Thursday, October 7, 2010

5 Minute Risk Audit


by Rick Nason, PhD, CFA
Partner, RSD Solutions Inc.

Met with a senior risk manager last week for breakfast. They have a very hectic job. Lots of reports and analysis to do for the quarterly report for senior management and then an annual report for the Board. Lots and lots of reports and analysis. Templates to fill in, data to collect, charts to be drawn, results to be collated, definitions to be defined and disseminated, etc. etc. etc. 24/7 job.

What if things change? What if a paradigm-changing event happens whereby management and/or the Board needs a risk status now? Can your firm do a 5 minute risk audit? Will your firm know where it stands on a real-time basis, or do you need to wait to see the quarterly report (or perhaps even the annual report)? What is in the 5 minute report? Will your 5 minute risk audit be up to the task?

Monday, October 4, 2010

Rejigging COSO (Vicente Series Part 6)


by Rick Nason, PhD, CFA
RSD Solutions Inc.

I have never been a huge fan of the COSO framework (or any framework for that matter – see my presentation Get Creative or Take the Risk, which was presented at the 2008 Treasury Management Association of Canada’s annual conference  http://www.rsdsolutions.com/rick-nason039s-presentation-slides-tmac-annual-conference-2008 ).  Despite that, the COSO framework is still the basis for most Enterprise Risk Management systems. 

Admittedly, the COSO framework is one of the best frameworks out there, and it certainly is comprehensive.  (That tends to happen when a system is designed by a committee of consultants who do not have to worry too much about implementation.)

We are all familiar with the three-sided COSO cube. One side of the cube of course has the delineations of: 1. Entity Level, 2. Division, 3. Business Unit and 4. Subsidiary, for which each of the functions of risk management is to be examined and implemented.

In The Human Factor, author Vicente offers up what he calls the “Human-Tech Ladder”, which describes the ways that humans interface with technology. Vicente’s steps are: 1. Physical, 2. Psychological, 3. Team, 4. Organizational, and 5. Political. I propose that these are much better delineations for consideration for the COSO framework than the ones presented in the previous paragraph.

A risk system should be usable (Physical), deal with the individual (Psychological), deal with group interactions (Team) and organizational factors (Organizational), and also incorporate factors from the broader aspects of the marketplace and society (Political).

For most organizations this is a much more effective conceptual framework of risk units, and much more implementable.  Perhaps it is time to form another working committee.

Friday, October 1, 2010

Low Tech or High Tech (Vicente Series Part 5)


by Rick Nason, PhD, CFA
RSD Solutions Inc.

We all have seen high tech risk management systems (and processes).  Every risk conference has software vendors all putting forth the latest and greatest in terms of systems that will put your firm in complete control.  These systems are truly impressive in terms of their scope and their attention to the state of the art in risk management.

We also know firms that manage their risks through “low-tech”.  Very simple systems that are perhaps captured solely on a sheet of paper, perhaps in an Excel template, or in the simplest cases perhaps in a senior executive's head (and with significant gut-feel).

Many firms have a hybrid form of risk management system.  They have a high-tech system, but rely on the low-tech decisions of senior managers.

As Vicente puts forth in his book, perhaps it is time that we spent more time thinking about Human Tech risk management systems.  That is, risk management systems and processes that use the best of technology and techniques, but also engage the people who have to implement them, and make decisions based on their output.  These are the types of risk management systems that are not only practical, but also efficient and effective.

Which type of risk management system does your firm use?  Which type of risk management system should it use?  How many people in your organization have considered that question?