
How Will Risk Management Change as We Emerge From This Crisis?

April 28, 2020 Information Management
By Norman Marks

People, especially consultants, are not only telling us how to address the pandemic but also what we should look for when it’s all over.

In his latest post, my good friend Michael Rasmussen makes some good points. He is always worth listening to and this post is no exception. "Keep Calm & GRC On!" reminds us, first, what GRC is all about. I like the OCEG definition that he quotes as it makes sense. GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

He spells out his vision of what risk management (in particular, although he also touches on contingency planning and policy management) will look like once we are done with COVID-19. But I have a different perspective.

It's Time for Risk Managers to Prove Their Worth

It’s a tough line, but we need to face reality.

Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure, which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations.

These same leaders should now be asking whether the risk management program they had in place prepared them for the crisis, and whether it is helping them navigate through it now.

If risk practitioners (and internal auditors) are setting their prior practices, frameworks and standards aside and doing what the organization needs right now, they will earn recognition and respect from the board and management.

But if they insist on doing what they always have done, sharing heat maps and performing audits of what used to be risks, they are going to be seen as getting in the way of the management team. They are not helping in a time of crisis, when people need to make rapid and critical decisions.

Now is the time to prove our worth. Find out how we can help and then do it.


Our Risk Management Future: From Push to Pull

Later, we should change from what I call (in Lean terminology) a "push" approach to one that is more of a "pull" approach. What I mean is that we should figure out what the organization needs from us if they are to be successful, and then deliver it (pull) — instead of doing what we think is right (based on industry or professional standards) and hoping that once we push it at them they will see some value.

I explain this and more in a recent video call I did with Alex Sidorenko. (I join the call a few minutes after it starts.)

I welcome your comments.

About the Author

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management, and he publishes regularly on his own blog.
