Governance, Risk and Compliance

Practical guidance for governance, risk and compliance

Event Risk: Managing Failure or Improving Performance?

Posted by brucemccuaig on November 17, 2009

This is the second in a series of blog posts examining the three basic risk assessment approaches used by internal audit (Context risk), compliance (Behavior risk) and risk management (Event risk) professionals. All three professions perform risk assessments, yet the three approaches are fundamentally different, with largely offsetting strengths and weaknesses. To improve GRC processes, it is important to understand and exploit those strengths to reduce loss events and near misses.

I’ve used the following analogy a number of times, so apologies if you have heard it before. The intent is to contrast the Event risk approach with the Context risk approach. Auditors use a Context risk approach with the objective of assessing where “fires” can occur, or where they would cause great harm if they did occur, and they use their assessment results to place fire extinguishers (i.e., controls) in the right places. I spent a few years as a volunteer fireman and took some training in fire safety and fire inspection practices. You might think fire inspectors focus on fire extinguishers when they do fire safety inspections. That’s only partly true. Firemen know that fires require a source of ignition, a combustible material and the presence of oxygen. Remove any one of those three ingredients and fires will never happen. Firemen and fire inspectors therefore spend most of their time looking for sources of ignition and combustible materials. If you know what can cause a fire, it’s better to remove the cause than to rely entirely on extinguishing the fire.

In comparison, Event risk professionals start from the basic assumption that risk events are predictable and seldom truly random, and that the more you understand about a risk, the more likely you are to prevent or avoid it. Alternatively, if you are a financial professional, you may wish to assume risk; but if you know and understand your risks better than your competitors, you can design your products to avoid risk, or at least price your product to include the cost of the risk exposure you intend to take. There are all kinds of methods for identifying, assessing and managing Event risks. Basel II is the framework for most financial and operational risk in financial institutions. COSO ERM provides tools and guidance on Enterprise Risk. ISO 31000 is about to be released as a generic risk management standard. Unlike Context risk assessment, these risk frameworks all share the premise that risk can be reduced or eliminated and that controls are secondary and possibly even superfluous. (Try talking to an Event risk person about the importance of COSO controls.) More importantly, I believe that Event risk frameworks factor out human behavior as an element worth considering.

What specific tools can Event risk people contribute to reduce GRC failures? I believe their use of risk indicators, performance indicators, root cause analysis, loss event tracking, incident tracking and quantitative tools is essential and valuable to the GRC cause. Event risk professionals are also some of the most proficient and effective users of enterprise technology. None of these tools are required by audit standard setters, and few are used by audit professionals.

Although some emphasis on the Context risk approach (fire extinguishers) is good business practice, I would assert that to truly impact business performance, GRC professionals must embrace the disciplines of Event based risk (ignition sources) as part of their overall enterprise risk management charter.

3 Responses to “Event Risk: Managing Failure or Improving Performance?”

  1. I bookmarked your site, this is very useful, thank you. Please check mine: crm – customer resource management

  2. Thanks for the interesting approach.

    I just mentioned it on twitter via http://twitter.com/michael_speller

    Regards

    Michael
