Most Companies are wrong about risk management

nicolasbobichon
Plaudits for Audits
3 min read · Dec 26, 2016

Companies spend considerably more energy controlling their risks than identifying them. Yet the two activities matter equally: a control is only as effective as the identification of the risk it is meant to address.

The internal audits I have carried out have often enabled me to note that when companies do not master their major risks, it's because they often do not know them well enough. Deficiencies in control actions come only second. This is difficult to prove directly, but business failure statistics alone make it clear that high and rapid mortality rates can only reflect poor risk management. Companies that are over 30 years old are very rare. On average, 50% of companies disappear in their first 5 years of existence. These bankruptcy filing statistics are worse in reality, as they do not include entities that would have disappeared had they not been financed by a group or bought by another company. It seems logical that a company aware of its major risks should be able to survive longer, even if it has to reorient its activity. These high mortality rates, and how quickly they occur, thus seem to be explained by ignorance or misjudgement of the major risks.

Entity managers have little genuine involvement in identifying and mapping their entities' risks, even though their involvement is essential. These mappings are often fed only bottom-up, by compiling risks reported upward from intermediate management levels or quality systems. What is missing is top-down involvement of management to complete, filter and make this work more reliable. Management wrongly perceives risk management as an administrative exercise; on the contrary, it is a complex exercise that cannot be entrusted to people who lack a global view of the issues. This is all the more true because there is no robust method for identifying major risks. They are of very varied origin: technology, regulation, competition, performance, etc. Management may also feel deprived of a method, and regain confidence only once a list of risks has been established: from that point the Cartesian machinery can start, and the feeling of control returns through the definition of action plans, owners, deadlines, etc.

For instance, it is striking that digital is a major risk (and also an opportunity) that is, or was until recently, often misidentified despite a continual increase of the threat: the total dependence of operational activities on IT systems, the growth of cybercrime, massive changes in consumption habits that allow competitors to emerge very rapidly (Uber …), and the recurring difficulty of controlling the cost of IT projects. Management is often uncomfortable with this digital risk and often adopts the policy of the ostrich …

Internal auditors face the same difficulty.
They cannot formally prove that a major risk is missing or badly weighted, since there is no method guaranteeing the completeness and relevance of the result.
They also tend to remain cautious in their recommendations on the identification of major risks: since they are not the experts of the business, they consider their legitimacy fragile vis-à-vis operational staff when it comes to identifying risks. Yet, with their external viewpoint and the considerable time an audit engagement spends observing the entity from the perspective of risk, an audit is clearly a privileged moment to challenge the identification of risks.
