Home > Risk > Those lists of greatest risks all miss the BIG one

Those lists of greatest risks all miss the BIG one

When something goes wrong, 99.999999% of the time it’s because somebody made a poor decision (at least in hindsight).

You ask the individual responsible, “What were you thinking?”

That is quickly followed by, “You weren’t thinking, were you!”


The BIG one, the root cause of failure and the greatest source of harm to any organization and its success, is the likelihood of a wrong decision that has major ramifications.

I discussed this in World Class Risk Management and extended the discussion in Making Business Sense of Technology Risk, where I made a distinction between strategic decisions (which include setting objectives and strategies) and tactical decisions.


We should be concerned if the likelihood of poor decisions, especially but not limited to important ones, is higher than we can tolerate.


What are the root causes of poor decisions?

There are many, including:

  • Poor framing of the decision
  • The wrong people making the decision
  • Relying on information that is not complete, accurate, or up-to-date
  • Not seeking all relevant information
  • Cognitive and other bias
  • Not including others that either have relevant information or who might be affected by the decision
  • Not considering all relevant options
  • Poor identification and assessment of what might happen, both good and bad, for each option
  • Failing to understand the ramifications of the decision when it comes to the achievement of enterprise objectives
  • Putting personal or team benefits ahead of those of the organization
  • Haste
  • Delay
  • Poor communications
  • Inadequate change management
  • Politics
  • Pressure
  • Incompetence
  • ….and so many more


As you look at your own decisions, those of your team, your peers, your partners, and elsewhere across the extended enterprise, do you have reliable assurance that informed and intelligent decisions will be made?


What can and should you and others do about it?


I think there are roles for both risk and audit practitioners.


I welcome your comments.


  1. Jane Rollin
    March 1, 2019 at 5:23 PM

    Fabulous points and really clearly outlined. I once ran an internal risk group of senior managers and informally called them ‘the department of paying attention’, just because I felt the need for them to be more aware would support better decisions. I think there should be a lot more paying attention and question asking.

  2. David Beer
    March 2, 2019 at 3:46 AM

    Agree fully Norman. When reviewing fatal accidents whenever the incident was not caused by errors of the people involved it could always be traced by to a previous decision – often by Management when creating policies etc

  3. March 2, 2019 at 7:49 AM

    YESSS ! you are right. And this idea works particularly well for boards which are taking most of the transforming decisions in a company. A risk mapping should include this topic. Board structures are important, but less than processes. See https://bit.ly/2EHQxsI

  4. March 2, 2019 at 8:22 PM

    Facilitating and supporting the consistent achievement of Decision Quality, should be the primary objective of the uncertainty(risk) management process.

    [see Spetzler, C., H. Winter, and J. Meyer, (2016) Decision Quality: Value Creation from Better Business Decisions John Wiley & Sons: Hoboken, NJ]

    Uncertainty management – as a sub-set/discipline of Decision Analysis – serves to support the various elements of the Decision Quality framework and setting DQ as the primary objective for the risk management process is IMO the only way in which we can consistently and explicitly incorporate uncertainty into the decision-making process – irrespective of the “level/type” of the decision at hand.

  5. March 2, 2019 at 9:09 PM

    we cannot judge the quality of a decision by its outcome – poor decisions can have good outcomes and vice versa – it’s called luck

    decision outcomes are typically over the horizon and beyond our control – therefore, let’s focus our attention on that which matters and which we can control – the quality of our decision-making process – Decision Quality

    • March 3, 2019 at 2:12 AM

      Quinton, how do you define a ‘poor’ decision. If it is a good outcome, isn’t it a good decision? Don’t we make our own ‘luck’?
      How would you rate an MD explaining a disastrous takeover by saying, ‘Our decisions were good, we were just unlucky’?

      • March 6, 2019 at 12:59 AM

        dmgriff – I’s not that easy. The guy who wins on his lottery ticket has not made a better decision than the other guy who just lost the money he paid for his.

        Good decisions can only be judged on the basis of which they were mad, anything else is Monday morning quaterbacking.

  6. March 3, 2019 at 2:07 AM

    Norman, you mention, ‘Failing to understand the ramifications of the decision when it comes to the achievement of enterprise objectives’ but you don’t state one of the root causes of poor decision making is the failure to clarify the objectives in the first place. Without clarifying your objective(s) you can’t identify the opportunities benefiting, or risks threatening, their achievement. If you don’t identify opportunities and risks, you have another root cause of poor decision making.

    The role of audit is to ensure that proper recruiting and training is in place for all employees, relevant to their level of decision making. Thus every audit should include these in its programme.

    • Norman Marks
      March 4, 2019 at 4:32 AM

      I agree with that, except that selecting the objective is a decision. I did mention framing the decision, which should include understanding why we are making the decision and so on.

  7. Anonymous
    March 3, 2019 at 8:46 PM

    Norman, I like dmgriff question “how do you define a “poor” decision? My view is that the verdict or conclusion is an AFTER EFFECT, something happened and that decision made is now deemed poor. In a company, can the subordinates really can question the Senior Management decisions or even the BOD decisions? These are LEARNED people with vast experience. In Malaysia there was a Local Drink Manufacturer, in the early days you can find the brand in every town and village because they distribute they own products, well in place. New Management decide to save cost and remove the structure and rely on agents, immediate saving of the fixed costs and labour costs, the result the end of the dominance in the market and now merely in existence only. Hind sight poor decision!

    • Norman Marks
      March 4, 2019 at 4:30 AM

      I agree that the way to assess a decision is not by the outcome, although that might trigger the review. Instead, the assessment should be based on the way the decision was made – as described in my post (and my books). Was the right person or people involved in making the decision; was the decision based on reliable information; and so on.

  8. March 4, 2019 at 5:17 AM

    Norman, As so often before – I fully agree. There is significant value in managing risks the way we have always done. There is A LOT more value in embedding systematic and explicit risk management into decision making.

    Decision focused risk management is NOT about risk avoidance, but ALL about optimizing performance through intelligent risk taking. Using the risk management frame of one company “We make money by taking risks, and we lose money, when we do not manage the risks, we are taking”.

    • Norman Marks
      March 4, 2019 at 5:21 AM

      Hans, do you think it might be harder or easier to focus management attention on the quality of decision-making processes vs the management of risk?

      • March 6, 2019 at 1:04 AM

        Norman, I expect it to be easier as you focus on looking at and driving performance which is at the heart of decision makers – rather than looking at risks which most likely will not happen anyway.

        Some risk management, like currency hedging, insurance programs, safety measures etc. is all about managing risks. This is what Alex Sidorenko calls Risk Management 1.

        Decision focused (AS’s Risk Management 2) is NOT about managing risks, but all about intelligent risk taking.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

<span>%d</span> bloggers like this: