Companies spend considerably more energy controlling their risks than identifying them. These are, however, two equally important activities.
When companies do not master their major risks, it is often because they do not know them well enough.
Looking only at the statistics of business failure, it seems clear that high and rapid mortality reveals poor risk management. Companies that are over 30 years old are very rare. On average, 50% of companies disappear in their first 5 years of existence. A company aware of its major risks must be able to survive longer, even if it has to reorient its activity.
Entity managers have little genuine involvement in their entities' risk identification. Setting up controls is easier.
Management has an erroneous perception that risk identification is an administrative exercise. On the contrary, it is a complex exercise that cannot be entrusted to people who do not have a global vision of the issues. Often these risk mappings are wrongly fed bottom-up, by compiling risks identified at intermediate management levels or in quality systems. What is often missing is top-down involvement of management to complete, filter and make this work more reliable.
It is possible that management also feels it lacks a method, whereas it regains confidence once a list of risks is established. The Cartesian systems can then start, and the feeling of control returns through the definition of action plans, managers, deadlines, etc.
Internal auditors face the same difficulty as managers. They cannot prove that a major risk is missing, since there is no method for proper risk identification.
Auditors tend to remain wrongly cautious in their recommendations on the identification of major risks, since they are not the "experts of the activity they are auditing". They therefore consider their legitimacy to identify risks to be fragile. Yet an audit is a unique moment to challenge the identification of risks. Auditors should go further and express a clear opinion on risk identification.
The next post dedicated to management will focus on adjusting controls to the level of risk.