
Risk in two rooms

September 24, 2020

The twins, J and K, want a hot tub. They decide to approach their parents, A and Z, but separately rather than together.

J finds A washing the car in the driveway. A is interested in the idea and they share dreams of soaking in the hot tub after a long day at work and school (after homework, of course). They think about the possibilities of inviting friends and family over for a party with the hot tub at the center. Ahhh!!!

Meanwhile, K is chatting with Z in the garden. Z immediately thinks about the cost. They will have to cancel the planned purchase of new laptops for the twins. Then the hot tub will have to be cleaned, and that will fall to J and K. As they talk about how disruptive it would be to have new water and power lines installed for the hot tub, they hear a car – their car – driving away.

A and J are on their way to the store, excited at the opportunity to buy a hot tub with installation included. After all, there’s a sale on that ends today!

Did anybody make an informed and intelligent decision?

Each pair only considered one side, either the risks or the opportunity. Nobody considered both or found a way to see whether one side weighed heavier than the other.

This is what happens with traditional risk management. It provides a list of risks. It doesn’t help you figure out which risks to take.

This is what happens with the traditional board. The risk or audit committee talks about risks while another group talks about strategy and performance.

I am working on a new book that will talk about moving from managing risks to managing for success.

Is this something you do? Is it something you want to do?

I welcome your thoughts.

  1. John Wilson
    September 24, 2020 at 3:50 PM

    Hi Norman and thank you for another insightful article. I think the answer to this is very simple, but one which is not palatable to the risk and assurance ‘experts’. The simple answer is to eliminate risk functions and indeed I’d go as far as “taking the risk out of risk management”. I am a CAE for a very successful FTSE250 business and we don’t have any such functions. The secret to our success is an annual review and update of our business strategy and 5 year plans using simple SWOT analyses from all of the Senior Executive Team. This process also drives business objective setting and process improvement projects and is extremely effective with no “risk professionals” involved.

    • David
      September 24, 2020 at 8:59 PM

      Why not share the name of your very successful FTSE250 business? I’m sure we’d all appreciate knowing which organisation is taking this approach; completely contrary to the approach of all leading executives and governance professionals (and regulators for that matter)… So that we can make sure we are not investing in this business.

      • John
        September 25, 2020 at 1:11 PM

        I have not named my company as my previous comment is based on my personal opinions and not a company statement.
        Our business identifies and manages risk effectively through the management team, and all of our business functions manage strategic, financial, operational and compliance risks. We do not, however, have a separate risk management function. Our approach complies with the principles and requirements of the UK Governance Code, which does not include any requirement for a dedicated risk function.

        • David
          September 25, 2020 at 2:23 PM

          I was being polite as it is easy to find your company using a simple google search of your name.

          The Code requires organisations to: “establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives.”

          Who in the organisation drafts these procedures for the Board to review and approve?
          Who in the organisation compiles the information regarding internal control framework and principal risks?
          Etc etc.

          You have a risk function; you’re just pretending that you don’t for the sake of obtuse labels.

          • Norman Marks
            September 25, 2020 at 3:15 PM

            David, may I suggest that it might be better to ask John how his company manages risks and complies with regulations? It looks to me as if they are probably doing things very well. Certainly, they have moved beyond relying on managing a list of risks.

          • Anonymous
            October 1, 2020 at 6:31 AM

            David. For me good management includes good risk management without the need for a separate risk function. We do have sound procedures to manage risk in place but they are simply normal business processes and procedures. We do not have a separate risk function, no risk committee, no detailed functional risk registers, nor any of the other ‘bumfp’ that I commonly see in risk management discussions. Without sounding flippant our risks are managed as follows:
            Sales and Marketing – manage risks associated with pricing, customers and competitors
            Product Development – manage scientific and clinical risks associated with new drug development
            Manufacturing and Supply – manage production, supply and logistics risk
            Finance – manage financial and tax risk
            HR – manage people risk
            The business leaders for each of these functions provide an annual strategy update to the plc Board which includes a SWOT analysis, key objectives and performance, and management’s self-assessment on their key risks.

            My view is that the traditional 3 lines of defence model with separate risk functions typically results in exactly the scenario Norman has outlined. If you simply ask regular business leaders and managers to identify and report on their risks as part of the routine strategic planning process, they provide a much more balanced picture of risk and opportunity and do a pretty good job without any ‘risk professionals’.

  2. steve fowler
    September 27, 2020 at 5:50 AM

    Hi Norman, when I first ‘discovered’ there was such a thing as risk management 20 years ago, I thought it odd that the majority of practitioners only focussed on the downside: worse still, they only focussed on one area of risk (safety, projects, credit risk etc) or one solution (insurance, governance, engineering etc). I was rapidly assured that as I was the one with ‘just’ a business background, I was wrong, and those with years of experience in ‘risk management’ were right. I never believed that then, and I still don’t believe it now. Many so-called professionals still labour under the misapprehensions sold by the risk management mafia, and several very well known professional bodies support them in these views.
    The emperor has no clothes! Risk management remains a useful set of tools, techniques and attitudes to the management of decisions and uncertainties. Now I know you Norman still use the GRC term and I understand why, but I’d argue that by lumping together risk with governance and compliance, we are actually reinforcing the misapprehension that the subject is concerned with stopping people doing things. ‘Goals, risk and culture’ seems to be a much more accurate definition of modern risk management done well. It encompasses both the balance between what can go wrong and what we want to achieve, and the recognition that this isn’t just science, it’s people too.
    Oh, and one more thing. The ideas behind Enterprise RM are fine, but the concept has now been corrupted by too many consultants and software houses claiming it for themselves. It’s just risk management really. And as for the current fad for ‘Resilience’, don’t get me started: that too is just good risk management and business continuity planning done well.

    Risk management belongs to everyone, not just risk managers, and the more that you can do through your book to make this clear, the better. It’s a worthwhile endeavour and deserves a wider readership than just risk managers.

    • Norman Marks
      September 27, 2020 at 7:35 AM

      Thank you, Steve
