
How do we make decisions? Where does ERM fit?

How do you make decisions in your personal life?

How do you decide where to live, which car to buy, and where to go for lunch?

For many of us, the last is the most difficult decision to make in a day!

So let’s think about it.


It’s lunch time. Even if your watch didn’t tell you, your stomach is loud.

The first decision is whether you are going to eat at all.

Can you afford the time? Can you afford not to eat, given what lies ahead in your day?

What can you get done if you skip lunch? What will suffer if you don’t?

Did you bring your lunch to work? That would provide a compromise solution: eat while you work. Do you really want to do that and risk getting stains on your papers? Is it accepted behavior or will you be forced to leave your workspace for a lunch room or similar – in which case, time might be saved but the idea of eating and working may not be achieved.

If you have to get some lunch, where do you go?

Do you go where you love the food, or where you can get a quick bite of so-so flavor and be back at work promptly, or do you go somewhere where the food is just OK but at least is relatively quick?

Or, do you gather up some colleagues and have a lunch together? This may help with team spirit and other objectives but would take longer. Maybe your colleagues ‘expect’ you to go with them and failing to do so will affect your relationship with them.

Can you afford the time, given how much work you have and the deadlines given you by your boss?


There’s more to the lunch issue (such as how will you get to the restaurant and when you should leave), but let’s leave it there.


What we did was consider our current situation and determine whether it was acceptable or not. We decided that it was not, because we needed (and wanted) to eat. The value of eating outweighed the loss of time (sorry, boss).

We then considered all the options, the benefits and downsides of each.

We made a decision.


Where was the risk manager with his list of potential harms?

Did we have a separate analysis of the risks from any analysis of the benefits (getting more work done, satisfying the boss, enjoying our food, and being ready for the rest of the day)?

What would you say if one of your colleagues responded to every suggestion about a restaurant by pointing out what could go wrong (bad food, food poisoning, delays getting back, unpleasant service, and so on)?

Would you say he or she was doing their job well and look for a separate colleague to identify and assess all the good things that might happen by going to this or that restaurant?


Can risk practitioners continue to be the voice of gloom and expect to be asked to join the CEO for lunch at his or her club?


I welcome your thoughts.

  1. May 8, 2017 at 7:32 AM

    Your underlying point is spot on. Risk management makes little sense if done outside of decision making and little use if just covering the downside. The lunch example is a bit off, because it’s such a low stake situation. Buying a property overseas on mortgage or choosing time and place for the next overseas holiday that’s when risk management kicks in big time :))

  2. May 8, 2017 at 10:29 AM

    Norman, you say, ‘Where was the risk manager with his list of potential harms?’ Thus implying that all risk managers do is to highlight harms. If this is the case, risk managers should be abolished, since it is management’s job to highlight harms. In your example it is the risk manager’s job to facilitate a decision:

    What is your objective? ‘Finish an important report by 5 pm.’

    What are the benefits assisting this? ‘I’m in the office with a team around me.’

    What are the risks threatening this objective? ‘I’ll get hungry and quality will suffer; I’ll get interrupted.’

    Bearing in mind the above, what’s your initial decision/control? ‘Go out for lunch.’

    What are the benefits? ‘Get a break to rethink; Get some fresh air to the brain.’

    What are the risks? ‘Waste time over a long lunch.’

    What is your decision/control? ‘Buy good sandwiches and a drink. Sit on a quiet seat in the park and make notes about the report on my smartphone, while basking in the sun and listening to the birdsong.’

    The above reasoning follows the methods outlined in http://www.internalaudit.biz. So I think you can use risk analysis, but you don’t necessarily need a risk manager.

    • Norman Marks
      May 8, 2017 at 3:28 PM

      You get an A+ from me for your analysis, David

  3. May 9, 2017 at 11:52 PM

    In an organisation I worked for in the past we changed the discussion the other way around: why take all kinds of business continuity measures when we accept that the entire board takes lunch in the same restaurant (and risks food poisoning) or uses the same plane to travel abroad.
