
Very Useful Guidance on Risk Management Best Practices


I want to congratulate IIA–Norway for their recent publication, Guidelines for the Risk Management Function (PDF). A group of practicing risk management professionals developed this guide with the aim of describing best practices that apply regardless of industry.

I like a lot of what they say, for example (emphasis added):

  • The taking of risk is a natural part of running any enterprise, but it is often not explicitly stated in the formulation of business decisions. The expression "risk" has often been exclusively associated with unwanted events, and risk management has been defined as analyzing and restricting the probability and impact of unwanted events. This is only one dimension of the total picture. Evaluating positive outcomes is just as important an element of ERM as evaluating the downside as ERM is concerned with the whole picture enterprisewide and evaluating risk strategy in relation to a portfolio of risks.
  • The objective of ERM is to maintain risk at an acceptable level and ensure the best balance possible between threats and opportunities — in line with the risk appetite and business strategy of the board and executive management. It is concerned with ensuring the achievement of goals as the enterprise develops and appropriate management of the organization's assets, including avoidance of losses as a result of unwanted events.
  • A prerequisite for being able to exercise sound risk management is therefore that there are clearly defined goals at the strategic level, to which goals at other levels in the organization may be linked. In this way risk evaluations at all levels will be linked to a hierarchy of objectives which supports the enterprise's overall strategy.
  • In practice this means ensuring the best possible basis for arriving at decisions at the various levels of the organization, so that the decisions made will support the overall objectives. Subsequently it is important to have a sound mechanism to ensure the achievement and monitoring of the decided activities.
  • Risk management may be defined as systematic, coordinated, and proactive activities aimed at the evaluation and treatment of uncertainty and events which can impact the achievement of goals. This includes amongst other things the organization's ability to: 
    • Influence the probability and positive or negative impact of events. 
    • Understand/exploit correlation between various types of risk. 
    • Monitor development of the risk profile over time. 
    • Initiate activities which align the path of development with the required direction. 
    • Build a culture which ensures the implementation of activities and leads to sound risk management.
  • ERM means taking a holistic perspective, not just of the enterprise's status at a given moment, but also probable positive and negative developments in the future. In this way it becomes a tool for the balanced prioritization of resource utilization. For this reason, this work should also be harmonized with other management activities such as performance scorecards.
  • It is important that defined risk appetite can be translated into operational practice. There should be a common thread going through an organization's various objectives, management limits, authorities, and scope of action which accords with the total risk appetite and strategy. In those organizations where it is difficult to quantify risk appetite, it is especially important to devise suitable guiding principles delineating who as a decision maker can decide what should be the acceptable level of risk based on the relevant qualitative evaluations.
  • Risk management and decision making are interconnected. When making any major strategic decision, executive management should require a set of scenarios to be presented detailing impact and alternative actions, especially in the situation where there may be a high level of uncertainty.

There is a lot more useful information, including guidance on the roles of the various parties charged with managing risk in the pursuit of objectives. I leave you to read the paper in full.

What do you think of it? Do you agree? Is it practical to expect potential positive effects to be evaluated with the same discipline as adverse consequences?

I welcome your comments.
