25 October 2022
“Conventional risk management practices primarily serve compliance purposes”
MARINUS DE POOTER, CONSULTANT
After a long career in auditing, finance and consulting, Marinus de Pooter is now an independent professional based in the Netherlands. At the IFACI conference he is going to speak about the topic: “Is risk management redundant?”. Marinus seriously challenges the current practices.
Could you summarize your professional background for us?
Marinus de Pooter: I have worked as an independent interim manager, consultant and trainer for the past 10 years. I started my career as an external auditor. After that I was director of finance and director of internal audit. Prior to being self-employed I was ERM Solution Leader at EY Advisory.
Without revealing too much could you share some insights from your presentation with us?
M.d.P.: Sure. For many people, including internal auditors, risk management is imperative. However, our insights about dealing with uncertainty have changed considerably during the past years. In the conventional approach the focus is on inventorying what is bad. On what isn’t good for your money, for your health, for your reputation and so on. Recent risk management standards use a neutral definition of risk: there are ‘upside risks’ and ‘downside risks’, ‘good risks’ and ‘bad risks’. Nevertheless, numerous professionals are still trained to ask what-can-go-wrong questions, to produce lists of risks and to come up with controls to mitigate them. In turn the internal auditors then are supposed to assess the effectiveness of these controls.
The conventional approach is first to create a separate risk management system and then to try and squeeze that into regular business management. Instead, it makes more sense to start from the perspective of the colleagues who are in charge. The managers at the various levels in your organisation have to deal with the competing needs, interests and expectations of different stakeholders. For example, stakeholders can attach value to creating and preserving physical safety, animal welfare and dividends. This implies that decision-makers always have to make trade-offs. Future-proofness depends on how satisfied your core stakeholders are with your performance.
In essence, dealing with uncertainty requires asking basic questions, such as: Which value do we want to create and protect for which stakeholders? How do we define our success? What can happen that affects our performance and conformance? What are the potential positive and negative effects of that for our stakeholders? Will we be able to take advantage of our opportunities and to cope with our threats? If not, what should we do differently? Realizing that it is about making choices shifts the focus to consequence-conscious decision-making.
What are the implications for internal auditors?
M.d.P.: Conventional risk management practices primarily serve compliance purposes. Supervisory authorities are mainly interested in avoiding trouble and misery. Maintaining lists of risks can be useful to demonstrate to them that you have thought about potential issues and that you’ve taken some actions. The sad thing is that the commonly used risk registers are not going to help you to make balanced decisions when facing dilemmas.
In my view, internal auditors should focus on helping management to increase the likelihood of success. The level of success is dependent on the quality of decision-making. If auditors want to add value, they should assess to what extent the decision-makers are committed, competent and honest. Mentality is a key driver when making decisions. I look forward to discussing with the attendees to what extent risk management as a separate discipline is redundant.