The greatest risk? The risk that the risk management program is insufficient to identify, evaluate and assess, and respond to all the potential effects of uncertainty as we strive to achieve our objectives.
How many risk practitioners measure and report on the limitations of the risk management program? (And don’t tell me that everybody has perfect systems that will promptly and accurately identify, and appropriately address, all situations and events. I don’t believe it.)
I suspect that most practitioners are at least subconsciously aware of the limitations and the likelihood that risk management will ‘fail’, with undesired effects. But, I doubt that more than a handful have completed a risk assessment of the risk management program.
Neither COSO ERM nor ISO 31000:2009 tells you to do this, although the process in 31000 will work – once you realize that ineffective risk management is a risk source! You could argue, but I think it’s weak, that the monitoring activity in COSO handles this; I don’t recall any discussion of risk assessing the program in that document.
What do you think?
Isn’t this something we should do every year, at least?