Risk convergence is quite the buzz-phrase in the world of risk. People are flying around attempting to model operational risk against enterprise risk curves. Some folks are still trying to crack the useful “risk metric” nut. Disparate groups in the same company that do risk assessments in different context are beginning to collaborate. I work in a large company where risk convergence is occurring.
As to be expected, it is year end at the “big company” and time for some risk reflection. Executives – and I somewhat use that word loosely – love to pimp “accomplishments” – and I use that world loosely as well. The crown jewel risk convergence accomplishment for this year was a common risk vernacular. Now, there was some hard work that went into this accomplishment that involved a lot of inter-department politics, egos and who knows what else. There is a lot of value in having a common risk vernacular – I do not argue that. But having a common risk vernacular does not really contribute much to decision making when it comes to risk.
In most large companies, risk issues or control that are found by Internal Audit teams usually get reported to the CEO and the Board. It is reasonable to assume that some of these findings are actually read by the CEO or the Board or other interested parties that have a C at the beginning of their title. But I have seen IT-related Internal Audit findings numerous times and none of them have ever articulated exposure the company faces by having the identified “risk issue” or “control issue”. I have seen some that there is probably some significant exposure and have seen others where there is little if any exposure.
The frustration I have is that information risk management issues are being treated differently then risk issues found by other risk groups. This can result in the following (and this is more through the lens of information technology):
1. There are numerous times where risk groups will write issues for the same IT area. Thus, from a mitigation stand point – there is competition for the same resources. Issues that have more visibility from a leadership level usually get prioritized above issues that have less visibility.
2. Some risk groups are able to articulate exposure in terms of dollars. Other groups articulate in terms of levels of bad. So, a not-so-bad issue (little if any monetary exposure) that has more visibility from a leadership perspective can get prioritized above a risk issue where expected annualized loss is significant.
Maybe I have unrealistic expectations when it comes to risk convergence – or maybe I am being too eager. What I want to see and continue to reinforce to those that will listen, is information that is actionable:
1. Risk issues that have dollar values.
2. Equal treatment of risk issues.
3. Consistent classifying of risk issues (from a qualitative label perspective)
I do not believe that risk convergence is really that radical where it should take years in a big company to achieve. I think there is unwillingness by the functional risk groups to give ground. I think there is unwillingness by leadership to tackle some tough risk-related obstacles– and choose instead to focus on common language that quite frankly a small groups practitioners that make far less money could have done.
I am professionally and personally excited for 2009. This post is really a venting but should not be taken as an indicator as the norm of where I work at. There are some really super cool risk convergence efforts I am participating in as part of my job. I hope I can share some information about them in the coming months – even if vaguely.
What are your thoughts on risk convergence? Have others observed these frustrations? Can anyone share some success stories?
Have a great weekend and thanks for reading the post!