Backgrounder on Objective Centric Risk and Uncertainty Management

I have been researching how the public sector in Canada has responded to rapidly escalating expectations for governing bodies (i.e., audit committees and public accounts committees (PACs), equivalent to boards in the private sector) to oversee strategic planning and enterprise risk management (ERM)—the foundational elements of modern good governance.

My research indicates improvement in Canada has been slow and the type of risk centric ERM widely implemented in the Canadian public sector has not produced the benefits promised by an American private sector consortium called the Committee of Sponsoring Organizations (COSO), or International Organization for Standardization (ISO). Few public sector entities in Canada have moved to modern strategy/objective centric ERM and internal audit called for by the Institute of Internal Auditors (IIA) in its 2020 Three Lines Model¹. Canadian public sector entities that have implemented some form of ERM have generally created and periodically update risk registers—I call that approach “risk list ERM”. Risk list ERM, an approach predicated on creating an inventory of all possible risk (also referred to as “risk universe’), tells senior management and governing bodies little about risk, defined as the composite effect of uncertainty, on key strategic and supporting objectives and performance, as defined by ISO².

Although reliable data is not available, the number of public sector entities where management is the primary risk assessor/reporter (STRONG FIRST LINE) and risk is linked to key objectives is still small, despite management being in best position to assess, manage, and report upwards to governing bodies on risk/uncertainty status. As a result of how ERM has been implemented in many Canadian public sector organizations, management and governing bodies do not think that this approach will help them to manage uncertainty regarding key objectives. Major changes are needed.

Objective-centric risk & uncertainty management is an approach to risk management that centers around the organization's objectives and goals. In this methodology, risks are assessed and managed with a primary focus on their potential impact on the achievement of strategic, operational, and other key objectives. The process involves identifying and analyzing risks in relation to specific objectives, prioritizing them based on their potential impact and likelihood, and implementing measures to mitigate or capitalize on these risks to ensure the organization's objectives are met.

Objective-centric risk & uncertainty management integrates risk considerations into the overall strategic planning and decision-making processes, aligning risk management activities closely with the organization's mission and vision. This approach aims to enhance the organization's ability to proactively address challenges and uncertainties in pursuit of its objectives while optimizing the allocation of resources.

The benefits that could be derived from objective-centric management are numerous. They entail, among others, improving decision-making processes, enhancing ability to achieve strategic objectives, improving operational efficiency and governance, and increasing stakeholder confidence³.

An overview of five simple steps to implement this new approach is shown below:

About the Author

Tim J. Leech, FCPA FCA
Founder and CEO, Risk Oversight Solutions

Tim is founder and CEO at Risk Oversight Solutions. His focus for the past 30 years has been promoting the business case for, and helping organizations implement, strong management driven objective centric risk and uncertainty management. He has received awards for outstanding contributions from CPA Ontario, IIA, ACFE and OCEG. His work in the field of strategy and risk governance has been recognized by articles published by Harvard and Columbia Universities, London School of Economics, the IIA, Conference Board, and many others. In December 2019 Richard Chambers named Tim to his list of the top 10 internal audit and risk thought leaders of the decade globally.

Contact the author at:

timleech@riskoversightsolutions.com

This article outlines four significant change drivers that support implementation of a new form of governance, ERM, and internal audit: Objective Centric Risk and Uncertainty Management.

¹ https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf

² https://www.iso.org/obp/ui/fr/#iso:std:iso:31000:ed-2:v1:en

³ Albarraq A, Alkayyal A, Bawareth R, et al. (2023). “Risk Management Framework Analysis”. International Journal on Engineering Technologies and Informatics, 4(1):1‒8. Available here: https://skeenapublishers.com/journal/ijeti/IJETI-04-00047.pdf