Home > Risk > Decision-making and the practitioner

Decision-making and the practitioner

McKinsey has shared three articles with insights into effective decision-making.

It is not surprising that McKinsey’s surveys of executives found widespread dissatisfaction with both the quality and speed of decision-making. Yet, in today’s world it is essential to make informed and intelligent decisions without unnecessary delay.

The articles are:

What may surprise you is that McKinsey doesn’t talk about either risk or the quality of information!

There’s a great opportunity for risk and audit practitioners.

If the success of your organization hinges on the quality of decision-making (and it does), then what are you doing to ensure it is as good as it can be?

Surely, effective decisions at the speed of the business (and of risk) require:

  • Insight that is reliable and timely on what might happen and how it might affect the achievement of objectives
  • Quality information on the current state
  • An understanding of the enterprise goals and objectives
  • Guidance on which risks should be taken and by whom (for example, desired rate of return; delegation of authorities; risk criteria; how to assess the net effect of what might happen, considering both the upside and downside; processes to include everybody who needs to be involved in the decision; and, how to overcome cognitive and other bias)

The risk practitioner should:

  • Help provide quality and timely information on what might happen, addressing all significant potential effects on objectives (both good and bad)
  • Make sure decision-makers know when there are issues with the quality of the information
  • Use their tools to help decision-makers evaluate and select from available options

The audit practitioner should:

  • Provide assurance on all of the above
  • Share their advice and insight on how to improve decision-making, both its quality and speed

What do you think?

  1. Grant Purdy
    May 15, 2019 at 4:41 PM


    I’m afraid I have to disagree with you. While I’m no supporter of the way McKinsey talks about the black art of risk management, when I read the articles you’ve highlighted I see much evidence that they are suggesting that decisions should be supported by a proper process that appreciate uncertainties in context when compared with an organisation’s purpose. This, after all, is the true role of that whacky witchcraft some people call risk management.

    They even use the word risk’ – ‘though in several, different ways!

    The points that McKinsey make (and I most admit they are not clear because of the normal McKinsey jargon overload) is that:
    – decision makers need to hold conversations when decisions are to be made;
    – decisions should be framed in terms of the opportunities presented and the organisation’s purpose;
    – the outcomes from decisions are often not sufficiently certain because the decision makers are not fully aware of the assumptions (internal, external and wider) that form the context for a decision;
    – there is insufficient monitoring of decision outcomes and for changes in context.

    From this I see lots of opportunities for the more enlightened people (previously erroneously labelled ‘risk managers’ and auditors) to assist decision makers to have effective and efficient conversations about whether the decisions they are making, and have made previously, are providing sufficient certainty that the intended outcome will be achieved and that this outcome will contribute to the purpose of their organisation.

    All these previously ill labeled and ill directed people need to do is simply to move on and just put all the risk management/audit claptrap behind them. Refuse to use the confusing jargon and whacky confections – replace them with plain language, normal concepts and logical thoughts. Work in the real world, rather than someone else’s artificial one.


  2. Norman Marks
    May 15, 2019 at 4:45 PM

    Grant, I don’t see any disagreement – unless you think the McKinsey pieces are complete. They have a lot of good advice; my point is that there is room for the practitioner to add value.

    • Grant Purdy
      May 15, 2019 at 4:56 PM


      You said “What may surprise you is that McKinsey doesn’t talk about either risk or the quality of information!”

      That is not true. This is exactly what they talk about, but they don’t always uses the ‘r’ word (thank goodness).

      Also the statement that they should include: “Guidance on which risks should be taken and by whom (for example, desired rate of return; delegation of authorities; risk criteria; how to assess the net effect of what might happen, considering both the upside and downside; processes to include everybody who needs to be involved in the decision; and, how to overcome cognitive and other bias)”

      Your statement is typically jargon-rich and mis-informed and is, quite simply, not the way that normal people think and make decisions. Who, anyway, knows what ‘risk’ or ‘risks’ means? Let alone what are ‘risk criteria’ and why these matter (they don’t) to normal decision makers.

      You also missed, as far as I can see, the major contribution that audit folk can make – which is in providing independent monitoring of decision outcomes and changes in context (assumptions) after decisions have been made.

      You and I might be about to see through the haze of the risk management claptrap, but I’m afraid we are very much in the minority.

  3. Norman Marks
    May 15, 2019 at 5:06 PM

    Grant, I respect you and your opinion – but don’t think I am mis-informed. I am talking (primarily) to practitioner who should understand what I am saying. If they don’t we have a different problem. BTW, I don’t agree that auditors should be monitoring (and second-guessing) outcomes. Their job is to provide assurance, advice, and insight on the processes used for making decisions, not the decisions themselves.

    • May 15, 2019 at 5:37 PM

      Sorry Norman.

      This is not about matters of opinion, it’s a question of facts.

      “Desired rate of return” is not a risk – by anyone’s definition. It is an expression of an outcome.

      Neither is delegation of authorities and so on.

      Incidentally. I’ve yet to see a delegation of authority statement that explicitly says who can take what risks. They are normally just about signing off on expenditure or investment levels and ‘risk’ or ‘risks’ (whatever those terms mean) are never mentioned or explained.

      Normal people don’t think about “which risks should be taken and by whom” when they make a decision. In fact, most people don’t even know what ‘risks’ means and even if they do, they can’t agree a definition.

      As for risk criteria, well..!

      The point we should be making is that people whose professional standing and organisational position are based on the rituals, jargon and beliefs of ‘risk management’ or ‘internal audit’ are never going to exert any real influence on decision makers if they persist in using confected language and requiring an organisation to adopt conflicting and unnatural methods.

      The primary reason for the lack of uptake of ‘risk management’ in support of decision making is that it is seen as artificial, disconnected from day to day operations and increasingly irrelevant.

      ‘Risk management’ is generally perceived as hindering rather than helping decision makers to achieve sufficient certainty about the outcomes of their decisions. Even, if it is producing modest improvements, this is only through absorbing a disproportionate amount of resources and causing irritation or reducing organisational agility in the process.

      If these practitioners want to make a difference, they should focus on obtaining a better grasp and awareness of the method by which decisions of all types are actually made; enhancement of the relevant skills and conceptual understanding of each step of the process will then provide them the key to assisting improved decision-making.

      Finally, and incidentally, how can auditors “provide assurance” on the processes for making decisions if they don’t look to outcomes? This is not ‘second guessing’ but rather using their skills to find out ‘what’ really happened so that they can then diagnose ‘why it happened.

      It would certainly be nice if the IIA, RIMS, IRM etc. helped develop the skills of their members on the basics of decision making and not just provide training that perpetuates irrelevant self-indulgent confections.

      • Norman Marks
        May 15, 2019 at 7:51 PM

        Grant, I mostly agree. Where I differ is that I never said delegation of duties or other things in my list were risks. I said they provided related guidance. BTW, I have seen a delegation of risk-taking

  4. Grant Gillingham
    May 15, 2019 at 10:09 PM

    Speaking of training and awareness specifically to decision quality, SDG provides some great looking courses both online and on campus, not to mention their book Decision Quality is worth a read. https://sdg.com/all-courses/

  5. May 16, 2019 at 1:24 AM

    Norman, Grant, isn’t there a danger that we’re getting tied up in terminology? I think we are agreed that good decision making is at the core of an organization achieving its objectives. So let’s start with objectives, they need to be clearly defined, which might seem obvious but failure to properly define objectives can be the start of poor decision making.
    Next comes the need to consider what decisions have to be made to achieve these objectives. In practice this can be quite difficult and one solution is to look at the circumstances which benefit or threaten the achievement of the objectives and then look at the decisions which manage these opportunities and risks. Having done this exercise the information required to inform these decisions can then be derived. Sounds complex but my site at http://www.managing-information.org.uk gives examples.
    There is one important feature of decisions. Decisions can’t change the past. This implies that historical information is only of any use when it can assist in predicting the future. Thus information to the board should only consist of forecasts with no historical accounts. Bit revolutionary? This Linkedin (https://www.linkedin.com/pulse/board-pack-steamed-up-too-much-information-david-griffiths/) article, extracted from my website, looks at how auditors and risk managers can assist the board in examining the relevance of the information.

  6. May 16, 2019 at 1:48 AM

    Mark, I fully agree. Too many risk managers and auditors are continue doing, what they have always done – and still hope to get listened to more by executives. This is close to Albert Einsteins definition of stupidity (keep doing the same thing, and keep expecting new results).

    A re-branding needs to be invoked, one where we do not talk about risks as such, but make a deliberate effort to define “what do we need to do to make this decision/project/endeavor a success that meets or even exceeds our targets.

    Both risk managers and auditors does and should have a basket full of tools to make this happen – what we need is the mindset/will/drive to step up to the task.

  7. May 18, 2019 at 1:46 AM

    Norman, re-reading the McKinsey articles leaves me with the impression that there are many directors not doing a very effective job. Is this due to lack of training or lack of competence? In your roles for the risk and audit practitioners you have hinted at the need for training but possibly all new directors should have a formal training session to understand risk and audit. Maybe all employees should have training in decision making, consistent with their responsibilities?

    • Norman Marks
      May 18, 2019 at 7:09 AM

      Few have training, whether in college or afterwards, in effective decision-making. I think that’s a huge issue and one internal auditors should consider and, if possible, risk practitioners point out.

  1. May 19, 2019 at 1:33 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: