Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: - Related articles - All articles - The author - Services

Risk Management Standards Graphic

A first step towards successful risk management standards

by Matthew Leitch, 6 March 2007

Broadening the support for risk management standards
Why this would help
Where the standards need changes
What changes are needed and why
- Risk identification
- Risk rating
- Risk appetite
What should be done to each standard
Other helpful changes
Final words
Further reading

Broadening the support for risk management standards

There is one simple step that would dramatically broaden support for risk management standards and similar authorative guides such as these:

That simple step is for them to acknowledge the existence and value of more sophisticated risk management practices than they currently describe, making them acceptable alternative methods of compliance. In this article I will explain how easily this could be done, usually with only small revisions.

Why this would help

Currently, the main standards and similar authoritive guides are inconsistent with the thinking behind more mathematically oriented approaches to risk. Consequently they exclude support from financial risk managers, operational risk managers in larger banks, actuaries, decision scientists, scientists looking at food and other chemical safety issues, statisticians, and mathematicians.

This means that the world's most knowledgeable risk specialists think in ways that are not consistent with the standards.

It also means that an organisation interested in moving towards more sophisticated approaches can find it would become non-compliant with the standards as a result, discouraging progress and innovation.

If the existing standards were amended to just acknowledge the existence of more sophisticated approaches so that they were also considered compliant then the standards would gain more support and cease discouraging improvement.

Where the standards need changes

Changes are needed in the following areas:

What changes are needed and why

To illustrate the simplicity of the changes needed to bring about this minor revolution here's how key phrases in some well known standards could be amended.

Risk identification

Most standards refer to "identifying" risks without mentioning others ways to create a sensible set of risks. This does not encompass all the good practices currently in use around the world. These include, for example:

Only the first of these examples easily fits the description "risk identification." The others create a view of risks as a by-product of a wider analysis.

The more inclusive wording I suggest is "risk identification or derivation." For example, in "A Risk Management Standard", published by AIRMIC, IRM, and ALARM jointly, the text often mentions risk identification. For example, it includes this statement:

"Risk identification sets out to identify an organisation’s exposure to uncertainty."

This would be better as:

"Risk identification/derivation sets out to identify, or derive a view of, the organisation's exposure to uncertainty."

(Arguably the authors' real intention is more derivation than identification as this sentence from the standard implies:

"Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined.")

Risk ratings

Most standards refer to considering the "probability and impact" of risks. This wording naturally fits techniques where a rating for probability is given, and a separate rating for impact. However, it does not naturally fit techniques where a probability distribution of impact is used, or some set of distributions that are or could be combined to create a probability distribution of impact or approximation to it.

This is a pity since almost nobody argues that separate probability and impact ratings are superior to the more sophisticated mathematical approaches. The argument in favour of Probability Impact grids is nearly always that they are familiar and convenient, whereas doing something more rigorous would be hard.

The alternative wording I suggest for this is to say "probability distribution of impact, or some simplification of it."

For example, COSO's ERM framework includes, in the executive summary, the statement:

"Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed."

This would be better as:

"Risks are analyzed, considering the probability distribution of impact or some simplification of it, as a basis for determining how they should be managed."

Risk appetite

Most of the standards refer to deciding some kind of "risk appetite", usually in the form of a level of risk beyond which things are not acceptable and something must be done. Quite often this is applied risk by risk.

A more sophisticated alternative that is used by many is to consider the net benefit of alternative courses of action and choose the best, having made some kind of allowance for risk. In this kind of analysis there is no set level of risk that is tolerable, but there is usually some way that risky courses of action are penalised for the risk they carry.

The wording change I suggest is to replace "risk appetite" with "risk appetite or other means of weighing risk in decisions." For example, the UK government has produced several guides to risk management, one of which is called "The Orange Book: Management of Risk". It includes the statement:

"An important issue in considering response to risk is the identification of the “risk appetite” of the organisation."

This would be better as:

"An important issue in considering response to risk is the identification of the “risk appetite” of the organisation or another means of weighing risk in decisions."

What should be done to each standard

Some standards need less amendment than others. Here is a table of some of the most frequently cited standards showing what would be worth doing to each to implement the above suggested changes. Where I have written "Substitute phrases throughout" this means use the suggested replacement phrases and should be taken to imply some editing to correct the English. Often there is a need for some other small word changes so that a standard/guide does not put forward one crude method as if it is the only possible good practice.

StandardRisk identificationRisk ratingRisk appetite
Easy to change - either high level or contains some sophisticated material already
"A risk management standard"
published jointly by IRM, AIRMIC, and ALARM.
Substitute phrases throughout.Substitute phrases throughout. It would also help to acknowledge more fully the existence of good alternatives to the grids described.No change needed. The standard does not mention risk appetite, but does include material on cost effectiveness. However, there is a section on risk evaluation that is probably a watered down version of risk appetite.
"Internal Control: Guidance for Directors on the Combined Code" otherwise known as the Turnbull report
issued by the ICAEW.
No change needed.Substitute phrases - but there's hardly anything to do.No change needed.
"RAMP: Risk Analysis and Management for Projects"
published by the Institute of Actuaries and Institution of Civil Engineers.
Substitute phrases. This is quite a prescriptive guide with its own method of breaking down risks that very nearly amounts to derivation, but not quite.Substitute phrases and amend the bullet points that discuss separate ratings of likelihood/frequency and consequences.No change needed.
"Briefing Paper - Providing Assurance on the Effectiveness of Internal Control"
issued by the UK's Auditing Practices Board
Substitute phrases throughout.Substitute phrases throughout. An illustration of an alternative to the example probability x impact matrix would be welcome.Substitute phrases throughout.
"Guidance on Internal Control and Risk Management in Principal Local Authorities and Other Relevant Bodies to Support Compliance with the Accounts and Audit Regulations 2003"
issued in the UK by CIPFA
Substitute phrases.Not mentioned.Not mentioned.
"Enterprise Risk Management - Integrated Framework"
published by COSO
This uses the phrase "Event identification" instead of "risk identification" but otherwise the substitute required is the same.Substitute phrases.Substitute phrases.
"Successful IT: guidelines on managing risk"
published by the UK's OGC
Substitute phrases.Substitute phrases."Risk tolerance" is used instead of "risk appetite", but otherwise the substitution is as usual.
Harder to change - lots of prescriptive detail about less sophisticated methods
AS/NZS 4360:2004 Risk ManagementSubstitute phrases.Substitute phrases throughout and amend wording that implies probability impact grids are the only method available so that it is clear they are one method that may be used, among others.Uses the phrase "risk evaluation" in a similar way to "risk appetite" instead of it. A similar substitution to recognise alternative approach could be made.
"The Orange Book: Management of Risk"
published by the UK government
Substitute phrases.Substitute phrases and acknowledge techniques other than probability impact grids clearly.Substitute phrases.

Other helpful changes

The phrase substitutions and related tweaks described above would be a great step forward because at last the best methods would be allowed into consideration.

However, there are many other changes that would be helpful. In time it would be good to see more positive statements about more sophisticated methods and even some discouragement of the crudest ideas, in particular the probability x impact matrices.

It would also be a great step forward to include more material about the design of controls, such as how to go about managing and doing the design work. Currently this takes up a lot of time for people but gets little or no coverage in standards and guides.

Final words

Imagine that the board of a television company looked at viewing figures and then issued the following instruction to its employees: "We have noticed that many people watch TV shows that feature celebrities and telephone voting. Therefore, henceforth all TV shows we produce and show will feature celebrities and telephone voting."

What a frightening thought! But this is analogous to the situation we have with standards for risk management. Because one rather crude approach is popular the standards are written so that only that approach is consistent with them.

The first step out of this is for the standards to acknowledge the existence of more sophisticated alternatives and this can be done very simply using the substitute phrases described in this article. In time this could open the way for more thorough reforms.

Further reading

When the British Standards Institute began to test interest in a new standard they held events to gather views. I was one of the presenters at those events and outlined some areas that existing standards tended to cover poorly in"Problem areas for current risk management standards."

The familiar model of risk identification, rating, and risk appetite comparisons has at its heart a single mistake I call the Single Risk Fallacy. This is the belief that the items on a risk register are single things that exist already and are a property of the world. The logic and implications are discussed in "What's on your risk registers?"

For a flavour of just some of the alternative ways of thinking about and managing risk try "Risk modelling alternatives for risk registers." This article contains helpful ideas on how to decide which methods are right for you.

© 2007 Matthew Leitch
New website, new perspective: - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr