The real risks: the ones not in the typical list of top risks

December 31, 2016

This is the time of year when people are rushing to share the top risks to organizations across the world.

Those lists include such items as cyber, political change, economic instability, and so on.

Here’s a different type of list.

It’s composed of risks that are perhaps the most critical but, for whatever reason, rarely figure on any risk register (those awful devices) or other ERM report.

They are not in any particular order.

  • Bad decisions, for any number of reasons such as involving the wrong people; relying on gut experience instead of information; failing to act; and so on
  • Poor information flowing to decision-makers and the board (it may be out-of-date, slow, incomplete, indigestible, wrong, or simply off the mark)
  • Hiring the wrong people
  • Not having sufficient people
  • Lack of teamwork
  • Lack of shared goals
  • Politics
  • Legacy systems that make the organization lack agility
  • Bureaucracy that slows decisions and stifles ingenuity and innovation
  • A bully of a CEO
  • Executives who don’t listen
  • Poor morale
  • High turnover of staff
  • Failing to fire poor customers
  • Ignorance of new technology that could disrupt the business
  • Being excessively risk averse
  • An ineffective internal audit function
  • An ineffective risk management function
  • A legal function that does not provide quality advice when it is needed
  • A CFO who does not get involved in the business and its operations
  • And so many more

I welcome your thoughts – and additions of risks that are too often overlooked, usually for political reasons.


  1. Don Tomaso
    December 31, 2016 at 11:54 AM

    Spot on Norman! Looking from inside an organization that is real life. Unfortunately, consultants and others outside the organization usually see the other risks (e.g. cyber) and get people to look in the wrong direction. But you need to have some guts to SpeakUp about all the internal issues. Hope you all have the guts in 2017!

  2. Vladimir Bidniuk
    December 31, 2016 at 12:11 PM

    Hi dear Norman, I wish you a great 2017!

  3. marcushabib
    December 31, 2016 at 1:50 PM

    I think what came in this list are not risks but root causes to risks.

    • Chandy Varghese
      January 5, 2017 at 11:55 PM

      True. Still it’s like part of a useful questionnaire. One needs to expand this in terms of the probability and impact in their own organisational context to be seriously seen as a risk, if that situation exists.

  4. December 31, 2016 at 3:41 PM

    Happy New Year Norman, love your list. It’s like I always say, governance is easy … until you add people. Everything you listed is root cause us, if only we could get out of the way of our organisations!

  5. January 1, 2017 at 3:11 AM

    Norman, a thought provoking list. I would add, ‘Lack of training’, which is often the first casualty of budget cuts.
    Happy new year to you and all your readers.

  6. January 1, 2017 at 3:03 PM


    I think these are risk sources, as normally defined, not risks. Some are also causes.

    Risks are simply scenarios that describe what could happen and what it could lead to, normally in terms of the effects on the organisation’s or person’s purpose. They are two-part statements where the second (the effects) are required to give the first part context and relevance.

    Also, are not all those on your list just derivatives of the first ‘risk’ – that is, poor decision making so that desired outcomes are not certain and do not necessarily support the organisation’s purpose. Yours don’t pass that test!

    I do agree with you that such lists have limited, if not destructive value. They support the false paradigm of static, ‘list management’ where an organisation thinks it ‘knows its risks’ because it lists them once a year and sends that list to the Board.

    May we all improve the way we think about risk and how it should be managed in 2017. Let’s start by banning or at least ignoring such lists.

    • Norman Marks
      January 1, 2017 at 3:08 PM

      Grant, I agree that technically these are risk sources, just like the items in most lists of top risks. Unfortunately, our lexicon is poor and we do what we can with what we have. You and I both prefer not to use the ‘r’ word at all, but sometimes it is necessary to make a point.

      Oddly, I could make the argument that if risk is the effect of uncertainty on objectives, risk is always some degree of success or failure to achieve an objective. The effect is achieve, fail to achieve, or surpass an objective. Everything else is a cause of that effect or a risk source.

      But, I am trying to point out that most of the reasons for failure to achieve objectives are ones that we don’t talk about.

      • January 1, 2017 at 3:28 PM


        I wholeheartedly agree. Let’s hope some of the people who mistakenly produce glossy brochures with lists of ‘risks’ at this time of year read this thread – and understand it!

  7. Edward Clark
    January 1, 2017 at 6:12 PM

    We incorporate these pieces of errant intellectual property as a formal part of our All Perils Assessment. (Or as Grant refers to them, Risk Sources) Called barriers, we define them as human decisions or other intellectual property (Or lack thereof, such as lack of training – Good Catch), such as legislation, regulations or political decisions. Perhaps the greatest example we have seen is the situation in The Philippines. By formalizing this as a part of our consulting practice, we are able to consider, analyze and mitigate the effects of these dynamic decisions and unhealthy operating environments.

  8. Vladimir Bidniuk
    January 2, 2017 at 3:17 PM

    Norman, it is a great list. In Brazil many families and family businesses have a large risk appetite. They think that nothing or some dangerous effects will occur with them, principally about cyber, financial, compliance and strategic risks. Many have a twisted vision about. I think they need more risk management culture.

  9. Annette Nicholson
    January 2, 2017 at 4:42 PM

    A very practical list. I kept nodding as I went down the list having experienced most of them. It is all about the people and flawed leadership, which stifles the bubbling up and refinement of ideas to improve the business. After a while good people get fed up and leave.

  10. Gary Lim
    January 3, 2017 at 5:49 AM

    Human beings are assets of the company as many CEOs would like to claim for the publicity, deep inside they know these are the liabilities too!! Personally having been working under a few CEOs in my working life, CEO charts the culture of the organization provided the CEO is provided with sufficient time to build the culture then if the results do not match the expectations of the BOD, fired! The music chair starts again!

  11. Matt Bell
    January 3, 2017 at 1:59 PM

    Hi Norman, great list.

    How about “staff who plan things not truly believing the plan is going to eventuate and rather plan for the sake of planning because it is part of their job”. Or “having a multitude of strategies across an organisation that don’t synergise and ultimately confuse the staff who are meant to put them to effect”.


    Matt Bell

  12. January 3, 2017 at 4:14 PM

    Isn’t the issue more….
    1. What uncertainties am I happy with?
    2. What uncertainties do I have little choice but to manage
    3. How do we propose to mitigate / lessen the uncertainties
    4. How is our execution of (3) proceeding

  13. Terry Hoover
    January 4, 2017 at 6:42 AM

    Good thought and list. Many of the risks you list are on the risk registers that I use / have used (turnover, training, correct people on staff, legacy systems, etc.). If you involve the managers in generating the risk list, they will typically come up with these issues if they are real concerns to them. Most of those that aren’t on the list are at least discussed at some level. That said, while I believe a good risk register provides real tactical benefits to the management of risk, I agree that risk management is not about the list…it is more about the conversation that takes place in developing the list, vetting the list, etc. Simply asking the question of “what are the key risks associated with (fill in the blank)” produces a valuable conversation. When people are truly brainstorming things that can go wrong (or right) in light of their objectives, something positive is taking place. Some of the risks you list (politics, bad CEO, execs know it all)…well, those don’t typically change unless the execs change. Might consider moving on to another company or you will forever beat your head against the wall.

  14. Marc Weinberg
    January 4, 2017 at 7:48 AM

    Dear Norman,

    Many of the risks mentioned above can be rolled into “Ineffective Project Management” – a critical risk that is rarely, if ever, mentioned on a risk register. The Project Management Institute (PMI) has established the PMI-RMP (Risk Management Professional) – and for good reason.

  15. Cary
    January 5, 2017 at 6:24 AM

    Hi Norman,

    I like the list. I’d offer that “cultural identity crisis” due to either bringing in external talent, removing existing culture carriers and/or absorbing another firm’s leadership or Board can be challenging. Taking the “cultural temperature” is a good step for any size firm.


  16. Almutaz Sidahmed
    January 7, 2017 at 12:24 AM

    Toxic culture (recent scandals are clear evidence), although it seems like an impact of some risks you specify above, I think it should be added as a risk by itself.

  17. Buzwe Lindi
    January 9, 2017 at 10:11 PM

    This is so true. Especially if your work environment is not conducive for the staff to thrive whether it’s work conditions or processes that do not support organisational goals.

  18. Rob Frost
    January 10, 2017 at 2:47 PM

    Very good input Norman. I agree with another comment that the risk process is about the right conversations and process. I would broadly describe the issues you raised as reflective of leadership and management efficiency and effectiveness. In my experience, these are generally considerably downplayed in a risk identification and assessment process. The success of a risk assessment often depends upon the honesty of participants; in this area, an objective discussion about the issues you raised is not as full and frank as necessary.

  19. Robyn Lovell
    January 11, 2017 at 5:14 PM

    So – you’ve identified the risks (or causes for risks). The next step is to identify the controls an organisation can put into place to prevent/ avoid those issues. Some are obvious such as hiring policies, training etc., but if there’s a political issue, the response may also need to be political. I’ve found risk identification to be a piece of cake. The controls and treatment plans – that’s the key.
