The Clear Lines on Audit and Risk are aimed at meeting the boss’s demand for assurance. Corporate risk specialists, by contrast, may drive ‘risk management’ as a prescribed set of steps, regardless of whether anyone is actually asking for assurance.
The Clear Lines on Audit and Risk only support ‘managing risk’ for the right reasons.
The how-to steps in this guide meet your need to assure the boss about your unit’s prospects, and your need to live up to those assurances. In particular, you must understand and act on the potential for unintended consequences of your unit’s activities and failures.
The Clear Lines on Audit and Risk place the conversation with the boss at the centre of work unit risk management. The boss may not be asking for assurance today, but may ask at some time in the future. Being ready for that conversation also protects your own interests.
The Clear Lines also say that risk management is about understanding what matters, how surprises can happen, and acting on that understanding to deliver what matters.
In this view, the risk specialist helps you, and challenges you, on the way to assuring the boss. The specialist works for you, and may also work for your boss. Something is very wrong if you feel that both of you are working to satisfy the risk specialist.
Risk specialists in organisations may have a different driver.
Their driver for risk management may be that ‘risk management’ is a good thing to do, or makes someone look good. Someone at a high level believes that the organisation should be better at ‘risk management’, and the specialists agree with enthusiasm. You may hear words like ‘best practice’, ‘framework’, ‘maturity’, or even ‘competency’. These words are fine, but they aren’t a reason to care about risk.
In some industries, a demonstration of ‘risk management’ may be mandated and regulated, with no escape available. In the worst case, you may be made to create a benign ‘risk management’ paper trail to cover up secretly aggressive or negligent business practices for short term gain. In that world there will be a lot of focus on process rules, and not much on reality. This kind of driver puts the motions of ‘risk management’ in front of achieving real assurance for real people who want and need it.
The Clear Lines on Audit and Risk insist that risk management should be done to achieve assurance based on good decisions and actions. Risk management processes and steps are only a means to that end. ISO 31000, the international risk management standard, says the same thing.
If there is an overwhelming demand to look good by going through prescribed motions for ‘risk management’, then go ahead to meet that demand. But also understand risk in the right way, and deal with it for the right reasons. If necessary, maintain two sets of documents. The contents of each set of documents should be consistent when they talk about the same things. Even if there is some doubling up in the paperwork, your overall effort will not be doubled.
If you are required to fill out risk paperwork according to rules, and that’s all you do, you’re making the same mistake as your organisation. Like thousands before you, you’re seeing ‘risk management’ as filling paperwork, and not as delivering confidence.
Version 3.0 Beta