I have said many times that decision-making is at the heart of risk management. Every decision creates or modifies risk.
Decisions are where risks are taken! Decisions determine how risks are "treated" (if you like that word; "modified," "managed," or "addressed" if you don't). So we should be concerned about the quality of decision-making.
But, let's first remind ourselves about the core principles of risk management. Then let's see where decision-making fits.
The ISO 31000:2009 global risk management standard has 11 principles:
1: Risk management creates and protects value.
2: Risk management is an integral part of all organizational processes.
3: Risk management is part of decision making.
4: Risk management explicitly addresses uncertainty.
5: Risk management is systematic, structured and timely.
6: Risk management is based on the best available information.
7: Risk management is tailored.
8: Risk management takes human and cultural factors into account.
9: Risk management is transparent and inclusive.
10: Risk management is dynamic, iterative and responsive to change.
11: Risk management facilitates continual improvement of the organization.
These are all very good. But I think they can be simplified and clarified. In
World-Class Risk Management, I have six principles:
- Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
- Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
- Risk management is dynamic, iterative and responsive to change.
- Risk management is systematic and structured.
- Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
- Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.
The very first sentence in COSO's 2017
Enterprise Risk Management: Integrating with Strategy and Performance is: "Integrating enterprise risk management practices throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations."
Unfortunately, while COSO has 20 risk management principles, not one relates to decision-making.
Let me suggest that if the processes for making decisions are poor, that is a huge source of risk to any organization. It is highly likely that the wrong risks are being taken (or not taken) and this will significantly impact the achievement of objectives and the delivery of value. So achieving ISO's and my principles (arguably, they all relate to decision-making) is essential if risk management (in fact, 'management') is to be effective.
Here's an interesting fact. According to McKinsey, "60 percent of senior executives say that bad decisions were about as frequent as good ones"! That should worry us all.
The McKinsey piece (see link above) has some useful information on the causes of poor decision-making. I recommend reading it. The causes of poor decision-making, which I refer to as "risks to effective risk management," are also covered in Chapter 18 of
World-Class Risk Management.
Here are a couple of additional, useful articles on decision-making:
So what does this all mean?
For board members and the executive team:
- Do you have reasonable assurance that quality decisions are being made?
- Are the right risks being taken? Remember that risk is not taken only by the board or executive team. It is being taken through decisions made every day across the extended enterprise.
- If the wrong risks are being taken as a result of poor decision-making processes, when will you know?
- What is the risk of poor quality decisions?
- How can the incidence and effect of poor decision-making be reduced to acceptable levels?
For risk professionals:
- What is the level of risk of poor decisions?
- Is that acceptable?
- What can and should be done?
- Should there be guidance from risk practitioners on decision-making?
- Should the chief risk officer help management develop a decision-making framework?
For internal audit practitioners:
- Should the risk of poor decisions be included as a priority on the audit plan?
- Are there specific sources of risk to decision-making (such as poor information, lack of process and discipline, failure to work as a team and include all affected parties, and so on) that should be addressed in the audit plan?
- Should the chief audit executive facilitate a discussion with the executive team on this topic?
I believe this is a very important topic.
- Do you agree with me?
- What should be done and by whom?
- Is this something that should concern every practitioner?
I welcome your thoughts.