
How to mess up your risk management program

January 28, 2017

My friend and sometime colleague Rick Steinberg has penned an amusing but spot-on piece that was recently published in Compliance Week.

Ten simple ways to manage risk … or not is a quick way to test whether you have an adult’s or a child’s risk management program.

Does your risk management activity ‘check the box’, or does it help the organization succeed by making more intelligent and informed decisions?

Tell me what you think of Rick’s ten. Here are some of my own, in addition to his excellent ones:

  • Be satisfied with the periodic review of a list of risks
  • Separate the discussions of strategy, performance, and risk
  • Ignore the fact that risk is created or modified with every decision
  • Don’t question how people make decisions, whether they do so in a disciplined manner that considers what might happen
  • Believe that an enterprise risk appetite statement drives decisions and risk-taking at all levels of the extended enterprise
  • Fail to assess the reliability of your risk management practices

Let me expand on the last of these, a principal theme of World-Class Risk Management.

If you follow the principle of setting objectives, identifying the risks to those objectives, and then ensuring that measures are in place to provide reasonable assurance that the objectives will be met, then risk management itself must have objectives. They include:

  • Identify the more significant risks to the achievement of enterprise objectives
  • Analyze the risks to determine their potential effects (consequences) and the likelihood of those consequences
  • Evaluate the risks (individually and in aggregate) to each objective and determine whether they are acceptable
  • Respond when the risks are at unacceptable levels
  • Monitor the condition of controls to ensure that the likelihood and extent of a failure in controls continues to be at acceptable levels
  • Communicate risk information to all who need it, when and how they need it
  • Manage all of the above at the speed of risk

There are risks to the achievement of these objectives. In the book, I reference a number of sources of risk, such as:

  • Unreliable information
  • Failing to involve all the necessary people
  • Failing to communicate to decision-makers guidance that will help them take the right level of the right risks
  • And many more

Few self-assess their risk management program. Where internal audit assesses it, I believe they focus more often on compliance with policy than on the level of risk that risk management will fail.

So, let me leave you with a couple of questions.

  1. What other signs are there that you have messed up your risk management program?
  2. Have you defined the objectives of your risk management activity, identified and assessed the risks to their achievement, and reported your assessment to executive management and the board?


  1. Robert Hart T
    January 28, 2017 at 10:15 AM

    Dear Norman
    Do you have a best practice in a risk appetite statement?

    Robert Hart
    Netherlands/ Holland

    • Norman Marks
      January 28, 2017 at 10:18 AM

      Robert, I have written quite a lot about this. It will all depend on your organization, but you need to ask who is taking risk and how can you guide them. SAP does it quite well. They treat taking risk the same way as spending money. They delegate authority to do both depending on ‘level’ of risk and the executive. Frankly, I prefer the concept of risk criteria as multiple attributes may be applicable to a risk decision.

  2. January 28, 2017 at 9:58 PM

    Steinberg’s article is interesting, albeit bordering on cynicism. But the main problem I have with it is its understatement or trivialization of the execution of risk management. It’s (execution/implementation) the most difficult part of effective risk management, and it’s quite neglected in Steinberg’s article. And the CRO has an important role in that execution process, that is, to encourage consistent and constant compliance with effective risk management principles and practices by the decision-making personnel of the enterprise and throughout the organization. It’s not simply a grab for power by the CRO, and if it is, then redefine his/her role, objectives, functions, scope and accountabilities.

  3. Glenn Daly
    January 29, 2017 at 1:45 AM

    Additional key risks to a formal risk management program:

    Key senior management who prefer everyone to be positive with questions or issues raised about decisions being perceived as negativity or undue worrying about things that may not happen. Whilst it is agreed being around constant negativity is not good, constructive challenge where appropriate should be encouraged.

    A board who display limited if any interest in formal risk information/reports by not overtly leveraging them to query management in committee meetings, RMC meetings being held 2 plus months after the end of a quarter, focusing on other matters during meetings etc., with flow-on impact to management who see this and know the board are not that interested and then in turn demonstrate minimal interest in formal risk management. Whilst it is agreed that board committees have an oversight role, if this is carried to the extreme with risk reports being noted every meeting, the reality is this has significant adverse implications for a formal program operating effectively on the ground.

    Risk staff being forced to adopt the latest thought bomb from consultants and the like who press board members to query the adequacy of their risk management programs, leading to instability and lack of progress with even the basics. Whilst it is agreed constant improvement should be a characteristic of formal risk management, this must not be carried out to the extreme in response to aggressive sales tactics from consultants.

    Generic risk management program which is not tailored to the specific circumstances of an organisation, cognisant of the existing risk-related information and reports etc. that are going to board/management, leading to duplication/overlap. Whilst acknowledging the need to satisfy corporate governance requirements, if the risk information/program ends up duplicating what others are doing, it drives the risk program into redundancy.

    • Norman Marks
      January 29, 2017 at 5:49 AM

      Glenn, some good points.

      When the board shows no interest in RM, I have to wonder why. In my experience it’s because risk is being addressed in isolation, not linked with strategy development, execution, and performance management. They cannot see why a list of risks matters and can affect the likelihood of achieving objectives.

      Is that a failure of the board or of the CRO?

      • Glenn Daly
        January 29, 2017 at 3:12 PM

        Norman… I thought so too; that is why 12 months ago our reports underwent a complete makeover after reading World Class Risk Management, and focus on giving an update on performance status and objective outlook for each strategic objective. The problem appears to be that our performance update largely duplicates what others are already telling them, and indicating what may happen in the future distracts them from dealing with the significant here-and-now issues, and they are told the key challenges going forward anyway by the businesses in operations update reports to the board. Hence the other risk management program risks I mention. Look, I am not arrogant enough to suggest that my risk reports are perfect as per the Norman Marks ideal; however, they are not too bad. In larger companies, formal risk programmes do face a problem, in my view, finding a niche where they can be value-adding. Rgs

        • Norman Marks
          January 29, 2017 at 5:16 PM

          Well said, Glenn.

  4. January 29, 2017 at 11:40 AM

    Another one for the list of how to mess up your risk management program:

    When implementing an ERM program, make it as complicated as possible. Forget that risk management is a process that evolves over time, and that it involves a change in the culture at every level of the organization; do everything all at once.

  5. January 30, 2017 at 7:11 AM

    Another: outsource your risk, or management of it. Companies may divest operations that don’t fit their core strategy, but these operations can play a key role in implementing their strategy. Remember when auto makers were vertically integrated, and made most of their own parts? Divestiture/ outsourcing can change the nature and complexity of the risk, but it does not eliminate it.
    Same with outsourcing risk management to a consultancy. External resources can be very helpful, but the ultimate responsibility is on the board and management. If external resources are to be used, co-sourcing can be a better model.

    • Norman Marks
      January 30, 2017 at 7:13 AM

      Good point. It’s like outsourcing strategy.

  6. Eline Nelson
    January 30, 2017 at 8:36 AM

    Hi Norman.
    What happens when there are not clear objectives in an organization? Does this mean that risks cannot be assessed or is it mainly strategic and operational risks that cannot be assessed? What is risk management’s role when there are not clear objectives?


    • Norman Marks
      January 30, 2017 at 8:38 AM

      If there are not clear objectives, that in itself might be considered a ‘risk’ – although purists will say it’s a fact and not a risk.

      Even so, the unstated objectives can be determined fairly readily and then agreed on with management.
