
It’s not about risk management

February 3, 2018

I have said many times that it’s not about managing risks: it’s about managing the achievement of objectives.

It’s about being successful.

Success is measured through the achievement of specified objectives.

We improve the likelihood and extent of success if we understand what might happen, both good and bad, as we strive to achieve our objectives.

The “what might happen” is risk, but the focus should not be on managing risks one at a time; it should be on being successful – taking the right level of the right risks.

The CRO (or equivalent) should be concerned with helping leadership run the organization and achieve its objectives, rather than helping them manage a list of risks.


Let me explain what I mean with a hypothetical story.


The executive team has come to the point in their monthly meeting where they review the report of the Chief Risk Officer.

The CEO invites the CRO to join them.

CRO: “Here is my monthly risk report. As you can see, every risk, whether strategic, operational, technology, or other, remains within our defined risk appetite. While the level of a few individual risk areas has increased, they have not escalated to merit a ‘high’ risk rating. We are continuing to monitor them.”

CEO: “Thank you. Do any of you have any comments or questions?”

CIO: “Yes, I do. I see that you are reporting that cyber risk has increased, although it remains at a yellow rating, which I believe indicates that it needs to be monitored but no additional actions are required. Can you tell me why you see the risk level increasing?”

CRO: “Certainly. The Chief Information Officer’s assessment is that opening our new office in Poland increases the risk level. It’s not only that we now have additional network points that may be vulnerable, but as I understand it crime groups from the region may choose us as a target.”

CIO: “Thank you. The CISO had discussed that with me and we had come to that same conclusion. But you also show IT systems risk as increasing. Is that because we are adapting our systems so they can support additional languages such as Polish and currencies such as the zloty?”

CRO: “That is correct. I think that is what you and I agreed last week.”

CIO: “It is.”

He is interrupted just as he is about to ask another question.

COO: “You show supply chain risk as increasing. I agree with that assessment. Is it because there may be disruption in our supply of products to the new market in Poland?”

CRO: “That is correct. The VP of Supply and Logistics is concerned about transportation during winter as well as the possibility of rail strikes.”

EVP Sales: “You know, I am also concerned about Poland. You show revenue-related risks, including credit risk, as within tolerance. But I only see the likelihood of hitting our first year targets for Poland as 85%. I don’t think that’s as OK as your report indicates.”

CRO: “But when we met, you said that the overall risk to revenue was not high yet and the CFO said the same about credit risk.”

CEO: “Am I missing something here? It sounds like your risk report tells us about enterprise-level risk in a number of categories, but doesn’t help us with specific programs and projects. Is that right?”

CRO: “Well I am following the global risk framework and what our consultants told us when we set the program up. This is their recommended report format, with a heat map on the second page. I would be happy to give you a separate report on Poland-related risks.”

The CEO is clearly disturbed and asks the CRO to step out. He then continues.

CEO: “Clearly the Poland project is increasing our risk in a number of areas. Do we need to have the CRO run a separate report or should we talk about it now, without him?”

COO: “Poland is my project. I would like everybody involved to stay after the meeting. Let’s talk about whether the prospects for Poland justify taking these risks. If we are going to potentially miss our revenue targets and, at the same time, increase risks around credit, cyber, and so on, perhaps we should reconsider.”

CEO: “Good idea. But I want to be part of this discussion as we have made this a key part of our strategy, with Poland being just the first step into Eastern Europe, in our discussions with the analysts and investors. In fact, it is possible that after considering what we now know we may want to delay or move into Croatia first. Let’s finish the rest of the agenda and then continue. Can everybody stay a little longer?”

The meeting continues without the CRO.


My point: it’s not about managing risks, even at the enterprise level.

It’s about managing the organization to deliver success: making informed decisions.


The most effective risk management involves quality risk-informed decisions when the CRO is not present.


How would you advise the executive team? What would you suggest to the CRO?


I welcome your comments and observations.

  1. February 3, 2018 at 9:29 AM

    Reblogged this on RISK-ACADEMY Blog and commented:
    Excellent blog post from Norman Marks

  2. February 3, 2018 at 9:35 AM

    Good example, Norman. I’d go back in time. The proposal for a European operation, of which the Polish office is to be the first part, should have been a formal proposal to the board. This should have contained: financial modelling showing those risks most likely to affect profitability, scenario planning such as strikes, risks affecting the whole enterprise and their management and alternatives such as opening in Croatia first (and the advantages/disadvantages of each alternative).
    My advice to the executive team? Make sure your project approval is sound, and then monitor how the factors in it change over time.
    My advice to the CRO? Check every proposal to the board to ensure all the information required to make a decision is present, advise the board if it is not and monitor how the proposal affects the ongoing business as it is implemented.

    • Norman Marks
      February 3, 2018 at 9:43 AM

      Absolutely right. However, new risks can emerge that were not considered when the strategy was developed (an omission in COSO ERM 2017) and the upside potential can also change. Further, perhaps the Croatia option has improved and nobody was looking.

      We had a situation (I think I covered it in my book) where we decided to build a new unit in our Bayway refinery. An excellent job was done to consider all the things that might happen, including downside and upside, in designing the unit. However, 6 months in the prices for the different product streams changed and nobody realized that we should change the design (and there was still time) to profit from the change.

      • February 3, 2018 at 11:21 AM

        Your reply shows the importance of monitoring a project, and its impact, until it is considered complete. Emerging risks and improved options should come into this monitoring. Why was ‘nobody looking’? I would suggest that on a project like the one you have outlined, the project team, including the CRO, should meet monthly to look at the status of risks and whether assumptions made in the initial proposal have changed.

        • Norman Marks
          February 3, 2018 at 11:30 AM

          I agree entirely.

          It’s interesting how something happening in one place can affect another. We had a situation (a different one) where a major project was steaming ahead without thinking that there might be trouble brewing. The economy was faltering and so was cash flow. Fortunately, the project was able to have a soft stop.

          This all illustrates, as you also say, that simply monitoring risks is insufficient.

          It is also insufficient to monitor risks and tie them to objectives.

          You need to monitor objectives, plans, programs, strategies and so on – and how things might be changing.

  3. Nik
    February 3, 2018 at 10:01 AM

    I long struggled with the idea of an organisation wishing to “take more risk”—it sounds like a bad thing, so why would they wish for it? So I drew out some diagrams of probability density functions and inferred that the reason an organisation might desire to take more risk is because the same action that increases the chance of a more negative outcome is also the one that increases the chance of a more positive outcome. (And it decreases the chance of a more middling outcome.) This may be incredibly obvious, but for reference my thinking is here, and was prompted by another article on these pages: https://niksilver.com/2017/10/24/take-more-risk/

    When this board says there is increased risk in cyber or supply chain or whatever they associate “risk” with “bad thing” (which is only natural). It’s only near the end that the CEO reminds them that the Poland venture also has a potential upside which wouldn’t otherwise be available to them. The question is whether they are willing to accept these particular downsides if it also increases the chance of greater upsides. Again, that may be incredibly obvious, but the board members clearly needed to be reminded of it, otherwise they’d just worry about the individual dangers in their own areas without looking at the whole picture.

    Here are a couple of further points which I’d like to think are helpful to their discussion.

    First of all, there is a mismatch between the potential negatives they’re worrying about and the potential positive they needed reminding of. All the negatives are individual, localised worries: there may be a cyber attack, the supply chain might get disrupted, etc. But the positive is an organisation-, system-level one: they may establish a new and profitable line of business in a new market. Localised bad things might happen, but the overall system may be resilient enough that the venture is a net success. Worrying about the details may be a distraction at this (board) level. A bit like worrying about cracks in the paint of a painting, and forgetting that you’re looking at the Mona Lisa.

    Second of all, targets schmargets. I assume the targets are short term aspirations of profits or customers or similar, but even if those short term aspirations aren’t met it may be that the organisation still gains enough traction to establish itself well in Eastern Europe. It might take longer, but it may be worth it. The targets feel like another distraction when it comes to deciding whether or not to press ahead with the venture.

    (Well, you did ask…)

    • Norman Marks
      February 3, 2018 at 10:04 AM

      What would you guys advise the leadership team and CRO?

      • Nik
        February 3, 2018 at 10:14 AM

        Oh dear, did I not answer the question?

        I would advise (a) playing down the revenue targets, because there is a bigger benefit at stake here, (b) for each board member to individually find ways, where possible, to reduce the likelihood of a negative outcome in their own areas that were identified by the CRO (because that’s just the responsible thing to do), (c) collectively look at the big picture, and decide whether the organisation-level potential negatives balance the organisation-level potential positives (i.e. do they like the shape of the probability distribution of potential profit?), and (d) ask if there are system-level actions they can take to increase the chance of positives without introducing undesirable potential negatives.

        Hope that’s better.

        • Norman Marks
          February 3, 2018 at 11:32 AM


          Should they “reduce the likelihood of a negative outcome in their own areas that were identified by the CRO” when the negative outcome is more than compensated for by high potential rewards?

          I would prefer the executive team to focus on the likelihood of achieving objectives rather than monitor and address risks out of context.

  4. Evgeny
    February 3, 2018 at 10:54 AM

    It has been called for ages as Management. What sense in statement “risk management is not about managing risk”? Or, that scenario planning is a risk management tool? (Of course, it is, but it has been used for ages in planning, budgeting, financial modelling that are simply parts of good management).

  5. February 3, 2018 at 10:59 AM

    I would advise the CRO to tie the risks that he has identified to how they impact the higher level objectives that this audience cares about and then provide context against those objectives. Prior to this meeting, the CRO should have completed the analysis with the leadership that owns the risk that includes recommendations to manage in light of the organizational objective that it impacts. That might keep the CRO at the table.

    • Norman Marks
      February 3, 2018 at 11:33 AM

      If you start with risks and tie them to objectives:
      1. How do you know you have included, as part of your assessment of the objective, all the potential things that might happen?
      2. How do you aggregate the multiple risks that might affect an objective?

      • February 3, 2018 at 11:43 AM

        In this case, I’m retrofitting to this example.

        I would normally start with objectives.

        • Norman Marks
          February 3, 2018 at 11:44 AM


  6. February 3, 2018 at 2:40 PM

    All the above discussion seems to show is how redundant now are the terms ‘risk’ and ‘risk management’. We can’t even agree what they mean! And most ‘normal’ people don’t understand them either and struggle to see their relevance to their day to day lives.

    If risk management is as powerful and valuable as we have always claimed why, after all these years of having standards and code and reading books, do most organisations fail to achieve a good, integrated approach to managing risk. Could it just be that the people running organisations think that it’s all poppycock: complex word soup of terms and concepts even the experts can’t agree on? A process that in most organisations is relegated to a tedious, once-a-year activity to produce a register of information that most people never look at again.

    Maybe it’s about time to admit the emperor has no clothes?

    It seems to me that what normal people want to do, is obtain enough certainty that when they make a decision, the outcomes will be what they desire and that these outcomes will support and not detract from their organisation’s purpose. That’s it, quite simply!

    Now the real test is, does your ‘risk management process’ (or whatever label you want to put on it) do that every day, everywhere? And does it do that without confusing people and wasting their time on whacky concepts and confections that have no relevance in helping them make sufficiently certain decisions – and then ensuring that the assumptions on which they are based remain valid.

    I’d like to bet that 99.99% of what we call ‘risk management’ does not do that, or if it does, no normal person who makes decisions sees it like that.

    Time to move on chaps!

  7. Kaya Kwinana
    February 3, 2018 at 6:44 PM

    The CRO must either resign or commit to learning and understanding risk management rather than relying on hearsay or doing what others are doing.

    The CEO must either resign or invite the CRO for advice on how to establish adequate and effective risk management in the company.

    Intrinsic in risk management is the notion of individual, not committee, responsibility – a swear word to most C-Suites.

    Risks are addressed at the level at which they arise. The process owner’s boss determines the risk treatment strategy for each risk identified by the process owner. The process owner develops controls in line with the applicable risk treatment strategy and gets the approval of his/her boss before implementing them.

    The rest of the executive team must hang their heads in shame. Management must manage, even before told how to. Risk management is management in the sense that it requires deliberate action to be taken to achieve organisational objectives. Regular reporting to the appropriate person is part of the deliberate action required if timely action is to be taken if things do not go as well as expected. In this case, COO to CEO.

    The CRO report should have been met by the CEO saying, “Yes, I know. I have already communicated the risk treatment strategy to the COO, approved the controls the COO put in place and the ongoing monitoring reports indicate the residual risk related to the project is now acceptable.”

    The concept of risk includes opportunities and threats. Objectives will normally have both opportunities and threats. One wants to reduce risk attendant to threats and increase it for opportunities, the limit for each particular risk being what the process owner’s boss deems is acceptable risk to the company – the misunderstood concept of risk appetite.

    In short, an increase or decrease in risk taken by an organisation is only appropriate after due consideration of whether the risk is an opportunity or threat, inherent risk, and the risk appetite.

    • February 3, 2018 at 7:09 PM


      Your post exemplifies what I’ve said above. Who in the real world will understand what you’ve said? Certainly not most of the CEO’s I’ve dealt with.

      Your last paragraph will tie most normal humans in knots – and many in the risk management profession (and I use that term very advisably) would disagree with all the concepts you throw in and how you use them. Just for one thing, risk is risk – it’s not a threat or an opportunity. Threats may be risk sources, but opportunity is not the antonym of threat. An opportunity is just a set of circumstances that makes it possible for you to do something – if you wish. Only later will we find out if the outcomes were advantageous or not.

      Also, don’t start me on the crazy, meaningless concept of risk appetite!

      However, the point I’m trying to make is that this liturgy of terms and concepts the risk management profession has dreamt up is largely irrelevant to most people. None of this seems remotely useful to them when they want help to make sufficiently-certain decisions. Indeed, those of us in the profession can’t even agree on what the various terms like ‘risk’ mean.

      Normal people don’t see the need to ‘manage risk’, let alone think about inherent risk, risk appetite, risk treatment, residual risk etc. When we use this language their heads spin and they glaze over.

      We are becoming a secret, religious society with its own language and icons, that increasingly isolates itself from the rest of mankind. We may feel we are creating value by intoning the secret phrases and going through our rituals, but the rest of the world just thinks we are nuts.

      • Norman Marks
        February 3, 2018 at 7:21 PM


      • msfedorov
        February 3, 2018 at 8:37 PM

        I do agree. The CRO should not be making risk reports to the board and being sent out when the real discussion begins. That is a weird situation. In this case this person is not a CRO but some middle manager allowed into the board meeting.
        Being a CRO (or real risk manager), to my mind, is helping others make the right decisions and see better through uncertainties in the business. And at least operate with the terms the business understands and uses.

        • Norman Marks
          February 7, 2018 at 7:12 AM

          That is a major part of my point: that the CRO has the title but not the intent or capability to do the job the way it should be done

      • February 4, 2018 at 9:33 AM

        Grant, I agree with you, in part! There is a tendency to surround risk management in jargon that people don’t understand. However, companies in the UK have got to report on their ‘principal risks’, so they don’t have the luxury of forgetting the ‘secret society’. Nor do internal audit, who have to report on the management of these risks.
        An understanding of risks in an organisation is good. I’ve attended risk workshops where the attendees have really appreciated the additional perspective it has given them. Risks are part of our every day life, as is risk appetite. For example: my objective is to get to the other side of this busy road. I may get hit by a car. I’ll look carefully before crossing. Does that sufficiently reduce the risk when I am pushing a baby in a pram? No, so I will cross at a controlled crossing.
        It ain’t rocket science, it’s just been made that to justify high priest’s salaries.

      • Kaya Kwinana
        February 6, 2018 at 7:55 PM


        Terminology can be a help or hindrance, even within the profession. Its use is always dependent on the target audience. My target audience was risk managers, not “normal people” which by your admission you are not.

        The terminology helps with brevity. What you referred to as “A process that in most organisations is relegated to a tedious, once-a-year activity to produce a register of information that most people never look at again” is an annual risk assessment, a clear indication of inadequate and ineffective risk management.

        Everyone knows what you mean when you use the term “risk assessment”, even though it has 3 meanings:

        1. inherent risk assessment per COSO 2004, (I am not a fan of COSO 2017)
        2. objective setting, risk identification, inherent risk assessment and risk response per COSO 2013 and
        3. the whole process of compiling/completing risk register records, from control/internal environment to monitoring (using the COSO models).

        It would be easier for the “normal people” to google “risk assessment” than your description. They should be encouraged to do so that they are not solely dependent on one point of view. The terminology enables them to broaden their understanding through access to different perspectives.

        The lack of unanimity is not as catastrophic as you make it out to be and certainly does mean that all that is not agreed about is wrong. You are entitled to your opinion regarding risk appetite. I feel the same about many of the explanations thereof and of other concepts. In time you will appreciate that the fundamental purpose of risk appetite is to help determine the appropriate risk treatment strategy for each risk.

        As a CRO, I would be ashamed of publicising the fact that CEOs I have worked with, would not understand what is meant by “inherent risk, risk appetite, risk treatment, residual risk etc.” That would be like gloating at my failure as a CRO.

        The first conversation a CRO should have with a CEO, whoever of them is new in the organisation, is regarding the risk management system in place in the organisation. If the CRO is new, the language used by the CEO gives an indication of the CEOs grasp of risk management concepts. If the CEO is new, the CRO will pitch the communication at the appropriate level by checking understanding of whatever technical terms he/she uses, toning them down if necessary.

        The CRO’s job is to help the CEO establish adequate and effective risk management and then the organisation on how to implement the established system of risk management.

        Norman’s example is about crisis management, fighting fires. Adequate and effective risk management would have seen to it that the CRO’s report is the way the CEO wants it to be in terms of presentation and what it addresses, rather than have that discussion when it is presented.

        I see a hustler when a supposed professional eschews the use of “jargon” when talking to other professionals. Certainly, as a CEO I would be unhappy with a CRO who says “risk is risk”, when explaining the concept of risk.

        • Norman Marks
          February 7, 2018 at 7:14 AM

          My story is not crisis management. It is management, pure and simple.

          The CRO should not be a tame follower of the CEO. He or she should provide leadership with the information they need when they need it. the CEO doesn’t always know in advance what is needed.

          • Kaya Kwinana
            February 7, 2018 at 10:15 PM

            Risk management is anticipatory while crisis management is reactionary.

            “(T)he CEO doesn’t always know in advance what is needed.”

            On the simple issue of reporting, surely you are not suggesting that the CEO and the CRO could not have agreed on the content and format of the reporting expected from the CRO?

            The CEO in your example clearly had different expectations to those of the CRO – “It sounds like your risk report tells us about enterprise-level risk in a number of categories, but doesn’t help us with specific programs and projects.”

            That is an objective setting issue per COSO 2004.

            Does the CEO have a system whereby when an objective is set, governance, compliance, timing, performance, ICT, fraud and reporting expectations, at least, are specified and considered?

            If not, when will they be specified and considered? After the fact?

      • Kaya Kwinana
        February 7, 2018 at 4:55 AM

        One should, of course, start by explaining new concepts to someone who is not expected to know them and thereafter provide the technical name for that concept, so that one does not have to use a long-winded explanation of the concept one is about all the time.

        A name is given to a known concept. Doing it the other way round is, of course, not helpful and can be counter-productive.

        The term “risk” is itself a technical term in risk management – “jargon” you might say – whether one agrees with its definition or not.

        When one attributes an ordinary usage sense to the term “risk”, in a risk management setting, then misunderstandings result and they are not solved by saying no technical words should be used, because the technical terms are ordinary words which are given specific meaning in a risk management setting.

      • ds
        February 8, 2018 at 10:11 AM

        I’d argue that the problem is different than becoming a secret society. I think there are professions where the concepts of risk very much make sense and everyone knows that management of risk is necessary and valuable. Banking and finance, large scale construction, mining, oil and gas exploration and extraction, etc.

        Where I think risk management went off the rails is when someone decided that everyone should benefit from the same rigor and discipline and so risk management professionals (or more properly risk management copy cats) started popping up in every industry, trying to make a case that they are relevant when in fact they don’t even understand the profession in the first place.

  8. joe
    February 3, 2018 at 8:32 PM

    Great blog, Norman. It is human nature to have silos. Very few CROs can have enough time or resources to really get into the kind of level of business insights a country or org manager can have.

    The scenario you described doesn’t include risk treatment, which should’ve been tied to executives’ pay and bonuses.

    Also, I believe Risk Management’s biggest impact to a business is risk awareness. This assumes the HR department did the right things and hired the right people. What I see more often is people are hiring their friends and families and then you know what happens.

  9. Norman Marks
    February 4, 2018 at 6:43 AM

    Re the CRO and his (or her) being sent out of the meeting.

    Let’s examine the facts.
    1. The CRO provided the executive leadership with a list of risks
    2. The CRO did not pay attention to the fact that risk levels were rising in a number of areas because of the Poland project
    3. The CRO was in a great position to see that there should be a cross-functional discussion about the Poland project and what was happening. Was it still the right thing to do?
    4. The CRO clearly does not have the confidence of the executive team. They don’t understand why he knew about all the Poland-related risks and yet had not said anything about it to the executive team. Instead he said everything continued to be fine

    The CRO has the title.

    Is he (or she) acting as an effective CRO?

  10. Bogdan Dragomir
    February 4, 2018 at 1:08 PM

    hmmm, while not completely off it seems there is a fundamental flaw in your understanding. Risk is a condition that can have positive or negative effects on organization objectives. Managing the organization ABILITY to achieve its objectives entails managing risks. What you might want to consider is managing risks to create competitive advantage through negative risk conversion into an opportunity at that point you can say your risk management is as mature as it can get.

    • Norman Marks
      February 4, 2018 at 1:35 PM

      Surely, its about understanding what might happen (both good and bad) and making informed decisions.

      Sometimes you need to accept (or take) a risk (possible harm) because there is a greater possibility of reward.

      It’s not always about mitigating or converting the negative possibilities. Sometimes it is about increasing the positive – and that may be totally separate from the negative.

      In this example, the CRO is risk-centric. The executive team are objective-centric.

      Good business decisions are needed.

      In this case, the viability of the Poland option appears to be decreasing but that will require consideration of all the possibilities – including what can be done to increase the upside.

      What the discussion so far has not covered is whether the potential events causing concern for Poland will also apply to Croatia.

  11. February 5, 2018 at 11:32 AM

    Hi Norman, your blog is nicely aligned with our IFAC thought paper From Bolt-on to Built-in Managing Risk as an Integral Part of Managing an Organization (May 2015), which positions risk management and internal control as it was originally intended—as a highly relevant and useful process for decision and execution support, and as a process that boards and management naturally use to ensure their organization makes the best decisions and achieves its objectives.

    In the final chapter of this paper we present a model that demonstrates how risk can be managed as an integral part of managing an organization: not by requiring people to jump through the hoops of the risk management process (which they hate anyway) but, instead, to instill good risk management considerations in their own planning and control cycle. After all, nobody wakes up in the morning with the intention to “manage risks.” Instead, people want to get their job done and achieve their objectives.

    The paper concludes: “The most important feature of this model is the almost total invisibility of risk management and internal control terminology, as risk is managed as an integral part of managing the organization. This also corresponds with the main objective of an organization, which is not to effectively manage risk, nor to have effective controls but to ensure that it makes the best decisions and achieves its objectives.”

    Sounds familiar, doesn’t it?


    You can retrieve the paper, for personal use free-of-charge, via the following link: https://www.ifac.org/news-events/2015-05/new-thought-paper-released-ifac-tears-down-risk-management-silo

  12. February 6, 2018 at 1:33 AM

    Excellent post Norman, thank you very much.

  13. Ravindra Tiwari
    February 6, 2018 at 5:34 PM

    Dear Norman,

    Excellent post !!

    One thought which comes to my mind, although I might be wrong.

    I think the risk assessment exercise was not a comprehensive/correct one and, as you rightly suggested, it should be done based on objectives.

    As per my experience risk assessment should be done at few levels. It should be done at individual unit/branch level, Head of Department or executive leadership level and also finally with CEO level. At each level single point of contact (SPOC) or in-charge person should join with team member from risk department. Risk department should work as facilitators to identify risk based on objective listed by SPOC/in-charge person.

    I think here risk assessment exercise was not done in correct way at Head of Department or executive leadership level or CEO level. In case it would have been done in proper way then enterprise level comprehensive risks for Poland market would have come into consideration, as I am sure department heads/CEO might have mentioned their objectives for entering Poland market and what could bad happen in that case.

    I hope this makes sense.

    And also your article is great at explaining the approach to risk management (i.e. by objectives) and helped me a lot to enhance my awareness. I tweeted this on my Twitter account @auditguide2077 just to educate others.

    Ravindra Tiwari
    Founder CEO Iunique.org
    iunique.org coming soon with a mission to spread knowledge of best practices on audit and risk management

    • Norman Marks
      February 7, 2018 at 7:16 AM

      Thank you, Ravindra. Perhaps we should stop talking about risk assessment! It’s about understanding what might happen and how that might affect the achievement of objectives. You don’t succeed in life if you only worry about what might go wrong.

  14. Ayse Nordal
    February 7, 2018 at 6:24 AM

    There are several elements in this scenario which reveal weaknesses of the company’s risk management:
    A) It is unacceptable that the CRO does not take the developments in the internal and external context into account, in accordance with ISO 31000: 2009 2.10 and 2.11 or COSO: 2017 Principle 6. The company’s risk management is not an iterative and dynamic process which is responsive to change.
    B) It is unacceptable that the CRO responds to critical feedback by saying that “he is following the risk framework and what the consultants told him”. Who is the risk manager here?
    C) It is unacceptable that the CRO is sent out and he is not involved in decision making.
    D) It is unacceptable that the CRO did not try to present the group a deeper analysis of the situation, for instance “a root-cause analysis” to be able to give a better picture of the

    I would like to see an analysis of the company’s risk maturity. Where do you think they would end up?

    Excellent example Norman !

    • Norman Marks
      February 7, 2018 at 7:18 AM

      Thank you, Ayse. Management can be quite effective in managing what might happen (risk) without a CRO. In this example, I am not persuaded the CRO is value-add.

  15. Roger
    February 9, 2018 at 4:23 PM

    An excellent scenario, as proven by the interesting responses.

    It shows where we end up if we wrongly imagine ‘risk’ as a toxic by-product, rather than as uncertainty of outcomes. That wrong image for risk is also behind the existence of a CRO who is just another voice in the boardroom. The proper role for a CRO, if there is one, is to ensure that the other C-levels properly understand the spread of uncertain outcomes implied by their choices. That clearly hasn’t been the goal – Norman Marks put it neatly as the lack of ‘intent or capability’ to do that.

    The risk representation methods followed (not chosen) by the scenario CRO are inadequate in that
    (a) they don’t recognise the potential for (uncertain) benefits from expanding into Poland, reflecting a profit or other strategic objective
    (b) they don’t provide a comparative view of risk-based prospects with and without the Poland expansion.

    Using red/yellow/green to represent risk ‘levels’ is never helpful for making decisions, and it is misleading in its very conception. It is based on the same faulty idea of risk as a toxic by-product. Norman Marks and Grant Purdy (among others) make a good point that the very idea of ‘risk management’ (separate from management) is based on the same faulty image of risk.

  16. Sophia Caporicci
    March 9, 2018 at 1:51 PM

    Hi! Excellent blog, and I would like to share this with my coworkers but I would need to have it translated. Would that be ok?

    • Norman Marks
      March 9, 2018 at 2:02 PM

      Certainly ok

  17. dragica grbavac
    March 13, 2018 at 4:24 AM

    I think it is a grave error to exclude the CRO from the conversation at the big table.
    Our experience indicates the highest level of integration, results and understanding when everyone owns their risks and the CRO advises on key decision points.

  18. October 9, 2018 at 7:42 AM

    Hi, thanks for the information.

  19. Hennie
    May 1, 2019 at 5:55 PM

    Been going through old blogs 🙂

    Here’s a controversial thought: What if, in years to come, the CRO is not a traditional 2nd LoD “risk manager” anymore, but gets re-branded (and re-hired) as “Head of Risk & Performance”… Or simply: Chief Performance Officer – although one could argue that’s the CEO! 🙂

    I.e. If we’re not managing performance and progress against strategy first, then we’re making “risk management” into an industry of its own (red alert!). Although, if risk is inherent in trying to run businesses and achieve strategy, what I really want from my Head of Risk and Performance is someone that can use the right amount of analytics and mathematics to give me insight into how I can perform better, where I’m not performing as expected, where I’m likely to miss the mark (and not achieve strategy). If he does that first – gives me insight into performance management (by using the right modelling and analytical tools), he’s automatically helping me manage the risk of not doing so.


    • Norman Marks
      May 2, 2019 at 7:02 AM

      Hennie, I think you are on the right track. One reader saw my blogs about eliminating the word Risk and changed his function to something like Decision Support. Without the 4-letter word and its negative connotation, he was able to get much more of a welcome from operational management and help them make informed and intelligent decisions to take the right risks.

