
Risk in the Fourth Dimension

January 15, 2017

When I was a young boy, my family often spent our vacations at a hotel near Rimini, on the Adriatic coast of Italy.

The hotel owner had a six-year-old son. If I recall correctly, his name was Mario.

Mario only spoke a little English, which he had picked up from guests. But there was one word that he used all the time and which I recommend to you now.

The word, a magic word with amazing power, is “why”.

“Why are you going to the beach?” “Why do you want to swim?” “Why do you want a tan?”

Let’s think of the power of this word when it comes to risk and risk management.

For board members and executives, the question is “why should I spend my limited time on risk management? Do I do it only because it is expected or the regulators told us to do it?”

For risk practitioners, the question is “why should risk management be important to the organization and its leaders? Are its leaders only paying scant attention because it is expected or required for compliance with regulatory requirements? Why am I doing this; is it because my job is to help manage risk, or is it for some larger purpose?”

For internal auditors, the question might be “why should I assess risk management? Is it because that is what internal auditors are expected to do? Is it because it is ‘best practice’ or required by IIA Standards?”

I think these are all good questions that demand answers.

The answers are the key to unlocking the value of risk management.

The journey to the answer to the question ‘why’ starts with answering the question ‘what are we trying to achieve?’

We say that risk is about achieving objectives. So what are they? What are we trying to achieve?

We also say that risk management enables us to make more intelligent and informed decisions, and that making the right decisions is how we achieve our objectives.

So, every time we think we need to make a decision, we should ask “What are we trying to achieve?” followed by “Why are we making this decision?”

Now, we can start to think about what might happen (getting rid of the ‘r’ word, which only limits our thinking).

We can progress to additional questions, such as “Do I have all the information I need; am I involving the right people; how will my decision affect my and others’ objectives; what are the options; which is best; are any of the potential consequences of the decision unacceptable?” and so on.

But if you don’t have an answer to why you are making the decision and what you are trying to achieve, will you make the right decision?

For board members and executives, there has to be a rational and adult answer to “why should I care” and “why should I spend my time?”

As adults, we shouldn’t be doing things just because we are told to do them.

As children, when our mother told us to make the bed, did we do it well or just enough to get by?

If we were in the armed forces and the sergeant told us to make the bed, we probably made it better than was really needed for our comfort.

As adults, we make it (I hope) well enough to make the room look OK and our bed comfortable when we return to it.

As adults, we should manage risk because of its value to the organization, not because we are told to do it, because it is in the governance code, it is our job, or because of professional standards.

Understanding the value starts with “what are we trying to achieve?” on the journey to “why are we doing this?” and “what is the right decision?” The word ‘we’ includes us as individuals, as members of a team, but especially the interests of the organization as a whole.

Let’s take a specific risk management task, the report to the executives and the board.

Why do we do this, prepare and share the report?

What are we (the risk practitioner) trying to achieve?

What are they (the board and executives) trying to achieve?

Is this the right communication? Is it helping them achieve what they want to achieve?

Are we practicing risk management as children (doing what we are told or is expected) or as adults (doing so because it helps the organization and its leaders succeed)?

I welcome your comments.



PS – the title is stolen from the late Victor Mollo, author of two of my favorite bridge books, Bridge in the Menagerie and Bridge in the Fourth Dimension.



  1. Glenn Daly
    January 15, 2017 at 2:22 PM

    Unless someone is really convinced about the value of something, no matter how it is sold, they will act like “children”. People act like adults in relation to risk management when using risk management tools such as value at risk to help make decisions when trading commodities. Why? Because this practice helps them with making decisions. They turn and act a bit like children when asked to update their risk registers. Why? It is not seen as assisting with achieving their objectives. There is an entire industry that has grown up around trying to get people “engaged”, e.g. the latest buzz word, interpretation etc. Why is this needed if such practices are so obviously set up to help with achieving objectives? Could it be the info coming from this particular process does not tell management anything they did not already know? (no matter how well it is practiced). Could it be that it largely duplicates the normal management process?

  2. January 15, 2017 at 2:29 PM


    One of the downfalls of the risk management profession of late is that we consistently fail to define the problem before taking up a solution. Great examples are the hideous and unnecessary concept of inherent risk, the pointless lists of risks in risk registers and the whacky confections we seem to come up with each year like risk velocity, risk appetite and risk-based thinking. Often we seem more easily seduced by three letter acronyms like ERM, ORM, RBT, KRI etc. than spending time understanding the problems of our organisations and the needs of those who run them.

    It’s always healthy to challenge “why” we are doing something that has become custom and practice, but maybe of greater value is to start at the beginning and ask “what” is the problem before we leap to adopt this year’s risk-something confection or three letter acronym.

    So often when we do this, we end up saying, like the apocryphal Irishman when asked for directions, “but I wouldn’t start from here Sir”.

    Let’s hope more not only question “why” but also ask “what” in 2017.

  3. Ray Willows
    January 15, 2017 at 5:21 PM

    Good article, Norman. The setting of clear objectives seems to be too difficult for many managers these days, so I’m starting to talk more along the lines of, “I have a process and some tools that could help you be more successful” (I recall others may have said something similar in posts previously). They seem to understand this approach a bit better! And it helps steer things away from the ‘negative’ perception of risk (also mentioned in this blog previously).

    Linked to the above view on objectives, many (corporate) people these days seem to be happy as long as they are doing SOMETHING – doing anything – being busy. It brings to mind one of my favourite quotes (author forgotten), “Most people would prefer to live with a solution they understand, than with a problem they do not understand” – to Grant’s point above.

    It’s difficult to move the conversation forward when people or teams are not even clear on their business objectives.

  4. Kaiser Naseem
    January 15, 2017 at 8:06 PM

    Agree, Norman. It is the “why” and “what if” that matter. However, I think that risk practitioners these days are overwhelmed with the type and number of risks they need to be aware of and mitigate against. So “what can go wrong” in one’s assessment can only be done if one really knows what “CAN” go wrong.

  5. Gary Lim
    January 15, 2017 at 10:11 PM

    The culture of the race or country has a part to play. I believe Asian culture children is to be seen and not heard, a big difference with the Western culture if my observation has some truth. Next would be the difference of remuneration so the concept of What’s In It For Me becomes relevant. Top management are paid very well and so it is their job to not us. Sounds negative but this is my observation and there is an element of truth in it. I am from Malaysia, if you had read a bit of the political scenario you would know what I mean. However other countries where the new generation gets more exposure, they will not only ask WHY and then WHY NOT!

  6. January 16, 2017 at 12:59 PM

    Quite right Norman. There’s an excellent book written by Mark Magnacca, titled “So What? How to communicate what really matters to people”. Asking “Why?”, as well as “So What?”, will focus our attention on things that really matter to our audiences.

  7. Steve
    January 17, 2017 at 1:54 AM

    I have to agree with what you are saying in your article. The business (whether it be the board for strategic decisions or executives and managers for operational decisions) should be asking ‘why’ am I making this decision. They should understand ‘what’ they are proposing to do and achieve and ‘why’ they are proposing to do it. In my opinion, we as the risk practitioner should be there to help facilitate the discussion around these questions (and subsequent questions) and help them understand both the positive and negative outcomes which may occur if they make that decision.

    • Norman Marks
      January 17, 2017 at 6:47 AM

      Well said, Steve

  8. Edward Clark
    January 22, 2017 at 6:04 AM

    If your risk analysis is relevant, this goes a long way to answering Why (I call it The “So What” factor). I had a scenario where I ran an exercise and when asking for feedback a participant stated that he thought the scenario was relevant and pertained to his job and not responding to a tornado in Norway. If you are listing risk-based scenarios in your registry because they are on a list of “Best Practices” it is like walking into an emergency room and asking to be treated for the ailment suffered by a majority of the patients.

    Operational Risk managers have to know when their risk either deviates from the Risk Appetite or approaches the level of risk tolerance. This is where we see risk supporting the organizational objectives. Otherwise, The Enterprise Risk Management function practices spurious risk management by only picking low hanging fruit or some other subjective method.

    Another dynamic that impacts the Why is regulatory compliance. If you have a business process regulated by federal legislation, you oftentimes find the answer to WHY being that you must protect your assets from the regulator and not the actual force the regulation is designed to thwart.

  9. ayo
    February 27, 2017 at 8:31 AM

    Very interesting and thought-provoking article at a time when our ISO consultants are querying our Risk Mgt. process (action plan) and monitoring process.
