
Stop managing and start taking risk

December 9, 2018

Don’t do that, the risk is too high!

You need to spend more money on cyber/fraud prevention/anti-money laundering/(fill in the blank) because there is a high risk of something really bad happening.

You can’t announce the new product/roll out the new system because it’s not ready. We haven’t fixed all the bugs.


The people who shout these warnings are focused on risk. If they see it as high, they see red. STOP signs. DANGER!



But, what about the people who are trying to get something done?

Do they see prudent, business-oriented people, or do they see the boy who cried wolf (from Aesop’s fable) or Chicken Little calling out that the sky is falling?

Do they see people who are helping them or getting in the way of running the business?


In a recent RiskMinds video (thank you for sharing, Alexei Sidorenko) Nassim Nicholas Taleb, who is famous for talking about black swans, tells us that there should be no risk management and we should be studying risk taking.

In fact, in his Amazon bio, he says he “spent two decades as a risk taker before becoming a full-time essayist and scholar focusing on practical and philosophical problems with chance, luck, and probability”.

I couldn’t agree more.

Focusing on avoiding hazards (things that might go wrong) is a recipe for failure. You only succeed in life and in business by taking the right level of the right risks.

It all comes down to helping leaders make informed and intelligent decisions. Informed means having the best information you can about what might happen, both good and bad, on your way to achieving your objectives – whether your objective is to grow revenue or lose weight. Intelligent means involving the right people, considering your options, leaving your biases behind (see here), and taking the time to think things through.


Taleb is asked what he sees as the greatest risk. His answer (in my translation) is that when you are not taking risk intelligently (and that can mean steaming ahead through the shoals when the need requires) you are putting your future and its success ‘at risk’.


Unfortunately, most practitioners see their job as requiring them to call out that the sky is going to fall if we don’t delay/spend money/change our practices/etc.

A list of risks is not a list of ingredients for success.


What emphasizes the scale of the problem is that the interviewer doesn’t understand what he is saying. She doesn’t hear the point that we shouldn’t be making a list of risks but enabling better risk-taking. Instead, she wants his help to prioritize her list of risks.


In Risk Management, a recent article purports to guide information security practitioners on how to assess and manage the security of information. But nothing is said about understanding how a security incident could affect the business and the achievement of its objectives.

The author is managing data security risk, not helping people take the right level of cyber risk.

By the way, the only way you can eliminate cyber risk is by closing the business (and it’s questionable whether it is totally eliminated even then). The question for business leaders is how much cyber risk should they take; or, putting it another way, how much should they be spending on cyber defense, detection, and response?

These are business decisions, not risk decisions.


There are too many articles, frameworks, and standards that focus on managing risk, and not nearly enough discussion on taking the right risk (after weighing the consequences) through informed and intelligent decisions.


What do you think?

  1. December 10, 2018 at 1:19 AM

    Hi Norman,

    I could not possibly agree more. Risk management is not about managing risks – but about managing/optimizing performance. Risk adversity needs to be replaced with intelligent risk taking, a concept I have advocated for some time now.

    To quote racing icon Mario Andretti “If everything is under control, you are moving too slow” – which is true for business as well.

  2. Gregory Sosbee
    December 10, 2018 at 5:35 AM

    You are correct, Norman, but the issue is deeper than just the risk manager. As was pointed out in the 1998 Oxford Study, the purchase of insurance and derivatives are better classified as “Management Protections” rather than Shareholder Value protections. Protecting personal income (including bonuses) is Human Nature, but all too often gets in the way of “the greater good of the Owner(s)”. Having the Board/Owner(s) set the organizational risk profile as the first step in an effective ERM Program hopefully will avoid much of this “me first” attitude by Management.

    Yes, risk managers need to step up and provide risk profile information for critical organizational strategic (and some tactical) decisions. However, Management also has to change their view of risk.

    • Norman Marks
      December 10, 2018 at 7:08 AM

      I would phrase this differently, Greg. The risk manager needs to understand the decisions that will be made and provide the information the decision-makers need. It’s not a risk profile, but information on what might happen under each option.

  3. December 11, 2018 at 12:12 AM

    We keep talking in semantics but fail to implement. You can talk about ‘informed’, but there are a number of studies and articles that show that in most cases either not all information that should be present actually is, or people are so biased that they don’t take the right decision even when sufficiently informed. That’s when checks and balances and controls enter the playing field.
    When introducing stakeholders and looking at performance, this becomes even more complex. The Anglo-Saxon world is more focused on the short term and shareholders. The Rheinland model more on the long term and other stakeholders as well.
    You can cut wages and increase profit for shareholders, but history shows that it will finally lead to social disruptions.

    • Norman Marks
      December 11, 2018 at 6:24 AM

      The first step is to recognize we have a problem. As you infer, there is insufficient acknowledgement that current practices don’t lead to success. We all need to speak out and influence as many as we can.

  4. December 14, 2018 at 9:10 AM

    Hello Norman. How can I get in touch with you? I came across your article from 2009 on “Can the CAE Be the Chief Risk Officer (CRO), or Report to the CRO?”. I’m facing this issue at the moment and would like to seek your advice on the matter. Just to share, I am the head of internal audit for a statutory body.

  5. Anonymous
    January 25, 2019 at 11:11 AM

    Rightly said that you only succeed in life and in business by taking the right level of the right risks.

  6. Sohail Gulamhusein
    January 25, 2019 at 11:26 AM

    Agree that risk taking should be studied and the right level of the right risks need to be taken in order to succeed in life and in business.
