
The current state of risk management

February 11, 2017

The Ponemon Institute, which I have previously referred to in my posts as the publisher of reports on cyber, recently shared the results of their survey on risk management.

The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management has some interesting content.

The results are disturbing, but unfortunately what I had anticipated.

It is important to note that the 641 who answered the survey were involved in risk management within their organization. So the results are skewed towards having some level of formalized risk management. In other words, they are better than the general population. It is also important to recognize that most of the respondents are IT folk and some of the questions reflect the author’s IT orientation as opposed to a general business one.

The report, as so many, has to define risk management in its own way. But, frankly, it’s not bad. They break it down into risk management and risk intelligence.

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use realtime information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. They don’t define what they mean by a risk management strategy, so I can’t comment further.

But this is key.

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire.

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53 percent of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8 percent of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question.

If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we be surprised that the risk management activity is under-funded?

This is demonstrable when “30 percent of respondents say no one person has overall responsibility to ensure the risk management program is well executed”.

The Appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale of 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.

  1. February 11, 2017 at 2:39 PM

    I’ve been pitching the value of Risk Management, which includes the higher-level categories of Hazard (the purview of the traditional risk manager, often ignored by the internal audit function), Operational, Financial and Strategic, as:

    a) Allowing management to fully appreciate and manage uncertainties, positive and negative, that influence an organization’s ability to achieve objectives

    b) Creating a level of comfort around uncertainties such that organizations are more comfortable taking risks than their competitors who, all other things being equal, don’t manage risk effectively, thus allowing the risk savvy organization to achieve similar objectives more successfully.

    You allude to the author’s definition of risk as workable but reflecting an IT focus. I suspect though that their IT focus has narrowed their idea of what risk management actually is and while they give the appearance of a global view, they have actually missed the mark of a full appreciation of the full breadth of enterprise risk management. Risk Management is more than IT, which is really just one of many sub-categories of Operational risk (depending on your framework), and it’s more than Operational.

    Starting from such a narrow definition, I am left to wonder if that has skewed who the authors have chosen to interview for the survey and the types of questions they asked them.

  2. Norman Marks
    February 11, 2017 at 2:42 PM

    There is detail on the respondents and questions in their report

  3. Glenn Daly
    February 11, 2017 at 4:28 PM

    1. And by the same token, top management have the ability to change the level of effectiveness of formal risk management but choose not to. Are you sure this is simply because they have not been persuaded by formal risk management effectiveness? Dare I say it, but could it not be that both board and top management ultimately want the same thing, which is a simple and fuss-free way to meet risk management related corporate governance requirements. Whether it adds value is simply a bonus. I know this does not play well for selling risk management, but this could be more the reality? Management focus is on making normal management processes more effective to support decision making – not necessarily a bad thing, as if this means risk type practices/tools get integrated into specific business processes then overall risk management becomes more effective. But will this be reflected in the silly surveys which people often respond to from a formal risk perspective? Will it be reflected in the write-ups in annual reports on risk management which often simply focus on the periodic risk updating process, i.e. what has unfortunately become known as risk management from a CG perspective? Probably not.

    2. Maybe. More insight from what is identified as formal risk management potentially means more uncertainty as to whether a business proposal should go ahead. More insight may mean some risk/issue being highlighted to the board. More insight probably means more queries from the board. More insight may mean longer time to make decisions. More insight means many things... and for a risk function that is sometimes set up as a governance function reporting to a board committee (unlike a normal management function responsible for a business process which reports through a CEO), this has implications no matter how hard the risk function tries to be integrated into management. I can attest to this from personal experience.

    7. Satisfying the board and not top management is not a recipe for long-term success... But if a formal risk management function works to the board organisationally and they determine whether you stay employed... depends how you measure success! Rgs

    • Norman Marks
      February 11, 2017 at 5:30 PM

      Well said

  4. February 11, 2017 at 6:19 PM

    Let’s face it folks. We’ve failed! After all these years, all those standards and books and despite its intrinsic importance to an organisation’s success, the take up of good, integrated and effective risk management is abysmal. Sure, there are plenty of organisations compiling an annual risk register and telling their management team and board what their ‘top risks’ are. But the fact is that none of that sort of thing creates much value – and managers know that. That is why they don’t turn up at those meetings or try to minimise their length.

    We all know good risk management makes sense and creates value, but we have failed to convince our customers of those facts.

    We have to start to admit that we have got our approach seriously wrong if something so good is not being taken up and supported. As Norman correctly points out, the gobbledegook we use and the complex confections like risk appetite we have become preoccupied with are not the solution, they are the problem.

    It’s sad to say but, maybe, it’s time to start again: only this time, let’s try to understand what the problem is before we latch onto a solution.

    My perspective is that we have to see the world through our customers’ eyes and only use their language and concepts, not our own. This means stopping using the words risk and risk management – they have too much baggage. Quite simply, we need to help people become more certain when they make a decision and then, afterwards, ensure their decisions remain valid.

    • Glenn Daly
      February 12, 2017 at 12:32 AM

      Having risk management defined as this separate process is consistent with board/top management wanting a clear and fuss-free way to meet their RM related CG requirements? The fact it may add limited if any real value is not the point (even though the surveys may say differently). There are many things that are already embedded and could be embedded in an organisation and its business processes that aid certainty in decision making. In fact when I have recommended such practices I do not face any resistance – no convincing or sell is needed. The problem is that these practices are not always perceived as being part of what has become known as risk management. E.g. boards discuss risk issues. Is it really necessary to have a dedicated sub-committee to show you have risk management going on at board level? Is it necessary to have a specific risk report when others are already providing similar or the same info to mgt/board (the more you move towards objectives status and outlook, the more the overlap becomes)? Is a different approach needed or simply a recognition of what ISO 31000 attempts to get across, that risk mgt should be integrated into a business? If so the write-ups in annual reports would vary more, the cookie cutter approach to risk sold by the industry would be undermined, directors may become less certain about whether they really are meeting their CG requirements etc. Not sure this is the result everyone wants. You can only persuade those who are open to being persuaded. Rgs

    • Leonard
      February 14, 2017 at 1:08 AM

      Grant, well said. Perhaps I can add a little more. It’s more than certainty, it’s also Confidence!

      Risk, audit, governance, compliance and management are about 1 thing and that is behaviours, the right behaviours. Maybe in the new paradigm we might like to start there.

  5. February 12, 2017 at 2:56 AM

    What are risk management and internal audit? They are not essential to the business in the same way as production and warehousing. I like to think of them as tools for business management, like a screwdriver is a tool. A screwdriver is not essential, a coin could work (or hammer!), but they do make life a lot easier when driving in screws. A screwdriver was invented to solve a problem; it doesn’t exist just as a bit of metal with a handle, for example as a result of legislation. A screwdriver is a screwdriver, not a ‘device for the turning of a threaded shaft of metal with a slotted end, usually consisting of a metal rod with a plastic or wooden handle at one end and flattened at the other end’.

    So can risk management be sold as a tool? Judging by the above comments, some managements do see it as a tool for helping them deliver their objectives while to others it’s an expensive item that is not necessary when a hammer will do the job just as well.

  6. Tim Leech
    February 12, 2017 at 5:25 AM

    Norman: Great post. I don’t think RM should be singled out for failure of ERM in its risk-list-centric form, although they, and organizations like COSO that still promoted risk-centric ERM in the June 2016 ED, are definitely part of the problem. Internal auditors, as a general statement, have refused to use structured risk assessment consistent with ISO 31000 in the majority of their work. A senior IIA staffer, very familiar and involved with the COSO ERM initiative, stated in no uncertain terms he couldn’t see how ERM could be used to meet SOX 404 requirements. It was good for other things, but apparently not the objective of ensuring reliable financial disclosures. Only a small % of internal auditors today could do a decent risk assessment that considered all forms of risk treatment. The core CIA training does not cover it. In many organizations IA does its work one way, ERM another, safety yet another, compliance in a different way, legal does not integrate with ERM, etc. It’s time everyone recognized that ERM and IA have a very bad case of paradigm paralysis. https://goo.gl/KBZdyk

  7. Sharon Boyd
    February 12, 2017 at 10:12 AM

    Well, I think you’ve answered the question already with your 8 points. I see enterprise risk management as a facilitation tool, rather than an end in itself. It must ask, how can we identify future speed bumps on the road to meeting our mission and strategic objectives, and how can we lessen the impact of those bumps. Early identification and connect the dots. Actually, the better we do our job, the less we are needed. Management begins to share knowledge laterally and address concerns proactively.

  8. February 12, 2017 at 9:49 PM

    Well, the first unpleasant fact starts with actually a pleasant fact – our business leaders are not idiots ))))

  9. February 13, 2017 at 9:02 AM

    Hi All. You all have written about risk and management of same, but NO ONE here has acknowledged that there is a vehicle that DOES do that: Credit Insurance.

    Credit Insurance insures A/R against the loss of insolvency and/or delinquency, domestic or foreign. It has been around for over 100 years and I have been a credit insurance professional for 45 years. Its growth has been nothing less than spectacular.
    When I started in the business there were 2 carriers plus the government. Today, there are over 15 carriers plus the government. The Government (Exim) did over 30 billion dollars in volume last year and that was export only.

    In addition to its primary function, credit insurance also functions as a collateral enhancement vehicle allowing the policyholder to leverage its relationship with its lender.

    There is much more to this product; not room to detail it all here. But in the discussion that was started by Norman, this was glaringly omitted.

    Respectfully submitted,

    Joel Berman
    Credit Insurance International Risk Management, Inc

    • Norman Marks
      February 13, 2017 at 9:30 AM

      Sorry, Joel but insurance against loss is a poor substitute for avoiding the loss or mitigating its potential effect. In addition, the risk is not transferred completely as there is always a possibility that the insurance will be insufficient.

      Risk management is far more than insurance, hedging, or other strategy. It’s about addressing the possibility and extent of achieving objectives.

  10. February 14, 2017 at 10:07 AM

    Surely there is a psychological dimension which gets insufficient attention. If you tell an exec you can help them make a ‘better’ decision it implies they’re not already making the best decision. Their resistance is natural unless you can make a compelling argument for the methods you advocate. However, many of the methods used by risk managers are too basic to be convincing.

    As you state, business leaders are not idiots. Why would they change their mind about an important decision just because you presented them with long lists of subjective opinions cobbled together from low-energy meetings with lots of their underlings?

    There is an analogy to evidence-based policy generation in the public sphere. Risk management has a chance to succeed if it supplies superior evidence to back a superior risk evaluation and superior risk mitigation. Otherwise it is just another opinion, and business leaders are entitled to have different opinions to risk managers.

    You mention technobabble, but I think risk managers are guilty of something worse: pseudoscience. That’s why it sounds like babble. Good data, good statistics, good analysis – do risk managers have the information, skills and technology to really appraise risk, as opposed to trying to make essentially subjective judgments sound much more objective than they really are? Who cares about the so-called appetite of the organization if we have not identified a useful and objective measure of risk to begin with?

    Finally, I would like to observe that psychology rarely gets treated as an important component of risk management but we all instinctively know that persuasion is a part of any management job. Furthermore, we know that there are common cognitive biases which affect the perception of risk and hence decision-making. Nobody familiar with the work of Nobel-prizewinner Daniel Kahneman would argue otherwise. This psychological aspect is real science, not technobabble, but there is not much effort to formally address the implications within the realm of professional corporate risk management. We should not be surprised if business leaders have a low opinion of risk management, and do not allow it to influence their decisions. Professional risk managers also seem to have little knowledge of the way common psychological biases affect decision-making – whether made by themselves or others – and so fail to allow for them in their own work.

    • February 14, 2017 at 2:52 PM

      You put your finger on it where you say: “As you state, business leaders are not idiots. Why would they change their mind about an important decision just because you presented them with long lists of subjective opinions cobbled together from low-energy meetings with lots of their underlings?”

      I’m afraid our profession does not always attract the clearest thinkers. Otherwise we would all be shouting about the ‘Emperor’s New Clothes’ every time a new whacky confection is dreamt up by consultants or software companies. I’ve been droning on about this for some time, but if people are interested, they can read a paper I gave at a risk management conference a few years ago when I challenged the ever-expanding multitude of artefacts, encumbrances, concocted expressions and three letter acronyms that obscure the core concepts for managing risk and clog up current risk management practice. You can get a copy here:

      When I delivered the paper, some in the audience were excited but many sat there stony-faced. I guess either they did not appreciate what I was saying, or maybe they did!

      • February 14, 2017 at 3:15 PM

        Excellent paper Grant! Thanks for sharing.

        I like the way you attacked some shibboleths that plague us:

        – the wrongheaded idea that different kinds of risks have inherently different characters so cannot be compared;

        – the obsessive over-recording of irrelevant detail that goes into risk registers, making them less useful in practice; and

        – the recurring confusion between risks and the miscellaneous mistakes and issues that have already happened.

        I intend to highlight the paper on my website. Keep up the good work!

      • Glenn Daly
        February 17, 2017 at 5:00 PM

        1. Part of the problem with risk reporting and the tools that support them such as risk registers is simply this. They have been focused on the outputs arising from a risk management framework or, as Grant is describing, the key risk conversations at a point in time. For a director to make a decision about a risk management framework, like when assessing anything, you need to assess both inputs and outputs. A risk report which comments on the quality of staff, whether forums exist and are effective where issues can be discussed, cultural aspects, whether parameters exist to guide decisions etc. would be a rarity and rather novel. Such information probably only gets currently mentioned in a risk report to the extent they are considered key risks or issues, with the readers oblivious to the connection to an effective risk framework or, if they are aware, they choose to ignore the connection for the sake of concluding that the framework is effective. However, may I suggest though that perhaps rather than throw the baby out with the bath water, risk registers or whatever people want to call them (e.g. perhaps call them Decision Support Registers) could assist with collecting such information and maybe be part of the solution. More comments to follow on Grant’s article.

        • February 17, 2017 at 5:43 PM

          The role of an oversight body such as a Board is to be satisfied that things are occurring as the organisation intends. Therefore, so far as risk management is concerned, the committee needs to know that, when decisions have been made:
          – The organisation did have a current, comprehensive and correct understanding of the risk it faced; and
          – That risk was at and remains at an acceptable level.

          However, it is impossible for a body to know that this has been achieved by looking only at a historical, probably out of date, list of risks in a risk register: the existence of a red or orange risk in the register says nothing about the validity or competency of the process by which this was derived!

          How does the body know that those risks are current, comprehensive and correct and are at acceptable levels? What evidence has it that the organisation has the capacity to manage risk on an ongoing basis, as part of everyday decision making? The body can only answer these questions if it is provided with reliable evidence that the organisation’s framework for managing risk is soundly based and continues to be effective.

          The third edition of the Australian Securities Exchange (ASX) Corporate Governance Principles is recognised as best practice in terms of oversight arrangements for all types of organisation, not just those listed on the ASX. Principle 7 states that:
          – An entity should establish a sound risk management framework and periodically review the effectiveness of that framework.
          – Recognising and managing risk is a crucial part of the role of the board and management.
          – It is the role of management to design and implement that framework. It is the role of the board to oversee its risk management framework and to satisfy itself that the framework is sound.
          – The board should review the entity’s risk management framework at least annually to satisfy itself that it continues to be sound.

          This reflects both good practice and common sense and the principles have wide applicability to all organisations in all countries. The implications of this are that competent oversight requires organisations, through reports, to:
          – Demonstrate they have a sound framework for managing risk – otherwise any other risk information supplied to an oversight body is not credible and reliable;
          – Report on the framework, its appropriateness and effectiveness;
          – Provide information on risks, controls and risk treatment only to illustrate that conversations about risk and its management are taking place in practice; and
          – Report on risk management performance overall. Ideally through using the organisation’s normal performance management and reporting systems.

          • Glenn Daly
            February 17, 2017 at 6:41 PM

            Grant, I will keep going with my comments on your article and then circle back later to address your response.
            2. Modern day risk management software packages supporting risk registers distinguish “issues” from “risks”; they allow you to document objective “context” information, risk treatment plans, control assurance plans etc. with risk being the bridge. Information you specify in your article that you feel or imply should feature in registers, if they exist at all. The forms this information is on is typically in portrait format, or at least in my company’s software. Excel landscape based risk registers were what I was using about 30 years ago. Whilst I am not saying this necessarily makes them any more useful, I simply want to highlight that in the right hands, a risk, objective or whatever you call it register can do many things. I would not have been sitting stony faced when listening to your presentation on this particular aspect in 2014, I probably would have been listening in disbelief. Now having said that, the overall conclusion you reach is not something I necessarily disagree with (as you would be able to see from my other posts) but it’s probably more about how you reach it. More to come. I appreciate the engagement.

            • February 17, 2017 at 9:40 PM

              My experience is that many organisations still use Excel; maybe 80% of the ones I deal with. You are lucky your company provides nice software, but often this is over-elaborate. It also raises the important question of how you can properly integrate the risk management process into your organisation’s decision making processes when you use separate software.

              I think it’s really important that organisations store records of assumptions (what risky people call risk sources), controls and action plans (treatment plans etc.). They certainly don’t need lists of risks though. They just need records that show that a conversation about risk (singular) has occurred. Minutes of the meeting, if you would.

              However, it’s not clear to me why people need special risk management software to record all that. After all, we are talking about the normal business processes of preparing for a decision, making the decision and checking afterwards to ensure it remains valid. Most organisations already have systems to record such things.

              And as for issues…! What are these? Just grumbles and ‘concerns’ that we are too lazy to investigate properly?

              • February 18, 2017 at 4:15 AM

                Grant and Glenn. Interesting discussion, but nowhere do you mention internal audit. It is their responsibility to confirm to the board audit committee that the controls which manage risks are present and operating correctly. (That’s a simplification!). IA therefore need a comprehensive list of those controls, which are managing the risks which are threatening the achievement of the objectives of the organisation. Without this list, they are likely to cobble together a list of risks which they consider significant and base their annual plan on this. Not the best way of internal auditing.

                • February 18, 2017 at 4:29 AM

                  David, the opposite of ‘risk’ is not ‘control’. Implementing or maintaining a control is one kind of response, but may not be the right one, and not all risks can be mitigated with controls. You’ve unwittingly highlighted why lists fail. They can become long rambling to-do lists that encourage the people who write and read them to lose sight of the big picture. Hence Grant is right to observe that the entries on these lists are often out of date. Worse still, the ‘controls’ can often descend into pointless make-work where the people executing the control have little sense of how they connect to the organization’s objectives. These are all good reasons for execs to ignore the lists put in front of them.

                  • February 18, 2017 at 4:48 AM

                    Commsrisk, I’m not suggesting the opposite of risk is control. Controls (treatment) are one response to a risk (as you point out), the others usually being considered as: tolerate, transfer and terminate. That doesn’t change IA’s responsibility to ensure that the response to all risks is ultimately in the best interests of the investors. If these ‘lists’ are worthless, then so is the assurance provided in the company’s published accounts.

                    • February 18, 2017 at 6:16 AM

                      David, if controls are just one treatment, why did you single them out? It’s because they’re easy to list. And so a circularity begins. You suppose that the assurance provided to the company’s accounts might be worthless, and I agree. Just look at how many companies have published accounts which are wrong – and that’s just the ones we know about.

                • Glenn Daly
                  February 18, 2017 at 3:56 PM

                  Fully agree David. I think Grant also sees more value in the controls/risk treatment part of the risk registers as they are something more tangible in his eyes than the risk statements. My simple point was that the risk information in a risk or objective register typically acts as the bridge to this type of info. My query would be though whether IA effectively utilize the info in the risk registers? (or do they often do their own risk assessment/perform reviews that suit their quals/experience etc. rather than really do what you are saying). My experience has been more the latter and hence the registers are not always utilized as effectively as they could be by IA folk... but perhaps not in your case, which is good to hear. Rgs.

                  • February 19, 2017 at 2:09 AM

                    Glenn, I suspect many IA departments do their own risk assessments, encouraged by the IIA’s standards (2010).

              • Glenn Daly
                February 18, 2017 at 2:13 PM

                Grant – this is how I would reply to your query and more generally some observations in your article. My company has an objective around having good corporate governance related to risk management. This can be likened to a company having an objective related to having a good strategy. To support the objective we have a formal risk management process. This can be likened to a formal business planning updating process. As part of the process, a board subcommittee has been set up called a Risk Management Committee which meets every quarter to review and make a decision on the adequacy of the risk management framework. This quarterly “decision” supports a “decision” at the end of the year by the board/CEO & CFO as to the effectiveness of the risk management framework (as per the Malaysian Corporate Governance Code). As part of the process, and to help the directors make a decision, a risk report is compiled and presented, with tools such as risk registers helping develop the report. Risk registers can be likened to the risk assessments / stress testing undertaken in a normal business planning updating process, i.e. they are integrated into the process which helps with the “decision”. That is how the risk registers are integrated in. Now you can query whether a risk report helps with the decision, and you can in turn query whether risk registers help with the report. But here is the reality. Under the Malaysian CG Code, a report is viewed as helping with the “decision”, and risk registers are considered by me to help with the report. The fact Glenn Daly thinks the risk report overlaps with what others report to the board becomes irrelevant (refer to my previous posts to Norman and Tim Leech etc.). If I want to keep my job, I produce a report. The directors want a report and I try and do my best to produce a report which I think helps with the decision. To do this I leverage the best brains I can find (Purdey, Marks, Leech, and my own ideas) and produce a report.
                Because we are a conglomerate which involves multi-industry, multi-country, multi-business-unit operations, I felt some risk management software was the best way for all the business units scattered across the world to report into a very small risk management unit on their risk updates (or key risk conversations), with the key ones being incorporated into a report that is very objectives-based, focusing on performance and outlook, with key risks of concern (those impacting multiple objectives/exceeding risk appetite) also being singled out. The software also supports our risk management KPI index (linked to Divisional MD scorecards) which focuses on measuring effectiveness in terms of the formal risk management process, i.e. quality of risk updates from the various business units, actions completed on time, number of issues/actions raised against a target, % of KPIs input and measured against objectives/key risks etc. The software also has a sign-off approval function that allows me to drive home accountability for the update to the heads of the business units. To do all this in Excel would be pretty difficult in my view. Is it over-elaborate? Welcome any ideas where you think I can cut back, cognizant of the Malaysian CG Code and what my directors want in terms of them being able to meet their CG requirements.

                • Glenn Daly
                  February 18, 2017 at 3:22 PM

                  Point 2. What are the challenges in terms of making this process effective? The reality is that there are some key differences between the formal risk management process and a business planning process. A risk management process is typically viewed as a “governance” process and the business planning process a “business” process. To generalise, one is seen as supporting directors making a decision and the other is viewed more as supporting management making decisions. This has important implications. Attempts are made to blur the formal risk management process into being a business process but they have largely failed. Why? Is it along the lines you suggest or could it be more this? Something tangible ultimately comes out of a business planning process, i.e. an updated strategy. What comes out of the formal risk management process (whether along your lines or not)? A decision that the risk management framework is effective. Is it any wonder management are not convinced of the value? Sure we can go on about more effectively supporting decision making, fostering culture, and other stuff, but in the end I do not see too many companies anywhere in the world indicating in their annual reports that their risk frameworks are ineffective (even though sometimes they probably are). Will this change under your suggested changes? Probably not. Why? ISO 31000 is a standard (understandably) that is not certifiable. Internal audit are scratching around still trying to work out how to review risk management (all the gurus mention risk management should be reviewed by IA and then noticeably stay very quiet on how this is to be done), and the quality of external independent review is somewhat questionable. Here in Malaysia the external auditors review the opinion by the CEO / CFO to the board on the framework and sign off on it.
                  This entails a Big 4 consultant-level external auditor (working to international standards of work) calling me up about 1 day before the deadline asking me for the “risk reports” which are supported by our “risk registers”. They invariably sign off indicating the framework is effective. You may well think that you have “fixed” up this aspect by making some theoretical amendments to your Australian Risk Management standard about focusing on oversight of the effectiveness of the framework. Australia of course leads the way. Good luck! It's all a façade without substance in my view, no different to here in Malaysia. More substance needs to be built into the whole measurement / review process, but is it in anyone's interest to do this? Directors want a clear and fuss-free way to meet their CG requirements, despite what the silly surveys say. Anything that adds to uncertainty over this is not a good thing. The “industry” who advise the regulators and directors want something that makes them money. Risk registers or no risk registers, there are a number of problems with the current set-up and I am afraid even if we head down your path, there are some bigger overarching problems. Rgs, Glenn.

  11. February 14, 2017 at 2:00 PM

    Norman, you bring up excellent points in your post. I agree that the complex terminology and processes that require training for the business people on how to do a risk assessment do not help the situation. Getting a foot in the door at the beginning of strategy development, creation or expansion of vendor management, etc. is the key to risk management making headway and demonstrating value to executives. Yes, there may be compliance requirements for RM... but who likes to be invited because “they had to” versus “they thought you would add value”? With the acknowledgement that risk management (and ERM) can and does fail at organizations, I just published a post on the topic: http://erminsightsbycarol.com/4-possible-paths-erm-program/. Would be interested in your perspective on the post, as it ties into your article.

    • Norman Marks
      February 14, 2017 at 2:23 PM

      Carol, I posted comments on your post. Let me know if you agree or not.

      • February 15, 2017 at 7:33 AM

        I agree! And I replied to your comments. Thank you, Norman!

  12. Rogerio Santos
    February 18, 2017 at 4:49 AM

    In my opinion, risk practitioners should use the word ‘uncertainty’ instead of ‘risk’, or talk about opportunities and threats instead of identified risks!
    Board members avoid hearing about risks because it makes them feel afraid of failing after deciding. I mean, they don’t want to believe their last decisions are risky, so if someone – like the Chief Risk Officer – tells them that some activity is risky and they have responsibility over that point, they will fight to keep it out of sight. Processes and techniques for identifying, assessing, implementing and reporting should be translated to board members as ‘opportunity for earning money’ and ‘threats of losing money’ or ‘cost of granting business success’.

    • February 18, 2017 at 5:37 PM

      I like to talk about uncertainties too. However, I normally try to describe the risk management process as helping an organisation gain greater certainty – that decisions will lead to the outcomes it desires and that those outcomes will aid and not detract from the organisation’s purpose as defined by its highest level objectives.

      I would differ from you in using the terms ‘threat’ and ‘opportunity’. Threats are not risks, they are sources of risk. Also, ‘opportunity’ is not the antonym to ‘threat’. Also, incidentally, ‘opportunity’ is not the antonym of ‘risk’!

      Opportunities are circumstances that make it possible to do something that would contribute towards achieving the organisation’s purpose or objectives. Although particular circumstances may provide or contribute to opportunities to more than one organisation, opportunities are defined by the objectives of a particular organisation.

      As for ‘risky’, well everything including life is risky – thank goodness, otherwise it would all be rather dull.

  13. Colin Washington
    February 24, 2017 at 6:18 AM

    I think that this dichotomy between idiotic business leaders and non-idiotic ones is simplistic and unhelpful. How can we expect business owners to be experts on everything?
    I have worked as a risk-based auditor and also as a risk manager. What shocks me is that there have been many instances of risk management having one risk register and internal audit having another one, with no attempt to reconcile the two. This practice wastes resources.
    It has been my experience that too many risk professionals are too happy to discuss risk treatment without specifying the necessary controls. A classic example is how risks are treated by outsourcing, be it insurance or computer services, where the SMT does not realise that they retain the responsibility and hence must review the outsourced function in great detail.
