If risk management is the answer, what is the question?

This insightful point was made by Roger Estell on my blog last week.

It merits our thoughtful consideration.


Let’s start with some thoughts about the fundamentals underlying any successful enterprise, whether large or small.

Let’s assume that we are all working together to deliver success for the enterprise.

Then how is success measured?


The executive team, from CEO on down, is usually measured based on whether the organization has achieved targets (or metrics) approved by its owners (or their representatives on the board).

Rather than (as in the case of COSO ERM and ICF) assuming that those are the right metrics to measure success, I suggest considering:

  • Have the best objectives been set? Were all opportunities and potential hazards of significance considered during the objective (and strategy) setting process?
  • Have the right targets been set? Are they too low, so that the executives don’t stretch as much as they should? If targets are too easily achieved, there is a temptation to store opportunities for the next period. If they are too high, management may take a level of risk (a potential for harm in this case) that is beyond what the owners consider acceptable.
  • Have performance targets and incentives been established throughout the organization that are consistent with the targets set for the enterprise as a whole? Does everybody understand what is needed from them for the organization to succeed? Are there performance metrics that will lead management (at any level) to act in a way that is inconsistent with enterprise goals?
  • Are objectives, strategies, and related metrics adjusted as necessary when conditions change?
  • In other words, is there a reasonable level of assurance that the right objectives (and strategies) are set to deliver optimal levels of shorter and longer-term success?

In a video, Alexei Sidorenko talks about how he worked with the management team to ensure that the objectives they set had a reasonable likelihood of success. He used scenario planning and other tools to help management understand that the first targets they set were unreasonable, with only a 1% (or less) likelihood of being achieved. The target was revised and the new one, approved by management and the board, had a projected 70% likelihood of being achieved.

Management and the board accepted that there was a 30% chance of failing to achieve their objective. (A far more reasonable and practical approach than the concept of risk appetite, as the latter only considers the downside and not the big picture of upside and downside.)

Alex used the tools and techniques he learned for risk management to help the organization set reasonable and appropriate objectives, targets, and metrics for success and the measurement of executive performance.

The question to be asked first is: how can we assess the likelihood of success (achievement of our objectives) given a reasonable understanding of what might happen?

The answer is not really ‘risk management’, because success is not achieved by managing downside risk. We want to manage for success rather than for avoiding failure.

The answer is the use of the tools and techniques traditionally only used for assessing and evaluating the downside – and you can call that risk management if you like. I don’t.


Once the objectives, strategies, metrics for measuring performance, and so on are set, management has to run the business to achieve them.

Management runs the business by making decisions. We hope they are informed and intelligent decisions: informed about what might happen that would affect their achievement, both for the better and for the worse.

How do they get the information about what might happen, both good and bad, on which they will base their decisions?

How will they determine whether their decision will improve or negatively affect the likelihood of achieving their objectives? In Alex’s case, will each decision they make increase the likelihood of success to above 70% or will that likelihood drop below acceptable levels?

Is the answer to those questions ‘risk management’? Certainly, the tools and techniques used to assess adverse events and situations, and their effect on objectives, can be used to paint the larger picture.

But I don’t think the answer is ‘risk management’.

It’s also not ‘objective management’.

It’s effective and intelligent management. It’s the ability to make informed and intelligent decisions, which is the core of effective management.


We need to stop coming up with new words and phrases when all we need to address is the effectiveness of management. So stop talking about ERM, IRM, or even objective assurance, and start thinking about how to obtain reasonable assurance that the management of the organization, including how it sets objectives and makes related execution decisions, is effective.


I welcome your thoughts.

  1. June 21, 2019 at 9:09 AM

    Norman, thought-provoking blog as usual. The need to consider whether the best objectives have been set and whether the related targets are realistic should be top of the CAE’s list of audits to be carried out every year, and during the year to make sure the board don’t change them to ensure they get their bonuses.

  2. June 21, 2019 at 9:56 AM

    I totally agree but am personally still guilty of using the risk management term too much.

  3. June 21, 2019 at 12:10 PM

    ‘If risk management is the answer, what is the question?’ The question is, ‘How do you reduce the impact and/or likelihood of the risks which are threatening the achievement of your objectives to a level which you consider are acceptable?’ This question doesn’t remove the need for ‘the ability to make informed and intelligent decisions, which is the core of effective management’, it is another part of effective management.
    When you travel by plane, you expect air traffic controllers to have an objective that aircraft routes are set to ensure safety and efficiency and then make decisions about correct directions and altitudes based on quality information appearing on their computer screens. You also expect that the risk of their computer system failing has been considered and that alternative manual methods are immediately available and controllers have been trained to use them in realistic situations. You also hope that, should a controller make a bad decision, the computer will warn if two planes are going to collide. I would define these processes as ‘risk management’, although I don’t like the term. As an internal auditor I have always known them as, ‘internal controls’.

  4. John Fraser
    June 23, 2019 at 6:25 AM

    A competent board will recognize that during the year many unforeseen things will crop up and require resolving by management. Management needs to be recognized for how they address these things. If the board only rewards based on performance measures that are defined up front, management may focus too much on these factors and not address other critical issues. I have seen this too many times.

  5. John Fraser
    June 23, 2019 at 6:33 AM

    Irrespective of what you call it, if management does not do the two essentials of that for which we have no name (i.e. ERM) then the organization will not be run as well as it should. The two essentials are ‘prioritization’ and ‘conversations’. Management needs to prioritize objectives, risks and resources. The board, management and staff need to have meaningful conversations about the above. Call it what you will but the tools and techniques of true ERM can assist in making these processes more meaningful. QED

    • June 23, 2019 at 6:51 AM

      John, what are the tools and techniques of true ERM?

  6. Cong Do Thanh
    June 23, 2019 at 11:59 PM

    “It’s effective and intelligent management. It’s the ability to make informed and intelligent decisions, which is the core of effective management” – I couldn’t agree more

  7. June 24, 2019 at 2:06 AM

    So do we need quality management, opportunity management and so on? I guess there is in most profit-seeking businesses enough effort on the upside, so downside RM provides the antidote. Overall I agree there needs to be a balance, and RM is iterative, so objectives should be changed if the risk review demands so.

    • Norman Marks
      June 24, 2019 at 2:58 AM

      If RM is seen as an antidote for optimism, focusing on the downside while others overestimate the upside, then I foresee disaster. Risk practitioners have the tools to assess the upside and allowing others to screw that up is not my position.

  8. June 24, 2019 at 6:50 AM

    To update the detectives’ motto: Follow the incentives.
    Management pursues the incentives, always for the rewards.
    As currently arranged, risk management is an overhead and regulatory burden.
    Must use the positive side of risk. Create a comprehensive view of risk/return, where taking the RIGHT risks adds more to gains than expected losses.
    Remember that an asset is just a risk that has been funded!

  9. John Fraser
    June 24, 2019 at 7:06 AM

    Alex, I am sure you know the answer. Some might include: a policy approved by the board to show commitment to ERM, risk criteria as envisioned by ISO31000 to help prioritize sources of risks, risk workshops at all levels –
    i.e. board, executives, departments, risk assessments for major projects (I am still amazed at boards that approve major capital projects without asking for a risk assessment), the requirement for all resource requirements to be justified in terms of what sources of risks to objectives are being addressed. Most of these can have assessments of both the upside and downside addressed. At the end of it all it depends on how well these are understood, used and ingrained in management thinking and decision making.

  10. John Fraser
    June 27, 2019 at 5:24 AM

    Most of the things I listed were not being done or are not being done. Their purpose is to get management prioritizing and having conversations about risks, which actually works in practice, assuming they are done with commitment by people who know what they are doing. I have seen many examples of window dressing, but that was mainly people filling out forms etc. without meaningful conversations.
