Working In Uncertainty

Results of a survey on embedded risk management

by Matthew Leitch, first published 27 May 2004.


Thank you

First, thank you to everyone who responded to this survey. This is only the start of an investigation that will have to move on to another phase to get answers to more questions, but this has been an intriguing start.


Most people think that embedded risk management sounds like a good idea. They feel it should be part of ordinary work, not something added on. It should be natural, easy, and helpful. What it should not be is a form filling exercise driven by a calendar schedule piled on top of their existing work. Embedded surely does not mean ‘bureaucracy done so often that it now seems like part of my normal job.’

This simple survey asked people to make three choices, in each case between two alternatives. One alternative was an example of risk management being ‘added on’ while the other was risk management being integrated into ordinary activities.

Respondents were asked to say if they were risk management specialists responsible for promoting risk management in their organisations.

Overall, the majority of the 41 respondents favoured the integrated options on all three choices. There were also differences between the risk management specialists and other respondents.

However, these results must be interpreted cautiously. The survey asked for only a small amount of data, the number of subjects who were not risk management specialists was just 12, the vast majority of the risk management specialists were almost certainly internal auditors (who can be expected to prefer interviews over form filling), and there are clearly many other factors besides how integrated something is that decide what people prefer. A more detailed study is needed to separate out these factors.


The percentage of respondents preferring the integrated option in each of the three choices is shown in the following graph, divided between risk management specialists and others. In general the integrated options were more often preferred, and non-specialists preferred them more, except that non-specialists did not like the idea of sending their documents to a central risk management function, even though it would have meant they did not have to create any new documents.

Non-specialists do not like the idea of being trained to use a database that requires them to describe their controls and then confirm they are in place and operating. Specialists weren't keen on this either but a few thought it preferable. The conversational approach is typical of internal audit work and its popularity in this survey may be because most specialists were internal auditors.

The following table shows the full results, including the actual words used in the survey. (The words used if the respondent was not a risk management specialist were slightly modified, e.g. instead of saying ‘Give training...’ it said ‘Receive training...’) In each case the integrated option is second. In the survey the order of presentation of each pair was randomly chosen.

Choice            Options                                                                                          % overall   % RM specialists   % other
----------------  -----------------------------------------------------------------------------------------------  ---------   ----------------   -------
Kick off          ‘Give training in how to use a web-based tool for confirming controls, that lists control        17          24                 0
                  requirements, including some specific controls (where possible), and requires various
                  confirmations.’
                  ‘Hold discussions with managers on how risk and uncertainty are currently managed, where         83          76                 100
                  improvements might be made, and how evidence of it can most easily be provided for regulatory
                  compliance.’
Ongoing evidence  ‘Receive forms into a database confirming things are under control.’                             34          28                 50
                  ‘Receive electronic copies of documents from managers that have previously been agreed as       66          72                 50
                  providing evidence of risk management (e.g. KPIs, reports, meeting minutes).’
Business cases    ‘As part of getting approval for a plan/bid, people must complete a document, or section of a    37          38                 33
                  document template, that requires a list of risks and responses to those risks, and an overall
                  summary of the level of risk involved.’
                  ‘People must follow a process for developing the plan/bid that involves a flexible but           63          62                 67
                  systematic exploration of the uncertainties involved, and uses that and other information to
                  build the plan/bid, and forecast the range of outcomes to expect.’

(One respondent had no preference in the second and third choices, and that respondent's responses have been omitted from these results.)

The survey also asked which approaches respondents had actually experienced and the results are shown on this graph.

Comments by respondents

The survey asked if the respondent had any other comments they would like to make about risk management audit evidence. Most respondents made no comment but some made interesting comments, which are quoted below.

‘Matthew, I think this is good and the answers will reflect a mixture of where an organisation is on the journey to getting RM embedded or the extent to which they want buy-in or are just 'telling' people what to do and are at risk of getting inconsistent results.  Initially you'll need a discussion to sell the concept but later on line functions should use the tools and only have discussions with audit/RM staff as part of the review of risk management. Also you may initially receive forms and enter these yourself but later review the electronic submissions when the process is up and running. Autocratic organisations may like to tell rather than sell but will it work? On item 3 I personally feel that the creative entrepreneurial types who present the projects should need to submit a piece of paper or the risk assessment won't get done - too often I've been consulted on something that was going live and was considered too far advanced to stop (so it was safe to ask).’

‘In a large company with several lines of business, I think it might be too difficult to set up web based training or a database to manage risks.  It seems to me that the web based training or database could provide some benefits in the overall process but I think that these tools would have to be too generic to be the main control in managing risk (i.e. what is required is some formal process with flexibility depending upon the types of risks that may be encountered).’

‘An awareness amongst executives of business volatility should be imparted to reduce the level of risk.’

‘I am employed by a not-for-profit. Management and the audit committee are very keen to assume best practice processes and procedures but the education for a risk management approach is daunting, to say the least. I would imagine that this is not an isolated situation.’

‘Risk measurement, where financial matters are not involved at micro level but at the macro level, is really a task which most people do not know. They are of the view that only finances are the subject matter of risk and only those can be measured.’

‘Extremely difficult. Risks are always “LIVE” i.e. difficult to list down and ever changing. Be vigilant. Follow the policies to minimize inherent risks. For other risks, know and make an assessment of what kind of risks you can face. Even the remotest can happen, so cross your fingers and hedge.’

Respondent profile

Responses were generated by a request on the AuditNet discussion list and AuditNet newsletter, a resource for auditors which is mostly used by internal auditors.

There were 41 respondents, comprising 29 risk management specialists and 12 others.

Slightly under half the respondents were from the United States of America. The countries of respondents are shown on this graph:



Words © 2004 Matthew Leitch. First published 27 May 2004.