I see more and more talk about Risk Assurance and Risk Attestation (together with so many advertisements of people and organisations offering these services). This sounds like getting stuck even deeper in the trenches of the 3/4/5 Lines of Defense by trying to provide confirmation that “nothing bad will happen on my watch”. We will take NO risk, nobody will stick out their head and nobody will get hurt; we will also make NO advancement on the battlefield of business, something similar to what we achieve with compliance!
Risk Assurance and Risk Attestation certification processes add no value to the business other than creating a false sense of security and comfort that the risks that we identified and assessed are okay, and implicit confirmation that we are completely oblivious to the rock that might hit our windscreen whilst we are speeding on our highway to success. These services are most likely the biggest scams in the Risk Management Industry.
Nobody can ever give assurance or certification of a risk management framework, risk management process or the conduct or effectiveness of a risk manager; there are too many internal and external factors at play on the battlefield of business and in the hearts and minds of the people involved. Your exposure to risk is a constant and consistently changing dynamic. Any review or certification is possibly outdated by the time it is published or issued.
The only way to optimise the management of risk, and the only real level of comfort, is that every employee has risk management competencies and knows how to assess and respond to a situation of risk to the best benefit of the organisation.
In the end it comes down to either spending money on worthless assurances and certifications that just create a false sense of security (at a point in time in the past), or training every employee in the skills to drive better and avoid dangerous roads, or, in the worst case, to know what to do when the rock hits the windscreen.