According to Norman Marks, an authority on corporate governance, risk management and internal audit, how a company makes decisions is at the heart of effective risk management. Whether an organization is large or small, whether decisions are made by a board of directors, a small group of officers or managers, or one owner with outside advisers, the quality of decision making can determine success or failure.
In a recent post (https://normanmarks.wordpress.com/2019/07/17/how-to-assess-the-effectiveness-of-risk-management) Marks lists his four top questions on how management and directors make decisions about risk.
- Do decision makers believe there are reliable processes to support decision making – current, reasonably complete and reliable information about the options they are considering?
- Do decisions involve the disciplined weighing of risks and benefits of each option?
- Does the decision process help set and execute strategy?
- Do the organization’s processes and practices provide reasonable assurance of success?
Carol Williams builds on Marks’ questions. In her post https://www.erminsightsbycarol.com/gauging-risk-performance-management/ she offers three additional questions:
- How involved is management in defining behavior in the organization?
- Has management reached an agreement on how much risk to take, and does the board agree with it?
- What methods does the organization use to understand risk before making decisions?
When developing specific questions for your organization, Williams recommends deliberately choosing each word in a question. Preferably questions should be as open ended as possible.
Use these questions in your decision making process.
ABOUT THE AUTHOR
Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.