
The biggest obstacle to effective risk management

October 28, 2016

A very quick post today.

In an interview, Fiona Davidge, head of the British Standards Institute and a 15-year risk manager, said this – with which I wholeheartedly agree.

She was asked: “What are the biggest obstacles for integrating risk management in all organizational activities for managers in the UK?”

Her answer:

The biggest obstacle is that risk management is often seen as a separate activity which needs specialist risk professionals in order to succeed. Many organizations feel they cannot afford to do this. In fact most organizations do not have, and will never have, a risk professional working for them. We need to encourage organizations to see that everyone in the business owns and manages risk and in acknowledging that fact integrate risk management into their normal business management processes. We already do this in many ways – such as delegated authority for payment sign off, procurement rules and project risk assessments. That these activities are at the heart of risk management for an organization needs to be understood and promoted; it needs to be viewed from that paradigm. Risk understanding and management needs to sit at the centre of all decision making.


  1. John Fraser
    October 28, 2016 at 2:53 PM

    Absolutely. Everything an organization does (or should do) is managing the risks/uncertainties to achieving its objectives. Every cent that is spent and every activity. However, these activities are too often not discussed, coordinated, prioritized or aligned with what the organization is trying to achieve. However, like a sports team or symphony orchestra the chances of success increase with having someone coordinating activities.

  2. October 28, 2016 at 3:24 PM

    Tim Lister’s quote – “Risk Management is how Adults Manage Projects” should be a poster hanging on the wall in every office of the firm

  3. Glenn Daly
    October 28, 2016 at 5:26 PM

    No one can disagree with what is being said and most if not all management fully understand this (hence the reason the risk manager role can become somewhat optional in the eyes of management)… so why the need to have a specialist risk manager? It ticks a box on the corporate governance defence mechanism list. Whether a risk specialist adds any value is a bonus to management, with the main thing being that the directors are made to feel comfortable that they are meeting what has become accepted as the normal practices associated with demonstrating good risk management. Management get this, but those making a living off selling these normal practices… well, obviously they have reasons for doing what they are doing. If a risk manager has to exist, he or she should be doing things cognisant of what the organisation already has in place or should have in place, not necessarily doing what has become accepted as the norm. Such an approach reinforces what is being said in the article. It's not management where the problem is… it's all the consultants etc. where the issue is, who go around sending the wrong messages to boards and regulators about what good risk management means.

  4. October 31, 2016 at 4:37 AM

    When I started in accounting and implementing accounting information systems, and studied for CPA, more than 30 years ago, control activities like delegated authority for payment sign-off were already well known, as was the reason why these controls were taken. The controls were written down in accounting manuals; the risk was not.
    With the evolution of risk management, we started to record the risks as well, also in some other areas like project management (project risk).
    What I see as the biggest problem is that we now have risk frameworks and transparently apply risk management in areas like accounting and project management, or when it is necessary to comply with specific laws (and record risks and controls). In day-to-day operations, or even when making strategic decisions, no such records exist. I am glad when a business case is being made to support investment decisions.
    It is also considered very difficult to write a risk management paragraph in monthly and quarterly management reports.
    As there is little evidence, it is hard to tell if management truly applies risk management or not. They certainly don't comply enough with the framework they issued.

    October 31, 2016 at 6:39 AM

    In my opinion, the current problem has arisen over the years gradually, because Risk Mgmt is perceived as a separate, specialized silo, by everyone, all the way from the board down to the junior-most employee, creating an “us” versus “them” mentality – “we sell / we market / we hire / we manufacture / we do R&D, we don’t do risk mgmt, the risk guys take care of that !”. Two points to consider to resolve the situation –

    1) Risk management should be integrated into every graduate and post-graduate course curriculum – every employee, every manager coming out of the education system and working in any industry anywhere in the world, needs to understand the basics of risk management – how to assess risk to an entity’s objectives, how to treat risks, and how to implement the treatment, etc. The FIRST LINE OF DEFENCE (the Front Line) is best qualified and positioned to practice the basics of risk management in the flow of operations, in real time.

    2) Having said that, I think many industries (many more now, than say 5 years ago) do require specialist risk management guidance, which cannot be mastered by every student coming out of the educational system. For such industries, you would require a limited number of Risk Specialists, (not an army of “risk managers”) who will be able to provide the expert guidance needed to navigate such riskier waters. So employ such Risk Specialists. In addition have a Risk Co-ordination Department – RCD (NOT a Risk Management Dept) that brings all Risk Mgmt processes in the organization under a common risk taxonomy for better co-ordination between various departments, and for comprehensive board (or equivalent) risk reporting.

    The Internal Audit service then, provides assurance on risk mgmt processes as practiced within each division of the entity, and assurance on whether the risk specialists and the RCD are fulfilling their respective roles.

    However, even if such a RCD were NOT to exist, and even if the organization could NOT employ the services of Industry-focused Risk Specialists, an Internal Audit service, that is sufficiently proficient (and qualified) in Risk Mgmt, should be able to provide assurance on whether risk mgmt processes required by that entity, have been designed and are being executed effectively. Through their advisory role, the IA service would provide guidance on industry-specific risks, and co-ordinate taxonomy and reporting. Internal auditors equipped with rigorous risk management qualifications would be more sought after in such situations.

    October 31, 2016 at 10:51 AM

    Just came across an article on GARP that echoes the sentiments in my above post:

  7. msfedorov
    October 31, 2016 at 12:20 PM


  8. Richard james
    November 1, 2016 at 2:29 PM

    Having oversight of risk management across the nuclear industry, I can see and understand this obstacle. On paper, most risk frameworks highlight that RM is everyone's responsibility and that it should be embedded in business processes. However, in reality it often relies upon the risk professional to lead and guide the process. I can also observe that some organisations place too much reliance on the risk professional, and others do not take their responsibility seriously.

  9. Manoj Kumar Agarwal
    November 1, 2016 at 6:59 PM

    In my view, being Head of Internal Audit as well as Risk Management, the 1st line of Defence is the Functional Expert and can better take care of the Risks emanating to his objectives. However, there has to be someone who constantly keeps raising the issues in attaining the organisational objectives, through Internal Audit and through the Risk Management Updates required statutorily.

  10. Bill Storage
    November 1, 2016 at 7:43 PM

    We read many conflicting theories on what counts as effective risk management and what its obstacles are. Given that they can’t all be true, it might be useful to test the theories against the real world. All of them likely can cite some past anecdote as confirming evidence, but have any been tested enough to be said to have had significant predictive success? Are they reasonably falsifiable in any way?

    Beginning in the 1960s, the design of commercial aircraft established risk management standards that were measurable. 50 years later we saw a decrease in fatal accident rate of passenger aircraft of at least 4 orders of magnitude. Strong evidence shows that it was the approach to safety risk management and not merely improvements in component reliability that produced these dramatic results. I.e., design quality and product quality are very different things.

    Distributed risk management was in fact a key aspect of that program’s success. The FAA knew it lacked the resources to create specs for every aspect of every piece of equipment (in contrast, e.g., to the FDA). Instead it asked the industry to come up with high-level measurable risk requirements that the FAA would own and enforce. Those handful of requirements then informed aircraft system and component specifications consistent with the high-level probabilistic (therefore measurable over time) requirements.

    Lacking enforcement resources, the FAA also fostered a culture of risk management by engaging engineers and managers of aircraft firms as designated representatives. Many of us engineers were, in a real sense, duty-bound delegates of the FAA. However, aircraft makers and the FAA still did (and do yet) have a number of specialist risk managers who, for example, quantify risk at an aircraft-system level during design, to allocate weight, cost, and redundancy, and at time of aircraft certification.

    A great many people with no experience in aerospace or other risk-centric fields are quick to say that what worked in aerospace is not applicable to ERM. Having worked in both fields, I disagree. ERM seems, in my view, to suffer greatly from lack of rigor, metrics and discipline. Without these, talk of embedding risk-management principles is just poetry.

  11. November 3, 2016 at 1:59 AM

    I would reword the last sentence from Fiona Davidge but her message is still spot on.
    It is Decision making that lies BEHIND all Risk understanding and management. It needs to be a holistic process which aligns decisions with values and takes into account ALL stakeholders. It also needs to be transparent with an audit trail. I like to call this Risk Intelligence.
    Please note that decision Making is not the same as decision Taking! Most orgs confuse the two and think because they have a “good” set of procedures that they have risk “under control”. The challenge is that implementing poorly conceived decisions (Making) is precisely what leads to failures and puts people and business “at risk”.
    Teaching and embedding courageous decisioning is the key factor- imho.
    How many orgs can really articulate their decision making framework and how does senior management know that it is used across the org?
    My belief based on many practical observations is that the percentage is extraordinarily low!

  12. November 3, 2016 at 5:34 AM

    It is hard if not impossible to disagree with Ms. Davidge. What is arguable is why risk management is not integrated throughout the management process. I think there are two key factors. One might be that it is not taught in business school. If addressed in the classroom, it is likely presented in the form of "governing" mandated obligations via OSHA or EPA. I think this is further supported by the degreed curriculum for these "specialist" professionals. My second point is related to the first, in that most managers' perception of risk is relative to the "environment" and not the behavior of their employees. Governing bodies like OSHA and their regulations are more focused on workplace condition. Even when workplace conditions necessitate a "specialist" for compliance, their focus too misses the point that workplace risk is higher because of the employee's (un)safe behavior, not the unsafe workplace.

    Because of these two factors, I think the result is a rift and what is lost in this rift is the purity of what risk management is, should be, and can be. The purity is appreciating employees enough to keep them safe and in so doing build a bridge between the obligation of “mandated safety” and the inevitability of “behavioral safety”.

  13. November 3, 2016 at 3:49 PM

    God must love Auditors because he made so many of them. Auditors must love rules, certifications, and procedures because they make so many of them. Unfortunately for the Auditors their risk management paradigm is flawed, since God also loves novelty, uncertainty and randomness….”Man plans and God laughs.”

  14. Mark Bon, CMIRM, MBA
    November 4, 2016 at 3:27 AM

    It is absolutely right to say everyone in an organisation should own the risk. But we could equally say everyone should own the profits of an organisation, and we all know this is never going to happen. However, if we were to say everyone should be motivated by the success of an organisation, then surely it seems reasonable to think everyone should share in the risks and the rewards. Well-managed companies try to achieve this, but is it down to the presence of a good risk management system? The point is that risk management helps, just as a strong team of accountants, marketing managers, and IT managers contribute to the success of the whole. In order to make risk management effective, the whole team within an organisation needs to be effective. This requires professionalism across the whole, and risk management is no different. Risk managers can't wave a magic wand and suddenly make organisations perfect, but this should not make us think they can't nudge organisations in the right directions. Is it not everyone's responsibility to play a part in making business run better? If risk management tries to facilitate this, surely it is being effective. Risk management needs professionalism; it does not need to be the preserve of an elite few, it should be understood and practised by everyone in positions of authority. Risk management needs to be integrated into the mainstream of business studies, the mainstream of accountancy, the mainstream of HR, the mainstream of IT management and marketing. As long as it remains on the fringes it is unlikely to be effective. Giving risk managers a voice and a seat at the table must make it more effective. To deserve a seat of authority, professionalism seems the minimum requirement. We need more professional risk managers, and we need those risk managers to make their organisations sit up and take notice.
    I can't think of anything better than risk managers gaining certification from the IRM and integrating everything they have learnt into their organisations. Keep up the debate, but don't lose the faith.

  15. November 6, 2016 at 1:32 PM

    I agree that Risk is a matter that all parties have a level of responsibility for. Risk identification however can be a very challenging task that may be beyond the capability of some people due to their lack of process understanding or lack of technical competency. It is therefore CRITICAL that people responsible for an activity take the necessary steps to ensure risks are effectively identified and either eliminated or mitigated to an acceptable level BEFORE the activity is progressed. Only when there is awareness of the risks by the people conducting the work and the implementation of effective controls to ensure a risk mitigation plan is diligently applied should work proceed. Specialist Risk Assessors would be great resources to support the development of Risk ID and mitigation plan. Use of multi skilled practitioners and technical/specialist personnel working together with process ‘owner’ as the people engaged to implement the planned work should be included in the process of completing the Risk ID and mitigation plan. Not all ‘work’ will require this level of assessment, however even simple or routine work does require pre-work Risk Assessment, even if it is as simple as verifying right tools, right skills, right conditions, and no external factors that may create an unsafe situation for conducting the work. In the end, the Owner is the responsible party and the Owner must make the right call about what level of expertise is required to ensure activities are safe.

  16. November 6, 2016 at 2:42 PM

    Agree completely, and I would add: remove barriers to wide engagement in capturing and managing risks by giving users tools that are simple to use.

  17. John Pease
    November 9, 2016 at 11:58 PM

    It's interesting … risk management, change management, performance management, project management … all disciplines that really are just part of management's role. They would not have emerged as separate/discrete disciplines if it were not for the fact that there was a perceived need, i.e. management was performing them inadequately – and yes, I know that I'm generalising and over-simplifying. Each discipline performs a similar role, i.e. it creates a structure for (or formalises) what management should be doing intuitively or naturally. Of course, over the decades, academics and consultants have created this and that framework along with beautiful icons, but we the practitioners must never lose sight of the fact that we are supporting management in performing their role. Our risk registers must never become more important than the measures that management is taking to identify and manage their risks!!

  18. Danielle Mecleary Whalen
    November 11, 2016 at 7:04 AM

    The clients need to work with their brokers and use the carriers suggestions ( video’s etc). Two heads are better than one in my book! Great statement!

  19. Danielle Mecleary Whalen
    November 11, 2016 at 7:05 AM

    I always include the IT head and their outside vendor source into the discussion on Cyber Liability

  20. December 6, 2016 at 6:56 PM

    100% agree with the first part and also 100% disagree with other statements made.
    I totally agree with the statement: “The biggest obstacle is that risk management is often seen as a separate activity which needs specialist risk professionals in order to succeed.”
    I totally disagree with the statement: “We need to encourage organizations to see that everyone in the business owns and manages risk….” This is a fantasy, which assumes that mid and non-management can “own” and can also “Manage” risks with some magical empowerment mandate, even if they have a totally different perception of risks from those who reside in protected corner offices. Totally absurd.
    True enterprise risk assessments compare the risk perception differences between different management levels as well as between different departments, and then anonymously resolve such perception differences (i.e. with the Delphi method) by debating corner-office versus trench views of the organization and its processes.

  21. Mark B. Mitchell, Director of Internal Audit
    December 7, 2016 at 6:28 AM

    I agree with Ms. Davidge's remarks and, for the sake of clarity, I would add that inherent in her remarks is the need to transfer knowledge from risk specialists to everyone in management. The COSO framework is a powerful model for effectively assessing and managing risk. However, its true value will be realized only once management teams have become thoroughly familiar with all of its constructs and how they interrelate with each other, to the point at which employees are consciously managing and communicating risks in a manner that is consistent with the framework.

  22. December 13, 2016 at 8:43 PM

    It will help fill a void. Yet risk management training is also needed for every risk manager. Otherwise we recreate the same error that "Quality is everyone's responsibility" did. On one level, Quality actually is everyone's responsibility. However, a trained escalation structure with limits based on cost-effective quality adds an essential way to cut off Quality for Quality's sake.

    You may ask what this has to do with Risk Management. Try a find-and-replace of the word Quality with "Risk Management" and the above paragraph becomes a déjà vu lesson learned.

  23. December 13, 2016 at 8:49 PM

    The good side of aligning Risk Management with each decision maker is that small firms can never afford a full-time professional dedicated to such tasks. Consider a simple cost-of-quality model. Projects large enough to need professional support might occur at about 3 per thousand tasks per year. Assume the Risk Management part of an effort resolves risk in about a month. One would need about 4,000 staff before that professional staff is fully occupied all year with advanced risk management efforts.

    If half the firms in the USA have fewer than 20 staff, these firms might never have a single full-time role performing such tasks.

