with and study.

2. More Risk Views

The report captures the views of the Board, the C-suite and the CAE. I think it would be extremely useful and informative to add the views of the CRO, the CCO and the first line of defense to gain a richer understanding.

3. Tools for Managing Risk Stages

Auditors are typically charged with assessing the effectiveness of internal control. The report identifies and defines four constantly evolving stages of risk and describes the characteristics of each. Let's think through some guidance for all GRC professionals in approaching each stage. Is it the role of GRC professionals to guide the business through these stages? Are there existing tools and technology capabilities that could assist?

Congratulations to the IIA. In his introduction, Richard Chambers, President and CEO, describes this as the inaugural edition of an exciting new report from the IIA. I am looking forward to seeing more of this kind of research. Kudos to the IIA.

In the words of Russell Ackoff:

“The righter we do the wrong thing, the wronger we become. When we make a mistake doing the wrong thing and correct it, we become wronger. When we make a mistake doing the right thing and correct it, we become righter.”

Visit my website at http://www.riskrevisionist.com

Bruce McCuaig

Published by Bruce McCuaig

I'm interested in all aspects of risk and compliance management. I want to make it work for business executives, the practitioner community and the business.
