
An idea to help drive effective risk management

I have been thinking about how an organization can obtain assurance that risk (what might happen) is appropriately considered in decision-making.

As I have been saying for quite a while now, decision-making is where risk is taken.

We want all decision-makers to consider all the potential consequences of their decision (in fact, all the potential consequences for each option on the table) before making an informed and intelligent judgment.

We want to know that the right level of the right risks is being taken.

Looking at whether the organization’s risk appetite (a concept that frankly doesn’t work well for all sources of risk) has been exceeded is, at best, an after-the-fact control. It should not be satisfactory to management to know only after-the-fact that a poor decision was made.

So I had what might be a novel idea.

Let’s drive risk management effectiveness by improving decision-making – and let’s drive effective decision-making through the performance appraisal process!

Let everybody know that the quality of each individual’s decision-making will be a significant factor in assessing their performance; it will therefore affect their compensation and career progression.

I don’t know how many already assess decision-making as part of the performance appraisal process. I can’t remember it being a factor in the assessments I made and received over the years.

I did find one sample performance appraisal form on the Internet that we can look at. It has a section on decision-making:


The ability to make decisions and the quality and timeliness of those decisions.

  1. Exceptional decision making abilities. Decisions are made in a timely manner.
  2. Above average decision making abilities. Usually makes sound and timely decisions.
  3. Above average decision making abilities. Usually makes sound and timely decisions.
  4. Needs to improve decision making and/or timeliness of decisions.
  5. Unacceptable decisions and/or timeliness.

We can build on this.

How about something like this?


Makes timely, intelligent, and informed decisions after obtaining reliable information and consulting with others (including the risk management function) as appropriate. Considers options and their consequences. Balances the potential for reward against potential harms and other negative consequences before making significant decisions. Complies with corporate risk and other policies and guidance and stays within established risk limits.

  1. Exceptional decision making abilities. Decisions are made in a timely manner.
  2. Above average decision making abilities. Usually makes sound and timely decisions.
  3. Above average decision making abilities. Usually makes sound and timely decisions.
  4. Needs to improve decision making and/or timeliness of decisions.
  5. Unacceptable decisions and/or timeliness.

What do you think?

I welcome your comments.

  1. March 13, 2018 at 11:26 AM

    Reblogged this on Ransom Nformi and commented:
    Risks are accepted, mitigated or transferred at the point of decision-making

  2. March 13, 2018 at 12:32 PM

    Norman a good concept but how to measure fairly that is the question?

    Interesting to note that 31000 seeks Best Available information in Principle F. Often decision makers have to make do with something less than that. I think the term “optimum information” is more suitable to the real world where decisions may have to be made dynamically.

    Decision making is core to successful RM but first I would start with a series of awareness sessions before introducing measurement of the quality of decisions. Role play exercises reflecting real scenarios would be a good start for managers at least.

    One other major point is to say that good decision making is not dependent on nor should it be judged on good outcomes.

    I guess an organisation would have to be well on the RM curve before evaluating decisions but the provision of well considered constructive feedback to decision makers would be very worthwhile.

    • Norman Marks
      March 13, 2018 at 1:36 PM

      Sean, that’s a fair question. Of course, assessment by your manager is always going to be somewhat judgmental for pretty much any attribute.

      I like the idea of training with role playing. Decision-making should be a core competency and included in any management training program.

  3. March 13, 2018 at 12:54 PM

    Norman, I’m a great believer in that ‘the proof of the pudding is in the eating’. If you want to judge decision making at an individual level then I would think that their ability to achieve their objectives was the real measure. After all, if they are lousy at decision making, they won’t achieve their objectives (unless we’re wrong of course). I admit that this is a simplification and couldn’t necessarily be applied to an individual decision, but averaged out over many.

    At a corporate level, I believe all major projects should be formally approved and that the approvals presented to the board should include:
    Clear objectives of the project
    The financial case for the project, independently audited
    Other ‘soft’ benefits
    Risks threatening the achievement of the project, including financial modelling, and their management
    Opportunities benefiting the achievement of the project
    Alternative scenarios to achieve the objective and why they were rejected
    How the project is to be managed, including reporting back to the board at specified stages, monitoring of opportunities/risks, reconsideration of the alternatives if circumstances change.

    • Norman Marks
      March 13, 2018 at 1:39 PM

      David, frankly I don’t want to judge people on their good fortune. Many succeed in spite of their rushes to judgment and lack of considered thought before making a decision.

      Rather than a section on “risks”, how about one on potential consequences? That takes care both of harms and the ability to take advantage of situations. It allows the balancing of the potential for loss and gain.

  4. March 13, 2018 at 1:12 PM

    I fully agree and making the quality of decisions, rather than the lucky/unlucky result be a part will drive culture.
    Have you done what can be considered reasonable or more to identify, address and treat risks – you should be praised for that.
    Have you done nothing, even the best results should not be a source of praise.

    But – we are impacting the way execs make decisions, and want them to approve that. Delicacy must be enforced

  5. Carrie Frandsen
    March 13, 2018 at 1:17 PM

    Norman, Thanks for once again pushing the envelope on risk management expectations! Now that both ISO 31000:2018 and COSO ERM 2017 clearly link risk management with decision making, the next step is setting accountability for decision making. I like your proposed performance review ‘decision making’ criteria – it captures the latest thinking on risk-informed decision making. At my organization, Problem Solving/Decision Making is a performance review core competency, so I think this area is evolving.

  6. Jesus Levy
    March 13, 2018 at 3:55 PM

    Well, I think that would be a great step to achieve embedding risk management into everyday decision making. If managing the business with risks in mind is a concept that should be in everybody’s minds, then how they perform should be in everybody’s performance evaluations, right?

  7. belogaku
    March 13, 2018 at 4:01 PM

    Good idea Mark.
    The problem is the results of decision making depend on many other factors not related and beyond the control of decision makers. Therefore to penalise the decision maker for poor outcome of the decision may sometimes not be fair.

    • Carrie Frandsen
      March 14, 2018 at 2:16 AM

      Exactly right – so when you address the results of a decision (assuming that is ever done), you address the decision process as well.
      1) If/when risk management has been carefully done and followed through – then a bad result should not negatively affect the decision appraisal
      2) If/when risk management has been ignored, even the positive result should not positively affect the appraisal of the decision

      That said – decisions with good risk management will (I hope and expect) tend to be more successful than decisions without it. If that is not true – DROP risk management.

    • Richard Fowler
      March 14, 2018 at 5:32 AM

      How would we evaluate Thomas Edison’s decision-making performance? The story is that he failed 999 times before succeeding. Babe Ruth, the great baseball player, struck out many more times than he hit home runs. The important factor in decision making is making a decision, knowing that you are doing so with imperfect information. The true failure which should be evaluated in your performance criteria is NOT making a decision.

      • Norman Marks
        March 14, 2018 at 5:38 AM

        Richard, almost all decisions are made without even looking for information or talking and listening to others.

        That’s why we so often ask our kids, “What were you thinking? You weren’t thinking, were you!”

  8. msfedorov
    March 13, 2018 at 9:48 PM

    There are frameworks for decision quality, which include risk and uncertainty aspects. There is no need to reinvent the wheel. For example check the book https://www.amazon.com/Decision-Analysis-Professional-John-Celona/dp/0971056900 or
    https://www.amazon.com/Decision-Quality-Creation-Business-Decisions/dp/1119144671 and lots of other books on decision making.

  9. March 14, 2018 at 4:19 AM

    Thanks Norman, great article. Having been involved in several HCM projects in the past, where Performance Management is one of the key processes in the view of some companies, my opinion is that a KPI such as the one you suggest in this article would be a plus if integrated into the performance management/appraisal process.

    Of course “decision making” will have to be tied to objectives but I understand your point. Firms need better decision making and this is a crucial aspect when aiming to improve risk management effectiveness. Therefore assessing decision-making as part of the performance appraisal process in a firm can only bring benefits and up the overall thinking process, as well as cost/benefit analysis of given situations.

    We all know multiple cases where potential risks materialized into real damage due to poor, incompetent, untimely, not informed, decision-making processes.

    Thanks again.

  10. March 15, 2018 at 3:02 PM


    I’m sorry, but you are tying yourself in knots trying to assimilate current, screwed-up concepts of risk management into decision making.

    This is the false paradigm and paradox of standards like ISO 31000 that preach the virtues of an integrated approach and then advocate a process for the identification and modification of risk that is alien to normal decision making processes and the language of normal human beings.

    The only approach us ‘risky’ folks should take is to look at existing approaches to decision making and see how we can enhance them – from within – to ensure that uncertainties in assumptions that can lead to outcomes other than those desired are understood and if significant, acted upon.

    For my part I cannot see how most of the current artefacts of risk management such as lists of ‘risks’, risk registers, risk appetite statements etc. etc. can actually be used in decision making. This begs the question, of course, as to why we produce them and why regulators require them – but that discussion is for another day.

    • Norman Marks
      March 15, 2018 at 3:22 PM

      Grant, you have confused me. Are you disagreeing that we should have performance review questions on decision-making? Is the concept that we should discard the idea of managing risk and replace it with making informed decisions that take the desired amount of risk “screwed up”?

      • March 15, 2018 at 3:39 PM


        I think oversight arrangements (including Boards and Audit Committees) should probe decision making and should ask questions about how actual decisions have been made and are proposed to be made. They should enquire of the assumptions that are taken in support of particular decisions and question decision makers as to why they believe the outcomes are sufficiently certain and will support the organisation’s purpose.

        Such an approach is much more valuable than asking questions about ‘risks’ (whatever they are).

        If that’s what you mean by ‘performance review questions’ then we agree.

        However, as someone who has been in this field for a few years, I don’t understand what you mean by ‘making informed decisions that take the desired amount of risk’. That phrase does not seem to equate to the language normal humans use and the actual processes we all follow when making decisions. Sure, people bandy the risk word around all the time, but what do you really mean when you say “desired amount of risk”? This seems to be based on a fallacy – that you can somehow measure all the risk you face and compare it, somehow, to benefits.

        • Norman Marks
          March 15, 2018 at 6:53 PM

          Grant, I am talking about decision-making being assessed during the annual performance review.

          As for objectives, perhaps your experience is different from mine. I have always seen objectives or targets set by the board and management.

          As for desired level of risk, we need to recognize the reality impressed on so many organizations. Whether it’s risk appetite or risk disclosures, it’s out there and we have to live with it.

          Executives and board members understand the notion of taking risk. So I am trying to turn the discussion to that instead of managing risk.

          As for uncertainty, you and I see that term a little differently. I don’t see it as a lack of knowledge. We will always have a lack of knowledge about the future. I see uncertainty as what might happen. That is uncertain.

          So plain English is the way to go. On that we agree. I just think we have to recognize that we can’t get regulators and other stakeholders to switch over all at once. If we can change the discussion to taking risk, they will understand and risk practitioners (we need another term) can help.

          • March 15, 2018 at 7:37 PM


            Normally you and I agree, but that’s not the case here.

            In my experience, even strategic planners can’t seem to agree what is an objective.

            Also, we are not just meaning any old objectives here. The context for risk can only be the highest level objectives of the organisation – that express its purpose.

            I’m not sure directors and executives understand ‘taking risk’ at all. This confusion has been compounded by the often quoted but grossly misleading expressions ‘risk reward ratio’ or ‘balancing risk with reward’. Why can’t you maximise your return on an investment without incurring high risk? The root of this stupid expression seems to involve confusing the amplitude of volatility in price with risk.

            Most people, including ISO people (but that’s hardly authoritative) think that uncertainty is concerned with an absence of knowledge about the future.

            Just because regulators are confused should not stop us trying to do things that are sensible and which truly create value. Often we have to do things to keep regulators happy even if we know that they are a waste of time. It’s like paying taxes. With luck, the regulators will wake up eventually – unless unscrupulous consultants keep winding them up to create more business!

            I think we agree on normal language – but then why do you still assert your own interpretations of normal words? One thing we should have all learnt by now is that if we have to define a word to give it a special meaning to avoid ambiguity, then we are just ensuring that normal people won’t relate to it and, axiomatically, will be confused and will use it in an ambiguous way. That’s why I’ve given up on risk – and objectives.

    • March 16, 2018 at 2:18 AM

      I am not sure I understand your problem with systematically considering risks and opportunities in decision making. It is no different than considering the financial outcome and consequences – and I find it hard to believe that you perceive finance as an “add-on” to decision making.

      • March 16, 2018 at 6:01 PM


        I’m rather confused with your response. Organisations pursue their purpose by identifying and acting on opportunities. An opportunity is just a time or set of circumstances that makes it possible to do something. Are you suggesting somehow that these are the opposite to risks? Normal language and definitions suggest that opportunity is not the antonym of risk.

        For the life of me I can see how any normal person can practically use a list of risks (such as in a risk register) in making a decision. I can understand that they may want to appreciate the assumptions they make and the degree to which they are certain or uncertain, but this is not the same as facing decision makers with a list of risks.

        It’s even more obtuse to think that a list of risks compiled at some time in the past and not pertaining to the context of the decision being made can somehow be used to inform it.

        Just try it out for yourself. Think of a decision your organisation is facing or has just faced and reflect on how the ‘holy’ risk register organisations are required to keep was actually used or could be used. I think you will easily see my point.

        The way we currently conduct this arcane practice we call ‘risk management’ can only be an add-on to decision making. If, as we aspire it becomes truly integrated, then none of the current language and artefacts we use are relevant and useful. That includes the words risk, risks and risk management.

        • March 19, 2018 at 2:06 AM

          Whereas I am suggesting upsides and downsides are considered in decision making, i.e. embedded in the preparation made for the decision (often a Business Case) – I do not expect this to lead to a risk register and all that – but rather a Monte Carlo modelling of the potential outcomes, based on which decisions can be made – implementing intelligent risk taking.

          Being too “busy” to think things through, and making decisions based on “top of mind” and “gut feeling” is surely inadequate in a competitive world.

  11. belogaku
    March 17, 2018 at 7:01 AM

    Mark’s idea is not new to me. Many banks I know practise this. Performance metric “percentage of accounts that turned non performing after say 2 years of approval” is an example. Everyone involved in the decision making i.e. proposing, recommending and approving of financing application carries this KPI.

    • Norman Marks
      March 17, 2018 at 7:05 AM

      Perhaps I am not clear. I am not talking about using metrics in performance appraisals. That is something different. I am talking about assessing decision-making as a general category, not specific decisions like credit approvals.
