A New Approach To Risk Oversight: A Lens To Look Through And Levers To Pull

Bruce McCuaig

Risk management continues to fall short of expectations. Surveys show boards and senior executives believe risk management is important, but they also reflect an overwhelming dissatisfaction with the ability of boards and senior executives to effectively oversee risk management.

According to recent research by the NC State Enterprise Risk Management Initiative in a survey of companies:

“68% indicate that the board of directors is asking “somewhat” to “extensively” for increased senior executive involvement in risk oversight. That is even higher for large companies (86%) and public companies (88%).”

Recently, with my GRC colleagues at SAP, I’ve been experimenting with a new approach to risk oversight and strategy. Our approach provides a new lens to look through that allows companies to manage risks strategically.

We believe risks can be divided into four broad categories, each of which requires a unique primary strategy. This is the first in a series of blogs building on comments and feedback we received over the past 18 months as we developed this concept.

With this blog we’re introducing a new iOS app we have developed to categorize risks. Download your early version of the app. It contains a number of embedded videos that expand upon our conclusions about risk management and provide examples of a lens to look through and levers to pull.

In the next few weeks, we’ll introduce an updated version of the app, expand on the ideas and tools we’ve developed, and solicit your comments.

Beyond heat maps: A new lens for risk oversight

The diagram below outlines the basic concepts of the approach. The horizontal axis captures risk level as depicted on a traditional heat map. We suggest that risk levels can only be lowered to a finite degree by traditional controls. Beyond that point, risk management strategies must focus on avoiding the risk.

A simple example is that if one relies on fire extinguishers as a primary strategy for fire prevention, then implicitly, fires are an acceptable risk. If, consistent with that belief, fires were spontaneous, unpredictable, and unpreventable, then such a strategy might make sense. But controls are a bad approach for fires and any other similar risk where the necessary precursor events and conditions are known and discernible. If a major risk can be predicted, it must be averted, not controlled.

Similar examples will be provided for each quadrant in future blogs in this series.

The vertical axis captures management’s willingness to accept a risk. Assessing Risk Level and Risk Acceptance Willingness results in risks being placed in an appropriate quadrant. Each quadrant requires specific risk management practices and specific information and solution capabilities.

Risk Quadrant

Risk management strategy today: One size fits one

Risk oversight requires the ability to differentiate risks in a meaningful way and to develop responses appropriate to the nature of the risk. Risk management practices today don’t make sufficient distinctions to provide the necessary diversity in responses.

Most risk management strategies today rely on the use of controls as a primary strategy. Heat maps just don’t tell you what to do. In fact, they are a major source of frustration to boards and many senior executives.

My questions to our readers

I will be exploring and explaining this concept in the next few weeks in this blog, and I’d love to hear from you.

My questions to readers are:

  • Does it make sense?
  • Does it make clear how technology can be used?
  • Is it possible to use these concepts to guide risk management practices and drive an integrated GRC strategy based on risk?
  • Is it useful from a board-oversight perspective?
  • What improvements can you suggest?
  • What are the flaws in this approach?

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.