Risk Is Everywhere

Key Takeaways
  • Risk Is Ubiquitous: Operational and strategic risks are not meaningfully distinct in impact, and both can materially affect enterprise objectives.
  • Prioritization Is Essential: Organizations lack the resources to track or audit every risk, making focused attention on high-priority risks critical.
  • Risk Registers Have Limits: Attempting to catalogue every possible risk creates unusable frameworks and dilutes meaningful oversight.
  • Decision-Making Over Checklists: Effective risk management is grounded in informed decision-making tied to objectives, not static risk appetite thresholds.
  • Audit Focus Drives Value: Risk-based auditing should prioritize controls over the most consequential risks, not attempt blanket coverage.
Deep Dive

In this article, Norman Marks explores a familiar but often misunderstood reality for risk and internal audit professionals—risk is everywhere, but not every risk deserves equal attention. Drawing on a reader’s challenge to conventional thinking, Marks examines the limits of risk registers, the pitfalls of overextending audit scope, and why effective risk management ultimately comes down to prioritization, judgment, and better decision-making rather than attempting to catalog or control every possible threat.

Why Trying to Manage Every Risk May Be the Biggest Risk of All

Last week, an anonymous individual made a comment that I want to discuss as it has implications for both risk and internal audit professionals. The comment was on my post about the need to focus audits on the controls over the more significant sources of risk to enterprise objectives.

They disagreed, saying, "Often (sometimes seemingly minor) operational issues or incidents (e.g. fraud, health and safety incident, non-compliance with a regulation, inappropriate expenditure, such as buying booze on the company credit card) can trip an organization up by causing reputational damage, public exposure, or criticism from the external auditor or other watchdog. These are not ‘strategic areas’, nor do they explicitly link to ‘enterprise objectives’, but they are important hygiene areas. Internal audit can have a valuable role to help ensure risks in these areas are being managed."

This is true. Risk is everywhere, as the comment says. Success comes from taking the right level of right risks at the right time. Even so-called ‘operational’ risks can have as much impact as so-called ‘strategic’ risks, which is why I don’t talk about operational vs. strategic.

Some of the ‘operational’ examples in the comment might well have a significant adverse effect on enterprise objectives.

  • A health or safety issue can lead to the closure of a major facility, impacting revenue and increasing costs such that profit goals are not achieved. Anyone who has worked in the oil refining business can attest to that.
  • Non-compliance with a regulation can not only bring major fines, but limits on your business operations.

But do all health and safety risks merit top management attention and/or an audit? Do they belong on a risk register? While they are possible, are they at least reasonably likely to have a devastating effect?

Is it at least reasonably likely that an inappropriate expenditure would threaten corporate success? Nobody has the resources to put every source of risk on a corporate scorecard expecting to discuss and act on it.

In addition to the risks that the comment listed, consider:

  • The possibility that an individual driving on our property might cause damage that results in the closure of our facility, or even a loss of life.
  • An electrician installing or maintaining our power supply and wiring could do something that would cause huge damage.
  • Minor maintenance of our ERP could inadvertently shut it down.
  • The CEO could make irrational decisions. (Just think of what some leaders in industry and government have done in the last year.)

Risks are everywhere, and the idea that you are managing risks by reviewing a few of them is absurd, maybe insane. You cannot put every source of risk on a risk register unless you want it to run to hundreds of pages, and that makes it unusable.

There’s a reason that organizations limit their periodic attention to a few higher priority risks. That’s all they have time to discuss. It is better to focus the periodic review on those select few that clearly merit attention and, perhaps, action. Don’t attempt to list every possible risk.

Artificially limiting that selection to ten or twenty doesn’t make sense to me either. Review the ones that need to be reviewed.

It is better to consider each of your enterprise objectives and think about what needs to happen and not happen if they are to be achieved. It is ideal to know, given all the risks, what the likelihood of achieving each objective is, and then update it continuously—taking action when the likelihood is unacceptable.

By the way, considering whether there is an acceptable likelihood of achieving objectives is a better way to manage the business than considering, without context, how much risk is being taken.

I just saw a post that said that risk appetite is the foundation of risk management. I couldn’t disagree more. The amount of risk you should take depends on a lot of factors, including the level and possibility of reward. It is constantly changing.

The foundation of risk management starts with setting the right objectives and is then about informed and intelligent decision-making. Ensure the processes for making important decisions are effective, including the consideration of all related and significant sources of risk.

Effective risk management focuses on:

  • Considering risk (and opportunity) in decision-making, and
  • Periodically reviewing and addressing those risks (and opportunities) that merit special attention.

Similarly, we simply can’t audit everything. Nobody has the resources to audit every source of risk.

Risk-based auditing leads us to audit the controls over those sources of risk that are most important to the achievement of enterprise objectives, and where we deliver most value to our leaders on the board and in management.

Leave the rest for when you have surplus time and resources. Keep them off your audit plan and out of the scope of each engagement.

We can’t audit every low or even medium risk. In fact, sometimes we don’t have the resources to address every high risk—a fact that should be reported to the audit committee.
