CEOs are not idiots when it comes to risk management

CEOs got to the pinnacle of their organization because they are anything but idiots.

Yet, if you consider the small number of organizations where risk management is considered as providing a strategic advantage (according to the latest study by the ERM Initiative that number is 20% of all organizations), one of these alternatives must be true:

  1. Even mature risk management doesn’t provide a strategic advantage. In fact, it is doubtful (as indicated in the report as the sentiment of most organizations) that the value of risk management exceeds its cost.
  2. People don’t know how to design a risk management program that delivers value in excess of its cost, to the point that it provides strategic advantage.
  3. CEOs are idiots.

I pick the prize behind door number two.

Here’s the problem.

If all you do is manage the downside, you are not helping manage the upside.

I have been saying for at least a decade that management needs to take risks to survive and thrive, and that means balancing the potential harms that may occur against the potential rewards.

Yet, time and again I keep seeing risk management portrayed as understanding, assessing, evaluating, and addressing potential harms.

That is not how you or anybody else who enjoys a modicum of success makes decisions.

The ERM Initiative talks about risk management being an effort to build a risk profile or list of “risk exposures”. Even this limited approach to risk management seems to have been achieved by a small percentage of organizations. Just 6% of the largest organizations report robust risk management processes and 28% say they are mature.

There’s a big difference between maintaining a list of potential exposures and an environment where everything of significance is considered when making decisions.

In other words, if organizations are to optimize results, they need to set aside managing risk (downside) and instead do what it takes to make informed and intelligent decisions.

For ten years, the ERM Initiative has been working with IBM to assess whether organizations have mature processes that deliver risk profiles.

Isn’t it time for them to assess how many organizations are able to make, with confidence, intelligent and informed decisions?


I welcome your thoughts.

  1. Kathryn Tominey
    June 11, 2019 at 9:53 AM

    Hmmm – Boeing has been taking risks that were costly starting in mid-90’s refusing to invest in electronic manufacturing travelers against pleading by manufacturing mgt. Cost plenty but sales staff got bonuses. Forced retirement of experienced staff then hired them back to help fix the problems.

    Mid-2000’s outsource design, engineering, manufacturing all over the world without associated source surveillance. Leaving critical engineering oversight to cheaper junior staff to save money. Failed miserably and cost but no one had to refund their bonuses.

    MCAS debacle – knowingly took chances with mission critical safety systems to increase profit margins and secure their annual bonuses. That has sure paid off!! Or cutting QC on military planes leaving trash in engines. Or metal shards in wiring harnesses and getting rid of people who reported the deficiencies. Probably going to be costly but at least they ousted the mgr.

    Company after company taking huge chances with reputation as well as bottom line. Just to increase their annual bonus – confident that BoD will not ask for the return of those multimillion dollar bonuses.

    No they are not dumb. Just corrupt.

  2. June 11, 2019 at 10:23 AM

    Norman, you are right but unfortunately, when it comes to ‘box ticking’ it’s easier to ‘assess whether organizations have mature processes that deliver risk profiles’ than ‘assess how many organizations are able to make, with confidence, intelligent and informed decisions?’. And ticking boxes is what much of corporate governance is about.
    The first provision in the UK’s Corporate Governance code requires, ‘The board should assess the basis on which the company generates and preserves value over the long-term. It should describe in the annual report how opportunities and risks to the future success of the business have been considered and addressed, the sustainability of the company’s business model and how its governance contributes to the delivery of its strategy.’ The code also states, ‘Reporting should cover the application of the Principles in the context of the particular circumstances of the company and how the board has set the company’s purpose and strategy, met objectives and achieved outcomes through the decisions it has taken.’
    I’m not sure how well companies report their performance and quality of decision making but I’m sure it would be improved if the audit committee had to formally report on the application of all the principles, especially the first.
    David Griffiths

  3. Grant Purdy
    June 11, 2019 at 8:08 PM

    I agree with you. CEOs and indeed most senior members of management are rarely idiots. While they are all involved in serious decisions most days that will directly affect whether their organisation achieves its purpose, most (in the world) do that without any reference whatsoever to any of the paraphernalia of modern day risk management.

    These guys are (mostly) not mugs and can spot a scam at ten paces. Which is why, of course, all the variously badged or codified risk management approaches (ERM and all the other variants of three letter acronyms) are largely ignored by most organisations in the world or, as those who have believed the hype and attempted to adopt them have found, fail to deliver, despite the investment of great effort and expense in attempted implementation.

    The uncomfortable truth is that the unwieldy corporate ‘risk management’ edifices that some misguided organisations create are not only unsuited to ensuring effective decision-making, but actually have little or no impact on decision-making. There is also scant evidence that adopting such edifices leads directly to improvements in organisational performance. If anything, the opposite might occur by creating a false sense of confidence that just having the paraphernalia of ‘risk management’ (like stroking a rabbit’s foot) somehow leads to sound decisions and improved performance.

    Savvy CEOs quickly spot that ‘risk management’ hinders rather than helps them achieve sufficient certainty about the outcomes of their decisions. Even if they are convinced (normally by the risk management practitioners or consultants who have most at stake!) that it produces modest improvements, they quickly spot it absorbs a disproportionate amount of resources and causes irritation or reduces organisational agility in the process.

    Maybe that’s why “Just 6% of the largest organizations report robust risk management processes and 28% say they are mature” – whatever ‘robust’ or ‘mature’ mean.

    If I was running an “ERM Initiative” for 10 years and achieved such abysmal results, I think I’d conclude that I was doing something fundamentally wrong!

  4. Anonymous
    June 11, 2019 at 11:53 PM

    “CEOs got to the pinnacle of their organization because they are anything but idiots.” I would like to add that they are GREAT survivors hence like the chameleon they are able to adjust their colors according to their situation. Put anything on the table, they will have the skills to address the issue, not necessarily solving the issues. When it comes to RM, compliance MUST be number, the rest is a bonus, this is from the context over in my country.

  5. Richard Fowler
    June 12, 2019 at 5:30 AM

    Risk management is useful in strategic decision making. But if executive management is not using risk management effectively, that does not negate its usefulness. You’ve noted before that risks are events or actions that impact the organization’s objectives; I’ll add that strategic decision making is rarely an objective in itself. RM can and is used to address the operational, compliance and financial risks faced every day. RM is used to address strategic risks as well, but strategic risks may not occur daily. Organizations manage risks every day to make sure that products and services are delivered, that contracts are being fulfilled, that employees are safe, that systems are secure, etc. CEOs help drive those objectives. They are not idiots, because they know that their organization cannot grow tomorrow if it cannot function today.

    • Roger Estall
      June 13, 2019 at 7:50 AM

      Richard, I have to admit to not understanding anything of what you are saying. That said, the word ‘risk’ has so many meanings (both formal and informal) so it is possible that you may be using your own meaning and therefore be making perfect sense to yourself. But if you were using, for example, the meaning that ISO 31000 attaches to the word ‘risk’ then the following observations in your post make no sense:
      “risks are events or actions that impact the organization’s objectives” – this completely disregards the fundamental and inseparable ingredient of uncertainty
      “strategic risks may not occur daily” – if by ‘strategic risks’ you mean risks associated with strategy, then given that strategy is omnipresent how can the associated risks not also be omnipresent. Incidentally, the idea of risk ‘occurring’ implies that risks are an externality that come and go, whereas surely they are just an integral property of the decision from which they arise
      Even the idea that risks can be ‘managed’ is dubious. Risk is risk and risks are what they are – a product of decisions which can only be changed by changing the decision, which is hardly ‘management’.

    • Norman Marks
      June 13, 2019 at 11:31 AM

      Richard, are we not talking about risks to objectives – and anything of significance is therefore a ‘risk’ to strategies, aka a strategic risk. The idea of separating operational or compliance risks from strategic risks makes little sense to me. If an operational risk is serious, it will affect the achievement of strategies and objectives. Nu?

  6. Anonymous
    June 13, 2019 at 8:36 AM

    Norman, completely agree with your premise that risk management is about optimizing strategic decision-making. Risk = uncertainty about an outcome. Progressing through uncertainty requires a decision to be made. The focus of risk management should be optimization of decision making which ultimately leads to optimal strategic outcomes (i.e., minimization of negative strategic outcome, maximization of positive strategic outcome). The focus on negative outcomes unfortunately is a legacy of risk management that most organizations can’t shake.

  7. Gregory Sosbee
    June 13, 2019 at 9:03 AM

    I agree number two is the correct answer. Unfortunately for the risk management community, they are mostly to blame. Beginning in 1998 I told anyone who would listen that the risk management community had to grow to encompass all forms of risk if the community were to survive.

    What I have found is very few risk managers understand that risk management direction begins with the Board/owner(s). Not only is this group responsible for organizational wealth protection and growth, but they are also the only organizational unit that can provide management on how they want risk management managed.

    • Norman Marks
      June 13, 2019 at 11:34 AM

      Gregory, I’m not totally with you on the last point. They can establish the goal and leave it to management to achieve it, by making informed and intelligent decisions. They can provide some measure of guidance when it comes to putting the organization in jeopardy, but day-to-day guidance on which risks to take should come from management.

  8. Grant Purdy
    June 13, 2019 at 5:22 PM

    The point that no one seems to have picked up on is that after 10 years of the “ERM Initiative” and nearly 30 years now since codes were published (AS/NZS 4360, ISO 31000, COSO ERM etc.) specifying what risk management should look like, such surveys consistently report that “Just 6% of the largest organizations report robust risk management processes and 28% say they are mature”.

    It’s often said that the definition of insanity is doing the same thing over and over and expecting a different result!

    While most of the readers of this blog are probably members of the risk management cult with its own, arcane language and rituals, surely the uncomfortable truth is that the rest of the world regard all this chicanery as a complete waste of time and energy!

    Clearly, they’ve come to the view that ‘risk management’ is hindering rather than helping them achieve sufficient certainty about the outcomes of their decisions or even, if it is only producing modest improvements but absorbing a disproportionate amount of resource and causing irritation or reducing organisational agility in the process.

    It’s time for it to go and for us in the cult who have attempted to practice this religion to move on. We’ve failed guys!

    Let’s just accept that, and let’s not do what we normally do: change the three letter acronym that attempts to describe this belief system and invent even more jargon and perverse concepts to bamboozle normal people with.

    We have to stop “doing the same thing over and over and expecting a different result”!

  9. June 17, 2019 at 9:31 AM

    Hi Norman,
    One thing we can do is to stop talking about Governance, Risk and Compliance. Aligning Risk with two downside bedfellows is inherently negative.
    Why not Goals, Risk and Culture instead?
    And whilst we’re at it, let’s stop reinventing the wheel with ERM, SRM, resilience and all the other new-fangled terms as pseudonyms for risk management done properly. ‘Keep it simple, stupid’ applies as much today in risk management as it did in IT in the 1980s.
    Let’s stop inventing unnecessary concepts, such as risk culture (why not pure culture?) and risk appetite/tolerance/capacity (business appetite?). If we don’t speak the language of business, expect more people to question our value…
    I do not underestimate the value of Risk Management, executed well, but too many are too quick to over complicate what should be inherently simple.
    And let’s not confuse risk management with much of what gets labelled ‘risk management’ but is either compliance (anywhere) or pricing (banks).

    • Roger Estall
      June 17, 2019 at 4:24 PM

      I don’t think you are going far enough with your proposed spring-cleaning of the jargon box Steve. How about the elephant in the box …… the expression (which has no common meaning) ‘risk management’?
      You might like to consider this question: “If risk management is the answer, what was the question?”
      And remember too, that before either this expression, or its paraphernalia (which you quite understandably criticise) emerged on the scene a mere few decades ago, most organisations of all types were able to successfully pursue their purposes. The only way they could do that was by making sound decisions about the opportunities available to them. What’s wrong with harnessing and consistently applying (jargon free) good decision-making without confusing everyone with the myriad of (conflicting) contrivances that fall under the risk management label – despite it having no common meaning. It’s almost dystopian! Certainly surreal.
