
Why do so many practitioners misunderstand risk?

November 26, 2016

My apologies in advance to all those who talk about third-party risk, IT risk, cyber risk, and so on.

We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.

We should address risk because of its potential effect on the achievement of enterprise objectives.

Think about a tree.
In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.

Unless the root cause is addressed, the malaise will continue.

In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.

Talking about cyber, or third party risk, is talking about a problem at an individual root level.

What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.

If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?

Now let’s extend the metaphor one more step.

This is a fruit tree in an orchard owned and operated by a fruit farmer.

If a problem is found with one tree, is there a problem with multiple trees?

How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?

Will the owner of the orchard be able to achieve his or her business objectives?

Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.

Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.

I remind you of the concepts in A revolution in risk management.

Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.

Is the anticipated level of achievement acceptable?

I welcome your thoughts.


  1. Gejo Varghese
    November 26, 2016 at 11:11 AM

    Lucidly explained. It’s back to basics.

  2. November 26, 2016 at 12:07 PM

    Thank you for the reminder Norman. Though I wonder if it is really a “misunderstanding of risk” or one of practitioners taking their “eyes off the ball” and engaging in “herd behaviour”? Whatever it is, as Gejo Varghese commented, it is back to basics. Having a deep understanding of the enterprise objectives and the risks that may deter its achievement.

  3. Bill Storage
    November 26, 2016 at 12:15 PM

    Risk frameworks tend to view risk as an atom – i.e., an elementary and fundamental “particle” of risk analysis and management. This leads to vague and incoherent hierarchies and taxonomies of risk. I think your inclination toward “root level risk” is a step in the right direction, but we can probably do even better by decoupling “root” and “risk.” Risk is not a rudimentary entity. Risk stems from hazards (unwanted outcomes) that result from causes. ISO 31000 (and related) seem all to have the flawed notion that the causes of interest can be revealed by FMEAs or similar cause-first (“bottom-up” in some circles) analyses. This was found to be unworkable half a century ago in aerospace and nuclear risk.

    Many risk managers misunderstand risk because they learned about risk from frameworks, consultancies, and peer groups who don’t understand risk, partly because they developed their approaches without due research into prior art.

  4. Glenn Daly
    November 26, 2016 at 4:50 PM

    1. Central to your question are the “objectives”. What objectives? Those explicitly documented in a strategy blueprint? Or does it extend to those implicit objectives that are taken as a given? What if the organisation does not have specific objectives and they are more general? My point. Everyone talks as if it is easy to get a fix on objectives and risk analysis flows. In practice this may not always be the case.

    2. I got reminded of this recently by a director. If a director wants me as a risk practitioner to focus on risks that is what I do, rightly or wrongly (assuming I want to keep my job). I had a meeting with a couple of them recently over their request that I include high inherent impact externally sourced risks in my report, with steady state controls/actions ie we had confined our content to those impacting objectives and secondly singled out those of concern from an appetite perspective (repeating externally sourced widely known high impact low probability risks which have mature mitigating controls and actions took up valuable space in our report). I started the discussion with “risk management is basically about the achievement of objectives”.. and was immediately pulled up with them saying they did not necessarily agree. Your question should be more correctly reworded as..why do Directors on Boards (in lieu of “practitioners”)…..if you ask this question you might get to some real answers. And one of the answers perhaps relates to why you did not word the question the way I have suggested.

    3. If you follow through on the objectives focus, I have pointed out to you in previous posts that risk management really does start to very overtly overlap with others eg strategy depts typically do updates on the status of objectives, challenges/issues with achieving objectives are often in functional reports etc…..the enterprise “myth” management gig gets exposed. Not good for the risk management “industry” which relies on duping directors into thinking risk management offers something more than what their organisation is currently doing…when in fact, as I have come to realise, what it should be about is ensuring such practices are integrated into the business and are robust, not creating something new or separate under the banner of “risk”….but that approach has not been how risk management has been and is being typically “sold” to directors ie there is something wrong with your risk management function, they are not serving you well and we can help etc..with the set up of something new which basically may not add any real value but which adds to the list of things making it easier for directors to satisfy their corporate governance requirement. The way you asked the question in my view partially answers your own question. Disappointed you will not be in KL for the corporate governance symposium – was going to get you to sign my world class risk management book! Rgs

  5. Paul O'Farrell
    November 26, 2016 at 4:54 PM

    Great article – it fundamentally means that risk professionals should be part of the decision making process of an organization and be able to “take a step back” rather than be in the weeds of the doing!

    • Norman Marks
      November 26, 2016 at 5:32 PM

      Paul, I would say that decision-makers are risk professionals – whether they think so or not

      • Paul O'Farrell
        November 26, 2016 at 9:26 PM

        True – although they may not believe it is in their job description to think about risk!

        • November 27, 2016 at 5:03 AM

          If this is true, then there is yet some more work to be done on the risk culture.

          Risk 101 – the “business” or operational management are the first line of defence. They are risk managers….

  6. November 26, 2016 at 9:59 PM

    I think it is the “tricky” balancing act/trade-off between robust risk management and meeting business objectives that is the issue. So the two are really not disconnected to begin with.

    • November 27, 2016 at 4:46 AM

      Exactly. If we see they are not disconnected why then do we engage in this “balancing act”? My response to this is – mindset, and Norman touched on this in one of his posts. Until the risk management function is seen as a business “partner” with the same enterprise objectives, we will keep having this issue of the “tricky” balancing act/trade-off.

      The question then is how can this be achieved? Some may even wonder (secretly) if this is not “building castles in the air”… My answer is – It can be achieved and I have seen this practiced, and without breach of set controls. The change in mindset must first begin with us the risk practitioners….when we “see” the possibility and begin to act as partners, then it will become easier to get the needed buy-in from our business colleagues.

  7. November 27, 2016 at 5:09 AM

    Norman, another good post. In answer to some of the posts above, I would ask, ‘How can you have risks without objectives?’ A risk has an impact, on what?? An objective. In my opinion, if you don’t have objectives, you don’t have risks. If the Board doesn’t know its objectives, then that’s the biggest risk of all.

    I think many practitioners misunderstand risk because they are sold on the term ‘risk managers’, when they don’t manage risks. They assist the people who do manage the risks to identify them. As Glenn has stated, you probably need to start by educating the directors.

  8. Richard Fowler
    November 27, 2016 at 7:23 PM

    In my opinion, we cannot discuss root causes when we discuss risk. A risk is a potential event, a future issue that may or may not emerge and that has a probability (high or low) of occurring and a potential impact on the organization. A root cause analysis is an evaluation of why something actually occurred. We are no longer talking probabilities or potentials, we’re now discussing facts. One risk can have many possible causes, but that is why mitigation plans may have many different assessments and actions. If you try to assess a “root level risk” of an enterprise issue, you are ignoring the multiple other causes that could result in that issue arising. Isn’t that the opposite of what risk assessments should be doing? Or am I misunderstanding your point?

    • Norman Marks
      November 28, 2016 at 6:55 AM

      Richard, root cause analysis can be applied to any situation, including where the level of risk is not what you want. For example, if there is a risk that a theft of inventory would not be detected timely because counts and inspections are not consistent, root cause analysis can be used to find out why.

      The point I am trying to make is that when people focus on a source of risk, such as poor inspections and counts, they are focusing on a root. Perhaps they report an increased risk of theft. But, what is the potential effect of the theft on the whole tree? The loss of inventory can lead to an inability to manufacture products and not only lose the sales but a customer.

      I hope this makes it clearer. I suspect we are aligned.

    • Morgan
      November 29, 2016 at 8:03 AM

      I have a background in RCA as well as Risk. This is a good comment Richard. I agree with Norman’s response, but urge you to look at a continuum of cause/effect actions which can go back in time to multiple causes and forward in time to multiple (potential) effects. The problem with “root” is that there isn’t really such thing. It is that thing or those things in the continuum which you choose to focus on.

      Maybe that is confusing… Imagine you are driving and experience a blowout. In that moment a number of things have happened to contribute to the blown tire (a defect + driving condition + driving + vehicle weight for example) AND a number of things could happen (regain control and pull over, lose control and crash into another vehicle, etc) understanding those potential futures separately is a type of cause/effect analysis that RCA can help with. You are right that other possible causes could result in a blown tire (nail, pothole), but the process of understanding potential effects is very similar to understanding possible causes. In the end what you want to find is the best solution whether the problem exists in the past, present or future. (improved tire manufacturing, better roads, lighter cars, hovercraft, improved driving skill, whatever…)

      If you have a chance to read up on Apollo RCA, it is some of the best and clearest reading on this topic (and you don’t have to buy their s/w to understand it.)

  9. November 28, 2016 at 11:14 AM

    Looking at the arguments above, I would say that there is a need to concentrate on the objectives before the risks. Doing this results in the impact of any risk being clear.
    Taking your example.

    There is the top objective (say) of maintaining profits.

    One risk threatening this objective is that we have no inventory (stock) to sell, or to use for manufacture.

    So we have a sub-objective of ensuring adequate inventory levels.

    One risk threatening this objective is, ‘theft of inventory’ (This risk would also appear under the sub-objective of minimising costs). Other risks would include, ‘inventory not ordered promptly’.

    The control to manage the risk of theft is, ‘timely inventory counts’. This control, among others, also manages the risk, ‘incorrect update of stock records’.

    (A failure to carry out timely counts is not a risk, since it doesn’t necessarily result in a loss, but a failure of a control.)

  10. John Fraser
    November 28, 2016 at 2:36 PM

    A risk is NOT a ” potential event” although that is what COSO has erroneously defined a risk as…if one gets caught in that paradigm then this will limit one’s ability to deal with uncertainty.

    • November 29, 2016 at 5:26 AM

      Wisely spoken, John, and they’re still at it in the COSO upgrade. The creeping shifts in technology, social behaviour, climate etc are far more important to understand than sudden events. Those who detect shifts in time hopefully will survive. This is the true combination of risk and opportunity.

  11. December 10, 2016 at 4:31 PM

    A really important point well made. The continuing resistance in the previous comments shows how important it is to keep shining a light on the true nature of risk: the effect of uncertainty on objectives. Risk is not itself the taxonomy or causes of uncertainty (hazards and events). I have reflected this fundamental principle in a refinement of the ‘typical’ risk management process. http://bit.ly/2el46kC The real-world difficulties noted by some commenters are also worthy of note, and I appreciated those as well.
