Let me ask you a question. For 2013 planning, are you thinking of updating the 2012 annual audit plan or risk management plan? Or do you think major changes are required and you need to start from scratch? While preparing the 2013 strategy or plan, you cannot afford to just tweak your previous plan and get by. You need to do the whole works and start with a blank sheet of paper.

Exactly why am I making such a bold statement? Let me explain. You must have read the various surveys in which business teams state that risk managers and auditors are not addressing the business's concerns. The thing is, risk management practice is changing at a much slower rate than the external and internal business environment.

Below is a simple graph. In the real world the lines would not be straight; I have drawn them that way only for convenience, to illustrate my point.

1. External environment

The external environment is going through rapid change. This includes the social, cultural, political, legal, economic, technological, financial and competitive environment. The speed of change is so high that most organizations are failing to keep pace. Hence, there are numerous upside and downside risks in the external environment that organizations are clueless about.

2. Internal environment

Organizations attempt to make sense of and adapt to these changes, but at a slower rate than the external environment. During a year, many organizational changes take place. Changes occur in business strategy, objectives, policies, procedures, organization structure, roles and responsibilities, governance models, products, knowledge, processes, systems and technology. Because of these changes, the risks within the organization change. Numerous risks remain unaddressed when these changes are not considered in preparing the risk management strategy.

3. Risk management function

The risk management discipline as such is changing at a slow pace. If you recall, COSO issued “Internal Control – Integrated Framework” in December 2011 for public comment. The definition of internal control had not changed and only some areas were improved, even though this was the first revision issued since 1992. COSO received so many comments that it now plans to issue the final version in 2013.

Within organizations, the situation is the same. Risk management and audit functions are the last to change. While CEOs are demanding that they advise on strategic risks, very few are rising to the occasion. Even after five years of financial crisis and economic slowdown, the surveys show limited improvement in the performance of risk management and audit functions. They haven’t leveraged the opportunity, leaped forward or made great strides. They are cribbing about the same old issues of lack of top management support instead of focusing on the changing business landscape.

Hence, the gap in risk managers’ and auditors’ knowledge of business risks is huge. If they are not tuned in to the internal business environment, they leave some risks unaddressed. If they haven’t focused on the external environment, there are a number of unknown risks that can affect the organization at any time. Therefore, the annual risk management strategy and/or plan is ineffective if these aspects haven’t been considered.

Closing thoughts

The business environment risks can be best described in the words of Donald Rumsfeld, the former US Defense Secretary. He stated at a press briefing relating to the increasingly unstable situation in post-invasion Afghanistan: “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.” Risk managers and auditors are in the same situation. Hence, strategy and plans have to be devised keeping this in mind. Start from scratch for the 2013 strategy.

  1. It is mind boggling and a wake-up call which we have to take in our hands and move along with. Indeed the improvement in technology is fast moving and a more assertive approach must be adopted in order to be on par with the changing times. Therefore I agree that overhauling and not adjusting should be the mindset of the auditor in developing the plan for 2013. This will enable us to avoid missing out so much on the “unknowns”; too often we are comfortable with the known possible risks.

  2. Thank you Sonia for this insightful article. I have taken a particular interest in the subject of Risk Management because of its impact on business performance and, importantly, because of the visible role that Internal Auditors should be playing in that area. I am also concerned by the huge knowledge gap that exists among Internal Auditors with regards to business risks; the graph that is included in your presentation is quite telling! I work in an environment where risk management has not been embraced at all and where it is viewed in the same light as loss control. The spirited attempt that we have made to introduce Risk Management is apparently stalling due to a number of factors, such as slow buy-in into the concept and a rigid mindset that strives to maintain the status quo. In our case, two years down the line since Risk Management was adopted by the Board, not much ground has been covered to ensure that it is fully operational. This has, without doubt, affected our Internal Audit Function directly, in that our risk-focused audit plans tend to operate in a vacuum, as we are simply not on the same wavelength as the rest of the organisation when it comes to Risk Management! It's a unique challenge that we are faced with here!

