One of the lessons from Sarbanes-Oxley was the sheer waste of time and energy for those organizations that tackled it the wrong way. Admittedly most organizations tried to be thoughtful and creative in addressing SOx. Some recognized that SOx requirements were not significantly different from what they were (should have been) already doing. However, given the relatively small amount of time for implementation and the very large downside, it was often approached as a ‘compliance’ issue rather than a ‘management information’ issue. It should have been approached as a relatively easy re-design of management reporting to include existing organizational knowledge about the internal control environment.
Public accountants and other consultants bear substantial blame for this. The CPAs were feeling pressure from their governing bodies to assure ‘compliance’ with SOx. This sometimes meant that they were in a less-than-consultative mood with their clients. And third-party consultants, of course, were ready to accept fees and help assure that these public companies satisfied the requirements imposed by their public accountants.
Now let’s move forward a few years.
Many organizations are moving, in some way, into risk management. The reasons vary: regulators are becoming more insistent, or the governing board has indicated that it wants it. Or, perhaps, executive leadership is intrigued by what they imagine risk management can provide to help them better run their organization.
One thing that organizations need to avoid is treating risk management implementation like they may have treated Sarbanes-Oxley implementation. There is a natural temptation to presume that risk management is a side-project that the organization simply must accomplish and move past. There may be a presumption that there is a checklist that, once completed, will provide a risk management environment. In fact, there is … but only at a very high level. There are specific objectives that need to be achieved in order to implement risk management. But each of those objectives needs a strategy that is specific to each organization.
For those organizations considering a more formalized approach to risk management, there are three options:
- Spending: Creating a risk management program that provides little value beyond the fact of its existence.
- Waiting: Doing nothing formal and continuing to rely on the management team to manage risk in an ad-hoc manner.
- Investing: Thoughtfully designing and implementing a risk management environment that will continually pay dividends in better organizational information and decision making.
The worst of these options is the first – spending money with little or no payback. The biggest damage is the illusion, without the substance, of risk management that a weak program so often creates.
The other two options are a simple cost/benefit question. If management believes that the organization can’t afford to improve its ability to make better decisions and achieve its objectives, it may be better to wait and not invest in risk management. However, if executives believe that the organization needs to perform better and achieve results faster, then risk management is definitely a tool that they need to consider.
My advice – executive leadership should firmly reject any weak risk management process. Spending money with no clear payback is irresponsible.
Instead, executives must consider carefully the cost and benefit of risk management. Bring in advisers who can guide management in understanding, at a business level, the costs and benefits of risk management. Then decide either to wait or to invest.