
Key Principles of Successful Risk Management

December 8, 2017

First, let’s congratulate Jim DeLoach for his recent recognition by the National Association of Corporate Directors. He received their Directorship 100 award this week.

Now, let’s look at his latest risk management post.

His 5 Key Principles of Successful Risk Management are:

  1. Integrity to the discipline of risk management
  2. Constructive board engagement
  3. Effective risk positioning
  4. Strong risk culture
  5. Appropriate incentives

Each is important.

But are they the key to successful risk management?

Are they half as good as the principles in ISO 31000:2009 or in World-Class Risk Management? The latter are:

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

How about these?

  1. Focus on enabling success rather than avoiding failure
  2. Help everybody make informed and intelligent decisions, understanding what might happen and acting accordingly
  3. Obtain reasonable assurance that people are making quality decisions and taking the right risks

The rest is detail.

Somehow, we need to move the practice away from a periodic review of a list of risks (which Jim refers to as enterprise list management) and toward increasing the likelihood and extent of success.

I welcome your thoughts and commentary.

  1. Jim DeLoach
    December 8, 2017 at 4:47 PM

    Thanks for the kudos, Norman. Happy holidays to you and your family.
    • Norman Marks
      December 8, 2017 at 4:48 PM

      same to you, Jim

  2. December 9, 2017 at 9:54 AM

    Hi Norman

    Nice resume however not sure about the addition
    “Focus on enabling success rather than avoiding failure”
    I get the intent but I think a more balanced expression is needed. I have often seen where too much emphasis is placed on success whilst ignoring threats or potential failures.

    A balanced approach to threats and opportunities and a balance between success and failure. RM should support the achievement of objectives through the pursuit of opportunities whilst controlling potential threats.

    • Norman Marks
      December 9, 2017 at 10:02 AM

      Sean, I understand what you are saying. But sometimes you need to take the risk, accept the threat. Success means knowing when the upside, on balance, justifies the risk.

  3. Pascal Duport
    December 9, 2017 at 10:52 PM

    Reasonable assurance that performance will be optimised? Well, it probably depends on your definition of optimization. However, in the context of planning for an uncertain future, this is a very theoretical notion. You will know whether you achieved it only a posteriori.
    Thanks for sharing your opinion.

  4. Lalit Dua
    December 11, 2017 at 12:19 AM

    An optimism of success prevails when objectives are defined and also the acceptance that there may be obstacles and uncertainty to achieve the same. Here the integrity to the discipline of risk management is important, and turning blind to the possibility of failure is self-deceiving.
    RM exercise helps in making the right decisions, in pursuit of goals, in a systematic and structured way. Again, the culture of RM should be enterprise-wide, and any disconnect in efforts will increase the risk of failure.

  5. Hans Læssøe
    December 11, 2017 at 2:33 AM

    True – Risk management MUST be embedded in decision making. Both COSO and ISO have stated this for years, yet the idea is rather systematically ignored in most companies.

    Maybe we should stop talking about risk management as more than management of risks we have already taken, just like we do not talk about financial bookkeeping as part of decision making, but of recording money already spent.

    Let us instead talk about intelligent risk taking, when we wish to impact management decisions – that are never about limiting/avoiding risks anyway.

  6. GSosbee
    December 11, 2017 at 6:29 AM

    No matter the subject, everyone approaches it within their own experience. While there are a lot of “risk managers”, there are very few experienced enterprise risk managers. Protecting liquidity (both invested and earned) as determined by the owners of the organization through the board of directors is what risk management is all about. Projecting “what if’s” without the “what did’s and does’” is an academic exercise and not risk management.

    While the risk transfer industry loves risk registers, a risk register is really a useless document to a risk manager since the risk manager must know not only the risks facing the organization, but also the risk each exposure (risk) presents to the organization. The risk manager works off a risk matrix that quantifies organizational risks which enables stratification which provides an input to strategic decision making. That said, Jim’s list is the closest to what I refer to as practical risk management rather than theoretical risk management.

  7. December 11, 2017 at 3:24 PM

    Gidday Norman – good stuff. One of the challenges, I face in educating my colleagues in the festivals & events industry on ERM is how to translate the ISO 31000 principles and guidelines in a pragmatic way which will resonate with event organisers and producers (often with less than 5 full time employees) who work in an environment constrained by resources, experience, knowledge & time. Your RM objectives go towards bridging that gap for those who have limited knowledge or appetite (in some cases) for risk management. Thanks.

    • Norman Marks
      December 11, 2017 at 3:29 PM

      Thanks, Peter

  8. December 12, 2017 at 7:00 AM

    Always a good and assertive summary. Thanks

  9. Jesus Levy
    December 15, 2017 at 11:04 AM

    Much simpler. Much better!

  10. William Castillo
    June 1, 2018 at 4:17 AM

    Very informative and interesting post related to risk management. Thank you for sharing.
