When the board insists on a list of the top risks


Recently, Tim Leech asked this question in a LinkedIn post:

What should a CRO or CAE do if the board insists they still want a list of “top risks” plotted on a color risk profile, and soundly rejects the ISO view that “risk” is “the effect of uncertainty on objectives” and the COSO position that “risk” is “the possibility that events will occur and affect the achievement of strategy and business objectives”?

My comment in response was:

The roles of the CRO and CAE should not be mixed up like this.

If the company is managing a list of risks instead of the business, the CRO has a clear opportunity and obligation (IMHO) to show a better way.

Continue to provide a list of risks (it still has some value), but team with performance management to provide (as I explain in my books) a list of objectives, their current status, and the likelihood they will be achieved by the end of the period.

The CAE is in a very different position, unless they are also CRO (in which case, the above applies).

The CAE should not assess and provide an opinion on whether the company is in compliance with its risk management policies.

Instead, the CAE should provide an opinion on whether risk management practices meet the needs of the organization. That will entail pointing out how a list of risks fails to drive decision-making and…
