Risk Assessment: Why Is Everyone Making Such a Mess?
There is no shortage of guidance on risk management, much of which (COSO, ISO 31000 and ISO 27005, for example) has been around for some time and is generally accepted as sound practice. So why is everyone making such a mess of risk management? Why didn’t G4S manage the risk of failing to supply sufficient security staff for the London 2012 Olympics, why didn’t Sony protect itself against theft of customer information, and why didn’t NatWest ensure the accuracy and availability of its systems following a software update problem? Less well publicised failures to manage risk are happening every day across the world and causing serious financial and reputational damage to the organisations concerned.
The answer is simple: risk management is difficult to implement, and poorly implemented risk management programmes don’t provide the actionable intelligence on which decisive risk management decisions can be taken. As a result, senior management lose confidence in the programme, and without their support the programme dwindles into a box-ticking exercise to keep the auditors happy.
These are some of the symptoms of a poorly implemented risk management programme:
· Risks are measured and ranked using an apparently arbitrary scale that nobody really understands and that doesn’t relate to business targets or indicators
· Risk owners can identify and classify risk, but have to take an educated guess at the residual risk assessment, the important figure that takes account of efforts to mitigate the risk
· Risk mitigation actions aren’t given priority because action owners don’t have confidence in the risk assessments
· Risk reporting is inflexible and often out of date
· Risk information based on human input, judgement and bias varies across the organisation, making comparison and prioritisation difficult
· There is little confidence that the risks declared on risk registers are a true reflection of the risks facing the organisation.
A secondary problem lies with the technology used to support risk management programmes. These often start with in-house spreadsheet developments, which invariably fail due to a lack of scalability, user management and workflow, and the manual effort required to provide reporting.
The second step is to look for a Governance, Risk and Compliance (GRC) software solution but automating a weak risk management framework will always fail, no matter how good the technology.
The answer is to define a solid risk management framework based around one of the several credible guidelines and standards, and then look for a configurable GRC tool, such as Acuity’s STREAM Integrated Risk Manager, to support implementation of the risk management programme. In addition to being highly configurable to support the chosen framework, key capabilities of a GRC tool should be the ability to: enforce consistency across the organisation; assist with automatic calculation of residual risk; and provide flexible, easy-to-understand reporting.
Simon Marvell is a Partner of Acuity Risk Management LLP and has been working in the risk management industry for nearly 30 years. Acuity provides the GRC software solution STREAM Integrated Risk Manager, which is available as a free download from the Acuity website, www.acuityrm.com.