How do we make decisions based on risk reward when the risk information is out of date? Traditional point-in-time reporting in risk management can result in an artificial view of how your organisation is doing. In this video, David Tattam talks about what you can include in a Risk in Motion report to create a dynamic risk profile of your organisation.
In a life prior to risk management, I was an accountant, a chartered accountant. And I guess all the time I was doing that it was of great interest to understand the measurement and the performance of an organisation.
The issue I always had was that the measurement we were doing was at a point-in-time, the period end balance sheet, the period end profit and loss account. And it seemed to give in many ways a slightly artificial view of how the organisation was really performing because it was a point-in-time.
I then moved into risk management, which was more interesting in the sense that it was more forward looking. But then I came across a similar problem, the period end view of risk. We have the risk register, which we report through a risk assessment now and again, and that gives us a snapshot of our risks, related controls, the level of risk at a certain point-in-time. Sometimes those risk assessments might only be done maybe even annually, sometimes semi-annually, maybe exceptionally quarterly.
Now three months, six months, 12 months is a very long time between snapshots in risk, so how do we make decisions based on risk reward when the risk information is really out of date?
I guess put very simply, badly.
Making your risk more dynamic
So how do we make risk more dynamic? The issue is really that risk is in motion, all the time it is dynamic, it's forever changing.
Unless we can furnish that outdated view to decision makers and management, it's very hard for them to make quality decisions, and also to have up to date assurance that our risk is being appropriately managed. So this takes then to moving forward thinking about a more dynamic risk profile.
How do we get that? Well, the key, we believe, is to bring all the information that you have around a particular risk together in one snapshot.
Now, what information do we have coming out of a typical enterprise risk management framework system?
We have the traditional risk assessment, the once a year, once a period view, it does help us in some manners, but static. That can be supplemented by incidents - what incidents that we had around that risk recently, also incidents that have occurred with external parties, external data.
What about controls assurance? Updating the level of effectiveness of our controls over that risk any point in time?
What about indicators? Tracking key risk indicators, key control indicators around that risk to give a more up to date view.
What about attestations? Where we might have people attesting to their external internal compliance requirements, particularly compliance around a particular risk that we might have?
And finally, what about issues and actions? Any issues outstanding for that risk, any actions on controls treatment methods that we haven't yet implemented. If we could bring that all together and use the most recent data we have on each of those and then paint a picture that is now an updated dynamic risk profile, this would get away from this problem with static information.
Now at Protecht, we refer to this principle as Risk in Motion, reflecting that risk is constantly moving and it is dynamic and Risk in Motion is trying to give the updated real time profile view of risk.
If you'd like to know more, please visit our website. Please feel free to join up with me on LinkedIn.
So see you later. And until next time, take care.