The four levels of Risk Management Integration

People waste a lot of time trying to define what is, and is not, good risk management. But reading someone else’s opinion seems largely irrelevant. Everyone views it through their own lens of experience.

Some view it through the lens of regulatory oversight. You know – ERM began when this law was passed. And it fundamentally changed when that regulation was implemented. Well, that’s true for some industries.

Others view it through the lens of their profession. ERM is all about managing investment risk. Or it’s all about eliminating financial reporting fraud. Or it’s about buying the right insurance. Or it’s primarily about environmental safety. Pick one.

I grant that these are all legitimate ways to look at risk when you’re operating at a low level of risk management integration. I argue, though, that it’s a waste of time to debate these issues at the top of the organization. These are discussions that should be addressed by subject matter experts further down — within the context of their specific needs and expertise. The top of the organization should not be trying to sort out the details of a good risk management design. They should be focused on moving up the maturity level for risk management skills and integration. Everything else will take care of itself.

The four levels of risk management integration.

I refer to the lowest level of integration as “Stakeholder Management.” At this level, the organization’s goal is not to manage risk, it’s managing stakeholder expectations. If the CEO says “Give me some kind of risk management to get those auditors off my back” you know you’re stuck in a Stakeholder Management scenario. It’s all about appeasing those damned regulators, or auditors, or outside directors, or bankers. No interest whatsoever in actually improving the organization’s ability to manage risk.

The next level up is “List Management.” Here the focus is on gathering a list of risks. Management wants to do something with risk management and lists seem to be a good place to start. Management may not be entirely sure how these lists are to be gathered, or why. The focus is on the list itself and the ability to share it with other stakeholders.

Another step up along the integration path is “Risk Management.” At this level management wants to recognize and take steps to lessen exposure to threats. There are often clear processes to handle operational risk, vendor risk, financial risk, environmental risk, etc. Ownership of certain risks may be assigned. They may have a risk appetite statement. Management has read the literature and is doing what the experts suggest.

The highest level of integration is “Opportunity Management.” I created this phrase and it has a very specific identity. With Opportunity Management, management recognizes that risk is synonymous with uncertainty. And uncertainty exists in every strategy and process. Therefore, risk management is something that the organization does. It is not the responsibility of this or that person. It is an integral part of the organization’s culture … every bit as integral as doing performance reviews or sending out a company newsletter. At this level, business line leaders are concerned about third party vendors because they represent a clear uncertainty relative to a strategy that they own and for which they are accountable … not because the Senior Risk Officer says so. Threats will be identified, but it is all in the context of developing strategies and overseeing operations. It is all focused on managing uncertainty so that the organization can deliver more predictable future results. Everyone is trained about the role that risk plays within the organization and within their individual responsibilities. Everyone understands why it’s critical to explicitly recognize key assumptions that they may not be able to control, and how those key assumptions could affect future performance. At this level of risk management integration, employees recognize these thought processes as a normal part of their high performance culture.

Focus on moving to a higher level of integration

At a board or executive level, the greatest benefit does not come from developing a risk appetite statement. Or reviewing a list of threats across the entire organization. These things come about as a natural outgrowth of simply moving up the maturity scale to a higher level of integration. But so do many other benefits. When an organization reaches the Opportunity Management level, everything simply falls into place. Threats are aligned with strategic assumptions. These assumptions are discussed and considered before a strategy is ever approved. Management monitors these key assumptions and knows exactly what to do when one turns from green to yellow to red. Management knows that its goal is not to reward past success. Its goal is to assure future success.

So if you’re in an executive leadership role, ask how your organization is moving toward Opportunity Management.

For more information go to

The essence of strategy management

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about strategies.

Strategies are the foundation of risk management. That’s right – strategies, not risks. All so-called risk management is (or at least should be) performed within the context of strategy management. We don’t manage risk for its own sake. We do it to help us develop and execute strategies. So let’s put a different spin on risk management.

First, people own objectives and associated strategies. By “strategies” I simply mean the processes that we use, or steps that we take, to accomplish the objective. People own strategies, not risks. See my prior post on risk ownership for more explanation.

Here is why it makes much more sense to focus on strategies. No organization is in business in order to “manage risk”. It is in business in order to accomplish something. In our personal lives, we don’t design our day around “managing risk”. Instead, we have goals – things we want to accomplish. We develop a plan (strategy) either intuitively or explicitly to accomplish our goal.

So where does risk come in? Risk is the variability in that strategy. It is the potential that this strategy may not lead to the results that we want. We manage risk for only one reason – to improve the odds that our strategy will deliver a favorable result.

Virtually any strategy has some set of potential risk events that could cause problems. Risk management is the process of understanding and addressing those potential risk events. There are two types:

  1. Controllable: Some risk events can be controlled if we choose to invest appropriate time, money, and energy. We can put additional procedures in place (internal controls), we can buy insurance, we can create and test prototypes, or any number of other potential options. These are all ways that we can prevent potential risk events from derailing our strategy by investing additional time, money, or energy. Now it becomes a strategy decision – do we want to strengthen our strategy by investing the time, money, and energy to make it a bit more predictable?
  2. Uncontrollable: Some risk events we cannot control. The economy could falter. New unforeseen regulations could be harmful. Weather patterns could change, impacting company logistics. One way to address this is by thinking of these as “strategic assumptions”. Simply put, what assumptions are we making as a foundation for this strategy? What operational, financial, legal, compliance, etc. assumptions are we making? Although we may not be able to control these assumptions, we can typically monitor their potential existence. We can set up a Key Risk Indicator that monitors the economy. If the economy declines, it turns our “KRI” from green to yellow to red. Now we know that we need to revisit any and all strategies that were based on those economic assumptions. Simply put, those assumptions are no longer valid so the strategy is no longer optimal.

The essence of strategy management is to recognize it as the focus of risk management. Strategy management is the sole reason that we spend any time or energy focusing on risks. Keep “risk management” in that perspective.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

The essence of risk ownership

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about risk ownership.

Many organizations try to implement risk management in a way that includes the idea that individuals own risks. Examples that I’ve seen include the CFO owning “Financial Statement Reporting Risk” or the Chief Counsel owning “Compliance Risk”.

This concept of risk ownership is based on a weak foundation. People really don’t understand what it means to “own” a risk.

When you say that someone owns a risk, you’re really implying that the person owns an objective. The CFO owns the objective of issuing financial statements according to professional standards. The Chief Counsel owns the objective of reasonably complying with laws and regulations. From a purely psychological sense, most people are more comfortable with the concept of owning an objective rather than owning a risk. We know how to own and embrace an objective.

Another problem with the concept of risk ownership is that real risks, rather than broad generalities, are often obviously outside the control of an individual. That’s what makes them “risks”.

For example, if an organization is planning on expanding into a new service line the strategy may depend on hiring experienced staff – a reasonable assumption. The clear risk is that it may not be possible to hire enough experienced people with a required skill set. How does the concept of “ownership” fit in here? Someone owns the objective of expanding into the new service line. That person also owns the strategy that will attempt to deliver that goal by hiring experienced staff. The risk that there might not be experienced staff to hire is simply an inherent part of the strategy; it is one of the things that can go wrong with this strategy. If the risk materializes, the strategy may need to be revisited and modified to incorporate the new, more complete, set of facts.

Here’s another illustration. Using the prior example, another risk might be that the economy will decline over the next 2 years. That would clearly impact the strategy associated with moving into the new product line. But, this same risk would also impact other strategies – perhaps dozens of other strategies. It might impact a plant expansion strategy. It might impact a compensation strategy. So – who would “own” the risk of an economic decline?

The essence of risk ownership is that no one can own a risk. People can own objectives and strategies. Risks are the things that you are not controlling within your strategy. Don’t waste your time identifying (and often negotiating) ownership of broad, general risk categories. In the end, it’s simply not actionable. Instead, spend that effort identifying which strategies are dependent upon outside factors that either you cannot, or choose not to, control – like the ability to hire experienced staff or a continuing improvement in economic conditions. Then, put a system in place to alert you when those uncontrolled risks are taking a turn for the worse. This allows you to quickly attend to the strategies that need to be revisited and reconsidered.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (

Performance Risk Management for Auditors

This article was published in Thomson Reuters’ Internal Auditing in May/June, 2013 …

Charles D. Schrock, CPA, CIA, CRMA
Senior Vice President
Inland Bank and Trust, Oak Brook, IL

Daniel J. Gaffney, CPA, CFF, CIA, CISA
Daniel Gaffney & Associates LLC, Chicago, IL

Auditors understand the fundamental value of risk management. Although ‘formal’ risk management may not be our day-to-day job, it’s always a part of what we do. That’s probably true for your executive management team also. We know that Audit Committees are vitally interested in risk management, even if they don’t know precisely what it is. (reference for the following)

According to the 2011 Annual Corporate Director Survey issued by PricewaterhouseCoopers, LLP, risk management remains at the top of the list of stakeholder concerns. Only 19% of directors measured their board as very effective at monitoring a risk management plan that mitigates corporate exposure. In an effort to enhance this performance, 57% of respondents reported they would like to increase their focus on risk. (reference for the following)

Survey findings from our latest KPMG Roundtable Series in more than 25 cities are telling: Only 39 percent of the 1,200-plus directors and senior management polled during the series said they are satisfied that their company’s governance activities are appropriately focused on the greatest risks to the company’s reputation and brand. Less than a quarter said they are satisfied that key governance activities are aligned with the company’s risk hot spots, and that the company’s governance activities are integrated into the strategy and add “real value” beyond simple compliance. (reference for the following)

As highlighted by the conference dialogue, internal audit can be most effective when focused on the critical risks to the business, including operational risks and related controls. Among the keys to fully leveraging internal audit:

  1. Challenging internal audit to take the lead in coordinating with other governance, risk, and compliance functions within the organization to limit duplication in coverage and, more importantly, to prevent gaps
  2. Maintaining a direct, open line of communication between internal audit and the audit committee
  3. Ensuring that internal audit has the resources, skills, and stature within the organization to succeed

Organizations want to manage risks. They want internal audit to be a part of the risk management process. The most common sources of guidance for risk management come from COSO and ISO. While both of these sources are strong on theory, they tend to fall short on practical guidance for implementing risk management. They provide even less guidance to us, as auditors, as we try to use risk management as a tool for our own purposes.

Performance Risk Management (PRM) is a new approach to risk management. It was developed in order to bridge the gap between theory and implementation. PRM is based on the sound fundamental ideas within the COSO and ISO models. PRM brings ERM into the real world. It aligns ERM with the way that organizations truly function.

Performance Risk Management is a process for addressing risk in a straight-forward and practical way that works for both management and auditors. As auditors, we can use Performance Risk Management to develop the audit plan, the audit program, and the audit steps. By using risk management as a foundation for our own activities, we can help our organizations start to develop a risk management emphasis that our boards of directors want. Additionally, we can serve as a force for change within our organizations as the expert advisors to help implement practical risk management more broadly.

Performance Risk Management was developed as a tool for management. However, it also helps auditors in three ways:

  1. It helps auditors discuss objectives and risks in ways that are relevant to auditees, executives, and Audit Committee members;
  2. It helps auditors set high level audit plans and budgets by identifying what’s important to the organization and, accordingly, what areas most need assurance from internal audit; and
  3. It helps auditors design better low-level tests because it requires auditors to focus on specific risks within a particular process.

Before going further, it’s important to identify the three foundational ideas that make Performance Risk Management unique. It will then be easier to discuss in greater detail how it helps us as auditors.

  1. Objectives, not risks, are the most fundamental component of PRM.
  2. Each person in the organization ‘owns’ one or more of these objectives.
  3. Risks exist within the context of people trying to accomplish their objectives.

These foundational ideas help us, as auditors, in the following ways:

First, PRM provides a very straight-forward entry point for incorporating risk management into your audit activities. Without PRM, simply getting started with risk management can require a large top-down project to brainstorm and identify risks. PRM, on the other hand, does not require a global organizational initiative. It can be used in a focused way to understand the risks within a specific area. Because PRM focuses on objectives that are owned by a specific individual, you can choose which individual (and his/her objectives) you want to address. If, for example, you want to perform an audit of your Regional Accounts Payable function, you can begin by using PRM to focus on the objectives of the Regional Accounts Payable Manager.

Second, as auditors we want to assure that we are spending our time (and our audit budget) in the best possible ways. PRM supports this. As the Regional Accounts Payable Manager’s objectives are identified, PRM incorporates the idea of assigning an impact level (i.e., a rating) to each objective. In our example, after a little prompting, the Regional Accounts Payable Manager might tell you that her objectives are: i) paying the right vendors, ii) paying the right amount, iii) posting expenses to the right general ledger account, iv) paying within the right time frames, v) preparing management summary reports of accounts payable operations, and, because she recently received a memo from HR as a reminder to all managers, vi) assuring that all human resource policies are fairly applied to her employees.

Each of these objectives may not be equally critical to the Regional Accounts Payable Manager, or the organization overall. The assignment of an impact level can help. PRM suggests assigning a factor (1 to 10, with 10 as most critical) to each objective. Together, the auditor and the AP manager might assign the following tentative values:

i) paying the right vendors – 6 (if you pay the wrong vendor, the money may be gone forever; however, the amounts involved won’t break the company)

ii) paying the right amount – 5 (not so critical – the company can typically make adjustments with a vendor later)

iii) posting to the right general ledger account – 4 (again, not so critical; the AP clerk can only post to a certain subset of general ledger accounts)

iv) paying in the right time frames – 6 (if not done in the right time frames, there may be a minor impact on either cash flow or discounts taken)

v) preparing management summary reports – ?? (as auditors, we may not be sure – how is this report used by senior management?)

vi) application of human resource policies – ?? (we know it’s important, but how important is it among this manager’s responsibilities?)

Understanding this relative ranking of the auditee’s objectives can help the auditor focus the audit on the more critical activities. What’s interesting is that this specific exercise yields two initial uncertainties that may need to be discussed with more senior people. Let’s consider the management summary reports. Unless we go through an exercise like this, the management summary reports may seem like an insignificant component of this person’s day-to-day activities. And that may be true. But, after discussing this with more senior executives, the auditor may learn that these reports are forming the basis for a major strategic vendor pricing initiative. Incorrect data could cost the organization $millions. If the auditor fails to specifically consider each task or objective owned by this Regional Accounts Payable Manager, he might miss the single most important activity that he needs to review. And, perhaps even more important, the Regional Accounts Payable Manager will now have a better understanding of the importance of this task.

Third, as auditors we need to design and execute audit tests. PRM helps with this as well. From the prior step, we can determine what general areas should be the focus of our audit testing. Now, we can formulate specific tests. Part of the PRM process is to identify specific real-world risks that may be associated with these objectives. We can do this through several techniques.

First, we should simply ask the manager “what can go wrong when you are determining who to pay?” We typically get very solid answers like “The approved invoice copy that I receive is sometimes unclear on the ultimate payee.” Of course, as auditors, we follow up with the question “if you’re uncertain, or if there is an error in the named payee, how would you catch that?” and “how often does that occur?” The goal is to understand what the risks might be and how likely they are to occur.

The second way that we can identify risks is to use standard frameworks, if such frameworks exist for the area under review. Examples of a framework might be the COBIT or ITIL frameworks within the information technology realm. Another helpful source of information might be existing internal control questionnaires. As auditors, we should not use these documents to simply take someone else’s list of risks. Instead, we use these frameworks and questionnaires to help assure that we remember to discuss major areas where risks might lurk.

Finally, the third way to identify risks is to simply consider the typical high-level categories. We should ask our auditees “are there any risks that might impact financial reporting? compliance? the company’s reputation? what about internal or external fraud? etc.” Again, the goal is to assure that we haven’t inadvertently skipped over entire categories of risk.

Once we have a reasonable list of real-world risks and identified their likelihood of impacting the success of the associated objective, we can determine how best to test. As auditors, we have training, experience and professional guidance to help us design tests. What PRM provides is a clearly documented rationale behind which risks are worthy of our testing.

In Summary

This article begins to touch on the value that Performance Risk Management can bring to an organization and, more specifically, to internal auditors. The main benefits to us, as internal auditors, are:

  1. We are speaking with the auditees in ways that are relevant to their day-to-day activities. We build rapport when we can step away from “auditor-speak” and talk about what is really happening in their department.
  2. We have a systematic process (and associated documentation) to support our audit program and specific audit tests.
  3. Audit recommendations are linked to specific risks which, in turn, are tied to specific (and agreed upon) objectives that exist within the audited area.

But there is one more benefit that demonstrates the value that internal audit can provide. You can become a model for organizational improvement. Through your use of PRM you are demonstrating the value that a straight-forward implementation of risk management can bring. Through your experience, you can help articulate the benefits of risk management as part of the organization’s overall risk management environment.

This article has described only some of the benefits of PRM. Additional benefits accrue when you add other well-integrated concepts such as Key Performance Indicators (KPI), Key Risk Indicators (KRI), risk assessments, and clear linking of individual objectives to higher level strategies. You can read more about Performance Risk Management at

© 2013 Thomson Reuters/RIA. All rights reserved.

A practical approach to reputation risk

Every organization has some desirable public image. Does it want to be perceived as environmentally sound? Family friendly? Political activist? A ‘high roller’? Cutting edge? Traditional? Or, perhaps it simply wants anonymity in the public eye.  Reputation risk results from strategies or actions that conflict with the desired public image.

Rather than wait for reputation risk issues to arise, it is important to be proactive. Let’s take a step back. Organizations are constantly developing strategies at all levels. Whenever someone is assigned a new task or objective, a strategy needs to be developed to accomplish it. The process of selecting or creating a new strategy can include the evaluation of whether that strategy is consistent with the organization’s public image.

In risk management, I use the term “risk attitude” to describe which strategies management would, or would not, feel comfortable with. A “low risk” attitude indicates that management expects assurance that the proper results will be achieved. A “high risk” attitude indicates that management is willing to take its chances and would be comfortable with a strategy that might deliver results ranging anywhere from wild success to total failure. Neither is necessarily good or bad and can vary not only from one objective to the next, but also with different components of a single objective. It’s possible, for instance, to develop a desirable strategy that is high risk in some areas (e.g. financial returns) while low risk in others (e.g. worker safety). But nearly every organization wants very low risk when it comes to protecting its public image. If that’s the case, then it’s reasonable to have a specific question that needs to be answered as part of every new strategy — is it consistent with our public image?

Of course, this assumes one very critical component. The organization needs to define and be able to describe its preferred public image. If that’s not the case, then reputation risk is increased simply because it may be unclear what to embrace or avoid during strategy development. If employees don’t know that the organization is cultivating a worker-friendly image, then a cost reduction initiative may include a strategy that includes massive worker layoffs.

That’s the first part — making sure that the organization understands how to develop appropriate strategies that will, at least initially, be consistent with your public image.

There is another part. An organization needs to be generally perceived as trustworthy and competent. For example, while an organization may not be explicitly cultivating a public reputation for good customer service, excessively poor customer service will still create a public image problem. The same would be true for any normal business activity if it is executed poorly to the level where the public perceives the organization as being incompetent. Even something as mundane as an inability to pay its bills accurately could grow to the extent that it creates a public perception of incompetence.

To avoid this, an organization also needs a general performance and risk management environment where expected performance levels are defined. Performance levels that don’t meet reasonable expectations need to be elevated to management long before such “incompetence” becomes a subject of public discussion.

Please share some stories about how your organization is addressing reputation risk.

COSO 2013 moves in the right direction

Many organizations base their Sarbanes-Oxley (SOX) documentation on COSO’s Internal Control – Integrated Framework. This publication was originally issued in 1992 and significantly updated in 2013. In the next year these organizations must update their financial reporting internal control documentation and testing to match the newly updated framework.

This major update adds 17 newly articulated principles which support the 5 already-existing components of internal control. These new principles must all be present, functioning, and working together in order to achieve an effective system of internal controls.

In my view, an organization cannot accomplish 12 of these 17 new principles without a functioning performance and risk management environment. That’s a good thing – it seems that COSO is now heading in the right direction. Internal control isn’t simply about having a certain set of control processes. It’s about having an environment that assures an organization is meeting its performance and control objectives.

Having an effective performance and risk environment is a little bit like having a good exercise program. Everyone knows that it’s a good idea. Sometimes we’re too lazy to do what we know we should do. But there is no doubt, once it’s in place, that we’re much better off because of it.

It's time to think of COSO 2013 like a doctor's "wake up" call. Let's stop paying lip service to managing risk and performance; let's actually do it. The group at Risk Leader ( has a new approach that links risk management with performance management. They call it, not so surprisingly, Performance Risk Management and their idea is that risk management is not a separate stand-alone activity. It has a clear and distinct purpose as part of an organization's normal management activities — to help an organization achieve its objectives better, faster, and more completely. It seems to me that a system like this solves two issues for COSO 2013:

  1. It is a risk and performance environment that, by its very existence, directly supports the organization’s ability to meet 12 of the new principles relating to organizational performance and risk management, and
  2. Because it is a risk and performance environment, it can be used to identify, assess, and monitor financial reporting risk

So is this (or something like it) the way to go for COSO 2013? I think that the accounting and investing communities expect an organization to have a real performance and risk management environment in place. COSO 2013 is merely reflecting this. Good job.

Performance Risk Management – the practical approach

Performance Risk Management is my new and immensely practical approach to integrating performance management and risk management. This is the breakthrough that finally allows the “good ideas” behind enterprise risk management to shine through.

I have written about many aspects of risk management in the past. I find the topic fascinating because it offers such great promise to help organizations of all types accomplish their goals better, faster, and more completely. Unfortunately, for years, I was frustrated by all of the static surrounding risk management. This static has made it virtually impossible to convey a clear picture of the benefits of risk management.

The static

I have spent many years thinking this through. I have always known that the core message of risk management is profound. It just seemed that there was so much static surrounding risk management that the message was always hidden in irrelevancies. I needed to understand which pieces of risk management theory were creating this static. What did I need to strip away for this message to come through loud and clear? I have come to the realization that much of this static resulted from two fallacies:

  • An improper primary focus on risks, themselves
  • Useless attempts to categorize risks; focusing on the artificial differences between risks rather than finding the universal similarities

As I started recognizing these two ‘static generators’, I was able to develop an approach to risk management that suddenly accomplished two things.

First, risk management could be intuitively aligned with an organization’s performance objectives. More than that – risk management works only if it is aligned with performance objectives. It suddenly started making obvious, practical sense to executive leadership. It’s not just a “nice theory”; it can help achieve bottom line results in a real and practical way.

Second, it became clearer why so many organizations have prematurely abandoned their risk management implementation projects. I understood that the mind numbing real-world complications that these organizations experienced were, actually, irrelevant.

Eliminating the static

The first clear realization was that risk management starts with objectives, not risks. It’s always about accomplishing objectives. Managing associated risks is simply an additional technique to help accomplish your goals. Everyone knows this intuitively. The problem was that risk management theory made, at most, a passing reference to objectives. That’s why risk management never felt right. It never actually aligned with what we knew to be true. An organization doesn’t want to expend efforts to “manage risks”. It will, however, expend effort on better techniques that help it accomplish its objectives better, faster, and more completely.

The second clear realization came to me when I recognized the waste in categorizing risks among “Strategic Risk”, “Compliance Risk”, “Legal Risk”, “Financial Reporting Risk”, etc., etc., etc. Risk management theory loves to focus on these categories. This disguises a lack of deeper understanding – the similarity among all risks. This similarity flowed from the first clear realization – a focus on objectives, not risks. While there may be many types of objectives, there is only one type of risk – an inability to effectively execute.

When you logically extend these two clear realizations, the results are profound. Once you do away with the process of classifying risks, you can focus on actually identifying the risks. Not only that, you actually have a practical framework to identify those risks – real world things that could go wrong relative to a specific objective. Useless theory melts away and practical understanding takes its place. It has allowed me to better communicate how an organization benefits from risk management, and it has also allowed me to develop a practical way to (i) initially implement risk management within an organization, and (ii) enhance management processes to deliver results better, faster, and more completely.

These are the two basic components of Performance Risk Management. Many benefits flow as a result which I will continue to address in subsequent posts.