How Will Risk Management Change as We Emerge From This Crisis?

April 28, 2020 Information Management
By Norman Marks

People, especially consultants, are not only telling us how to address the pandemic but also what we should look for when it’s all over.

In his latest post, my good friend Michael Rasmussen makes some good points. He is always worth listening to and this post is no exception. "Keep Calm & GRC On!" reminds us, first, what GRC is all about. I like the OCEG definition that he quotes as it makes sense. GRC is “a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and act with integrity [COMPLIANCE].”

He spells out his vision of what risk management (in particular, although he also touches on contingency planning and policy management) will look like once we are done with COVID-19. But I have a different perspective.

It's Time for Risk Managers to Prove Their Worth

It’s a tough line, but we need to face reality.

Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, these programs helped anticipate and avoid failure, which is hardly the same as achieving success. At worst, they were cost centers that helped comply with regulations.

These same leaders should now be asking whether the risk management program they had in place prepared them for the crisis, and whether it is helping them navigate through it now.

If risk practitioners (and internal auditors) are setting their prior practices, frameworks and standards aside and doing what the organization needs right now, they will earn recognition and respect from the board and management.

But if they insist on doing what they always have done, sharing heat maps and performing audits of what used to be risks, they are going to be seen as getting in the way of the management team. They are not helping in a time of crisis, when people need to make rapid and critical decisions.

Now is the time to prove our worth. Find out how we can help and then do it.

Our Risk Management Future: From Push to Pull

Later, we should change from what I call (in Lean terminology) a "push" approach to one that is more of a "pull" approach. What I mean is that we should figure out what the organization needs from us if they are to be successful, and then deliver it (pull) — instead of doing what we think is right (based on industry or professional standards) and hoping that once we push it at them they will see some value.

I explain this and more in a recent video call I did with Alex Sidorenko. (I join the call a few minutes after it starts.)

I welcome your comments.

About the Author

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management, and he publishes regularly on his own blog.
