Should Risk Managers Re-use Last Year’s Strategy?

Let me ask you a question. For 2013 planning, are you thinking of updating the 2012 annual audit plan or risk management plan? Alternatively, do you think major changes are required and that you need to start from scratch? While preparing the 2013 strategy or plan, you cannot afford to just tweak your previous plan and get by. You need to do the whole works and start with a plain sheet of paper.

Exactly why am I making such a bold statement? Let me explain. You must have read various surveys in which business teams state that risk managers and auditors are not addressing business concerns. The thing is, risk management practice is changing at a much slower rate than the external and internal business environment.

Below is a simple graph. The lines in the real world would not be straight; I have drawn them straight for the sake of convenience to illustrate my point.

1. External environment

The external environment is going through rapid change. This includes the social, cultural, political, legal, economic, technological, financial and competitive environment. The speed of change is so high that most organizations are failing to keep up. Hence, there are numerous upside and downside risks in the external environment that organizations are clueless about.

2. Internal environment

Organizations attempt to make sense of and adapt to the changes, but at a slower rate than the external environment changes. During a year, many organizational changes take place. Changes occur in business strategy, objectives, policies, procedures, organization structure, roles and responsibilities, governance models, products, knowledge, processes, systems and technology. Due to these changes, the risks within the organization change. Numerous risks remain unaddressed when we do not consider these changes while preparing a risk management strategy.

3. Risk management function

The risk management discipline as such is changing at a slow pace. If you recall, COSO issued “Internal Controls – Integrated Framework” in December 2011 for public comments. The internal control definition had not changed and only some areas were improved, even though this was the first revision issued after 1992. COSO received so many comments that it now plans to issue the final version in 2013.

Within organizations, the situation is the same. Risk management and audit functions are the last to change. While CEOs are demanding that they advise on strategic risks, very few are rising to the occasion. Even with five years of financial crises and a slowdown of the economy, the surveys show limited improvement in the performance of risk management and audit functions. They haven’t leveraged the opportunity, leaped forward or made great strides. They are cribbing about the same old issues of lack of top management support instead of focusing on the changing business landscape.

Hence, the gap in risk managers’ and auditors’ knowledge of business risks is huge. If they are not tuned into the internal business environment, they leave some risks unaddressed. If they haven’t focused on the external environment, there are a number of unknown risks that can affect the organization at any time. Therefore, the annual risk management strategy and/or plan is ineffective if these aspects haven’t been considered.

Closing thoughts

The business environment risks can best be described in the words of Donald Rumsfeld, the former US Defence Secretary. He stated at a press briefing relating to the increasingly unstable situation in post-invasion Afghanistan: “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.” Risk managers and auditors are in the same situation. Hence, strategy and plans have to be devised keeping this in mind. Start from scratch for the 2013 strategy.

Watch this video and share with me: will your old strategy work?