Tim Leech and I have been sharing our own perspectives on this question and would like your views.
Tim's view is:
An "effective" risk management system is one that produces materially complete information on a timely basis on the organization's residual risk status. This system needs to be re-evaluated each time a significant risk materialized that wasn't foreseen. In cases where frequency and severity estimates were materially wrong, efforts need to be taken to see if the information system can be improved.
Norman's thinking is that whether the risk management process is effective should be measured by looking at results, not just the processes:
An "effective" risk management system is one where there is an appropriate risk culture, decisions (at all levels) are based on an understanding and consideration of risks, and risks that are either above or below risk targets are managed towards that target. This implies continuous monitoring of risk levels and adjustment of responses, with appropriate communication throughout the enterprise. Management's processes have to provide a reasonable level of assurance that risks are identified on a timely basis, fairly assessed, and appropriate actions taken. Obviously, a lot has to happen within the risk management processes/systems to support the above.
What do you think? We asked a group of experts and here are their answers:
- The institutional process and good business practices of minimizing possible losses to the organization's operations through collaborative and supportive efforts of management, staff, and customers in their planning, execution, and monitoring of their roles and responsibilities for the short-term and long-term welfare of the business. (Prof. Frederick Gallegos)
- An effective risk management system is embedded within formalized, mature governance and management processes. It is not a system to be externally applied. Organizational culture and formal processes in place promote understanding of risk, definition of appropriate risk appetite, and approval for decisions that exceed the risk appetite. Effective risk management systems are maintained by reporting that promotes a transparent view across the organization — of the formality within management processes, and the effectiveness of risk consideration and communication. (Dan Clayton)
- Effective risk management consists of repeatedly electing a course of action from available options (including the option of doing nothing) consistent with an accurate understanding of stakeholders' risk appetite and time horizon (which implies communication of expectations by stakeholders) carried out by competent (skilled and experienced) personnel with timely monitoring by those personnel and by the stakeholders or their representatives so that appropriate adjustments can be made as conditions change. (Charles Yates)
- Effective risk management is maximization of the company's potential-to-pain ratio. (Cass Brewer)
- Effective risk management is when each risk event identified is examined through the lens of both the direct loss to the firm and indirect losses that may arise because of damage to the firm's reputation associated with the event. (Deon Binneman)
- Risk management is about bringing a perspective to the management of complicated issues in complex organizations. It is about the management (and not the avoidance) of risk. It helps to prioritize your work and that of others in a fast-moving context with an approach that is better than simple intuition and which facilitates communication between people. It is a style of thought, and is definitely not a paper chase. (Richard Anderson)
We would love to get your views and perspectives.