This is a trick question. The answer is that theoretically it isn’t, yet I’ve seen very senior, very bright and very experienced clients struggle with the basics. Why is this?
I think the answer lies in the lack of differentiation between issues and risks. Risks have an element of uncertainty in them. They have an element of the unknown and in some cases the unknowable. They relate to the future. They are not proximate. They may or may not occur. Issues are the complete opposite. They are known, they are not just proximate, they are the here and now.
If we think about how managers are measured, promoted, rewarded and recognised it is always in relation to the tangible here and now activities they undertake. How much has been produced, how often has a process occurred. What income has been generated. Rarely is a management team rewarded for how much the future has been influenced, how many negative items have been avoided, how much better are the outcomes now than could have been the case.
If we think about boards, they are comprised generally of people who have come from management backgrounds. Thus people with a similar outlook and generalised experience as the senior managers they oversee, direct and control.
The auditor, risk manager, long-term planner, if there are any on the board, are on the audit committee. Even if there are enough of these types of people on the audit committee then it is unlikely that the audit committee will hold sway in the full board. This is even more the case where a unified audit and finance committee is in place as the ‘important’ work of this committee is likely to be making ‘current’ finance decisions and approvals or reviewing past or current financial performance of the organisation.
Is it any wonder, therefore, that boards very easily slip into ‘issue management’ than risk management? It is so much more satisfying to deal with the here and now. Yet boards ignore risk management at their peril. Issues, left long enough, become more and more proximate. The grow in likelihood over time. All things being equal they should become more moderate in impact. For example a change in government policy can appear catastrophic when first envisaged as a risk, yet as the policy goes through shaping and development by pressure groups, legislators and other forces, the net reality is often much smaller. Yet on average in my experience, strategic risks, left long enough become moderate, proximate, risks.
The ultimate proximity is for the risk to become an issue. Then it is ‘managed’. By this point the quantum of effort required to manage it is much magnified as changes and responses need to be quick, more immediately effective and take up more time as co-ordination of a response across the organisation is challenging in a short period. Take regulatory changes. These can be built into procedures as risks, software, processes and systems can be re-designed at leisure and cost effective options explored. With immediate issues this is not the case. In other words it is inefficient to manage risks as issues. It is far more expensive to pay for breakdown repair of a car than a routine service.
For the board particularly an obsession with issue management often oversteps the mark into management rather than governance. Directing and control is about frameworks and policies, not actions and procedures. Yes some decisions are specific and managerial in nature which boards will need to take, but in broad terms these should be the exception.
A good internal audit function should encourage the proper role of risk management to be one of risk, not issue, management. It should push the management and board’s horizon outwards. It should encourage a longer-term view of the external world and the strategic position of the organisation, rather than overseeing current management activity. After all there should be an assurance, financial and audit framework to deliver that on their behalf.
Has your board fallen into the ‘issue management trap’?