Home > Risk > Risk, purpose, and objectives

Risk, purpose, and objectives

January 17, 2021 Leave a comment Go to comments

People talk about integrating risk management into strategy-setting and objective-setting, but I have yet to see any good guidance (and that includes from COSO) on that topic.

But should we be talking about risk and strategies (or objectives) or risk and purpose – or even be using the four letter word that starts with R?


If you have been following my blog for a while, you would have seen multiple and often lengthy comments by Roger Estall and Grant Purdy. They are the authors of Deciding: A guide to even better decision making, a book I have recommended.

Roger and Grant describe their book on Amazon:

This book is intended to help decision-makers of all types make even better decisions. The central thesis is that whether ‘Deciders’ realise it or not, all decisions are made using what the authors describe as ‘the universal method of decision-making’. The adequacy of each decision therefore depends on how skilfully the method is applied, whether Deciders achieve ‘sufficient certainty’ about the outcomes that will flow from the decision and the contribution made by those outcomes to the organisation’s Purpose.

Note their focus on Purpose and “sufficient certainty”.

They have also, in the book and in their comments on my posts, trashed the word risk and the idea that it should be ‘managed’.

The idea that we should avoid the work ‘risk’ is something I suggested earlier in Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking[1]. My introduction on Amazon was:

Why is risk management so often a review of what might go wrong? Norman Marks suggests that this ‘doom management’ approach should be replaced with ‘success management’. What might happen that could affect our success, both the good and bad? Is that OK? Now let’s do something about it. Norman’s new book has advice for the CEO, executive team, individual executives, and the board. It focuses especially on the need for decisions to be intelligent and informed, because those are where risks are taken. His earlier book, ‘World-Class Risk Management’ gave more in-depth guidance for the risk practitioner. This easily read and consumed book is designed for those in leadership positions who are interested in making risk management a competitive advantage.

My suggestion to use ‘plain English’ (instead of risk practitioner technobabble) is because the four-letter word risk evokes a negative knee-jerk reaction from executives. They see risk management as something that prevents them from doing their job; it’s a compliance exercise that makes little contribution, if any, to making quality business decisions and achieving their objectives. In addition, it is what I describe as “doom management” when we should be trying to make the informed and intelligent decisions that lead to taking the right risks for success.

The plain English way to talk about risk and opportunities, I suggest, is to talk about “what might happen”. Grant and Roger prefer to just forget about either the word or the concept it is supposed to represent.


While I talk about “an acceptable likelihood of achieving enterprise objectives,” my friend Grant[2] and his co-author Roger prefer to talk about “sufficient certainty about the outcomes that will flow from the decision and the contribution made by those outcomes to the organisation’s Purpose”.

We can quibble about the difference between “acceptable likelihood” and “sufficient certainty”. But I believe (and Roger or Grant will correct me if I am wrong) that these are essentially the same idea.

But there is a clear difference between Purpose and objectives.


Here are some excerpts from Risk Management for Success. (This includes my attempt to help people ‘integrate’ the consideration of ‘what might happen’ into business processes, from setting the direction of the organization to executing on it.) My first drafts did not include a discussion of a Purpose statement, but Grant persuaded me that it was important to consider it; there is clearly a growing appreciation by leaders of its value.

It’s fair to say that pretty much every organization has a formal Mission or similar statement. A 2020 McKinsey Quarterly article, Purpose: Shifting from why to how, said:

Only 7 percent of Fortune 500 CEOs believe their companies should “mainly focus on making profits and not be distracted by social goals.

There is a growing recognition by CEOs and boards of the need to address expectations from the society within which they operate.

In an ideal world, that Mission or Purpose statement drives the longer term plans and goals for the entire organization.

McKinsey surveyed 1,000 people in US companies[3] and found that:

  • 82% said purpose was important
  • 62% said their organization had a purpose statement
  • 42% believe the purpose statement had impact


However, in the majority of cases it is aspirational and only sets out principles that may or may not inform how the organization operates from period to period. It may or not affect how decisions are made on the ground.

For example, here is the Purpose statement from BHP Billiton, an international natural resources company based in Melbourne, Australia[4].

We are BHP, a leading global resources company.

Our purpose is to bring people and resources together to build a better world.


I am sure many CEOs would agree … that a Purpose statement is important and, in some way, guides the organization’s strategy and actions. But it doesn’t guide every tactical decision[5].

I can certainly see that such a statement is very important in nonprofit organizations.

In any organization, it may influence strategic planning and decisions, such as in deciding on strategic acquisitions, and through them the objectives that decisions are intended to achieve.

Bain & Co[6]. tells us that:

By redefining their purpose and focusing on it, companies are better equipped to thrive in an ever-changing world. Consumer products company Mars has recently formulated its purpose as: “The world we want tomorrow starts with how we do business today.” And this philosophy is reflected throughout the organization in many ways, including its $1 billion investment toward becoming sustainable within a generation. Such focus can help a company to attract key talent, engender consumer trust and gain access to important resources such as sustainable supply chains.

How does Mars’ Purpose statement of “The world we want tomorrow starts with how we do business today” affect decisions such as whether to delay the implementation of a new computer system, where to set prices for a new service, or how much to invest in compliance or cyber?

In a 2016 study, PwC surveyed US business leaders. While 79% said that “purpose is central to business success”, only 34% thought that it was consistently used “as a guidepost for decision-making.”

That percentage may be growing, especially if CEOs recognize that they need Purpose or Mission statements that are more meaningful to decision-makers down and across the extended enterprise.

For Mission or Purpose to be an effective “guidepost”, it has to be translated into objectives that the organization, its management and staff work to achieve each period.

The Mission or Purpose statement is something that should be considered in assessing risk management. Some organizations will see it as a higher priority than others.

Where it connects with the running of the organization is that each period’s objectives and strategies should be consistent with and advance its purpose or mission.

How does risk management figure in setting the Mission or Purpose?

Understanding what might happen could but is unlikely to affect the setting of Mission or Purpose statements such as those above.

However, it is an essential ingredient in setting longer-term strategic plans and then the objectives for each period so that the Mission can be achieved.

I see it as an optional element in assessing decision-making and risk management.


Management and the board agree on objectives and compensate individuals based on performance against those objectives.

The objectives have to be aligned with the Mission and the Strategic Plan. In practice, enterprise objectives are proposed by executive management and reviewed (often approved) by the board.

While in an ideal world everybody has a long-range view and makes decisions that are right for the organization in the long-term, in practice most are driven by short-term goals and objectives – and their compensation.


Grant pointed me to the McKinsey piece I quoted in the book. More recently, McKinsey has repeated their advice. This is from this month’s Organizing for the future: Nine keys to becoming a future-ready company:

Top-performing organizations know that purpose is both a differentiating factor and a must-have. A strongly held sense of corporate purpose is a company’s unique affirmation of its identity — the why of work —and embodies everything the organization stands for from a historical, emotional, social, and practical point of view.

Future-ready companies recognize that purpose helps attract people to join an organization, remain there, and thrive. Investors understand why this is valuable, and factor purpose into their decision making: the rise of environmental, social, and governance (ESG)–related funds is just one of the ways they acknowledge that purpose links to value creation in tangible ways.

Nonetheless, few companies harness purpose fully. In a McKinsey survey of employees at US companies, 82 percent said organizational purpose is important, but only half that number said their purpose drove impact. [The same survey quoted in their earlier piece.]

A December 2020 piece reinforced my and McKinsey’s observation that while Purpose is a great idea, it drives very few tactical or even strategic decisions.

The concept of “corporate purpose” is at risk of becoming a vague aspirational statement like “mission” and “vision” were years ago. These statements were put on boardroom walls, but they didn’t really change the way companies conducted business.

There are no rules of thumb that companies can follow in making these decisions. However, defining a clear corporate purpose and rigorously paying attention to long-term value creation can help executives make the difficult choices.


Let me see if I can summarize all of this (even though these are only a few excerpts from my book).

  • Many organizations have Purpose or Mission statements that have been approved by the board and both the board and management profess to believe in them. (However, finding CEOs who will put achieving Purpose ahead of their bonus may be a challenge.)
  • If you have such statements, it is important that they are achieved – but that is a longer-term endeavor rather than something that is achieved this period.
  • Objectives, which in my experience every organization has established to measure and reward organization and management performance for the period, need to be designed to achieve any defined Purpose or Mission over time. Purpose is too aspirational and distanced from tactical and even most strategic decisions to be a major influence on daily decision-making.
  • Management is biased in their decision-making by how they will benefit; they know that they will be rewarded for achieving defined objectives.
  • It is far more practical to focus on the achievement of objectives than Purpose, especially when it comes to decision-making and the consideration of what might happen (risks and opportunities). Purpose statements (such as that referenced above from BHP) are typically aspirational and do not have the metrics associated with them that provide specificity and clarity about direction to decision-makers.
  • We cannot have certainty about either the achievement of Purpose or objectives, but we can strive for an acceptable likelihood of achieving objectives – and that will lead to the achievement, in time, of Purpose.
  • Objectives, though, need to be rooted in an understanding of what has happened, is happening, and might happen – and that is where ‘risk’ management can help (although I prefer the label of success management or even simply effective management).
  • In an ideal world, we would dispense with the four letter word. But that is probably a step too far for most practitioners and almost certainly any regulator. However, we can change what we do so that it not only satisfies any compliance requirements but helps the organization succeed. That is what I recommend:
    • Comply with regulations first, but then
    • Extend your practice to help the organization and its people succeed.


I welcome your thoughts – and am looking forward to Grant and Roger’s comments. I encourage them to share excerpts from their fine book.



[1] Rated 5 stars on Amazon.

[2] Grant Purdy has been a member of the review panels of several of my books, including Risk Management for Success. That doesn’t mean he agrees with everything I have written! Grant has also been a great source of wisdom in my risk management journey. I don’t know Roger beyond his comments on my posts and his book with Grant.

[3] Purpose: Shifting from why to how, 2020

[4] Grant’s former company.

[5] The cynic in me says that for most organizations, the Purpose is to make money.

[6] A global consulting firm, their article is Giving people hope by reigniting your company purpose, 2020

  1. January 17, 2021 at 11:25 AM

    My first audit client was Mars and their location in Hacketstown, NJ. When you entered town, you could smell the chocolate. If Mars’ purpose is a sustainable operation in 10 years ok. But what about all the obesity you created.

  2. January 17, 2021 at 12:57 PM

    If you see risk as only “compliance” with the negative outcomes that burden the corporation, then how about inverting the view and seeing enterprise risk management (ERM) paradigm where risk management is viewed holistically on a portfolio basis across the enterprise. Starting with the Strategy captured in some definable and tangible way like Balance Scorecard.

    In that Scorecard are “actionable” strategic initiatives, in a portfolio of initiatives to implement the strategy. In that Portfolio are Projects performing the work to implement the Strategy.

    Then Risk Management with all its processes and practices “removes impediments to the success of the Strategy”

    Here’s how we’ve applied BSC Strategy and built and managed portfolios of projects that implement that strategy

    And a hands-on example

  3. January 17, 2021 at 2:40 PM

    I’ve often argued GRC should stand for Goals, Risk and Culture. That would at least help our thinking in terms of aligning risk with strategy and culture rather than with obedience with the law (compliance) or with systems of control (governance). One day, one day……

    • Norman Marks
      January 17, 2021 at 2:53 PM

      Governance, Risk, and Confusion

  4. January 17, 2021 at 8:23 PM

    “We can quibble about the difference between “acceptable likelihood” and “sufficient certainty”. But I believe (and Roger or Grant will correct me if I am wrong) that these are essentially the same idea.”

    Norman, the difference, of course, is not between the expressions “acceptable likelihood” and “sufficient certainty” but, as you point out in your previous paragraph, between “an acceptable likelihood of achieving enterprise objectives,” and “sufficient certainty about the outcomes that will flow from the decision and the contribution made by those outcomes to the organisation’s Purpose”.

    We are focused on ‘decisions’ as it is only by making decisions that organisations (and individuals) can pursue (or defend) their purpose. And we focus on outcomes because (as a matter of fact) that is what results from decisions. The problem is, that the outcomes might or might not be the outcome intended and, over the life of the decision, might or might not continue to ‘contribute’ in the same way if, for example, the context in which the decision was made, changes over time.

    As to ‘Enterprise objectives’ (and strategies etc) they of course are each the product of a decision which might or might not deliver the outcome intended either immediately or over time, or, therefore, contribute to the organisation’s Purpose. It is therefore necessary to have sufficient certainty about the outcomes of those decisions as well.

    I hope this will be helpful. Hereinafter, I’ll leave it to our book to do the talking in relation to any other comments!

    • Norman Marks
      January 18, 2021 at 8:10 AM

      Thank you, Roger. I don’t see any disagreement by you in your comment. One huge difference I see is that people often have a desired outcome that is not aligned with enterprise goals. That is something I have seen time and again.

      Perhaps people should read both books, especially as mine was after yours and I had the benefit of building on its ideas (where relevant).

      • January 18, 2021 at 8:28 PM

        And Norman, much more often they have personal, departmental, business level or project objectives that are not aligned at all with the organisation’s purpose.

        As you and I have discussed ad nauseum, the problem with the term ‘objectives’ is that, like the ‘r” word, it means so many different things and is obtained in so many different ways, where few involve some process for alignment with the organisation’s purpose. To some people they are outcomes, to others actions, action plans or even goals.

        The classic case is project objectives that involve budget and schedule achievement. To be frank, in my experience these are normally irrelevant when it comes to the achievement of true value for the organisation. And yet project managers and their lead bodies insist on listing them as their main criteria for success.

        So often I’ve had to encourage a major project ($100m+) to invest more money and time to significantly increase the resulting NPV, or to take more time completing the work to maximise utility or to optimise resourcing across a portfolio of projects.

        I can recall you recently suggested that the term objectives should be used as this is more familiar to people because they are ordinarily set during some performance management process. And yet I pointed out the world had long learnt the perils of performance-related pay and bonus arrangements based on setting objectives and KPIs. I drew your attention to the seminal work by Henry Mintzberg, written as recently as 1994 (!), called ‘The Rise and Fall of Strategic Planning which exposes and debunks the whole objective setting process. He shows that strategy cannot be planned by a process of setting objectives, because planning is about analysis and strategy is about synthesis and decision making.

        Finally, I just have to correct you conflating “mission statement” with purpose. They are not the same. An organistion’s purpose is as simple as it sounds: the highest expression of why the organisation exists. It reflects what the organisation wants to achieve and and the values to which it aspires. It is not necessarily written down and our book never mentions a “purpose statement” at all. On the other hand, mission statements, vision statements, objectives, KPIs etc etc are all artefacts of some planning process and are are likely therefore to have become distorted and contaminated by it.

        That is why, in simple English, organisations achieve their purpose by making decisions and, also why, it’s important that those making decision are clear what that purpose is. As you know, we give some useful suggestions in our book on how this clarity can be achieved.

        So Norman, you have certainly moved closer to my and Roger’s way of thinking over the last few years and we appreciate that. However, you still have a way to go to get back to the simplicity of the simple process that all humans ordinarily use for making decisions and in describing that using simple, unambiguous language that all people can understand and appreciate.

        • Norman Marks
          January 19, 2021 at 6:20 AM

          Thank you, Grant, for your comments.

          I can see that you are moving closer to my thinking: I have stressed the need, as you know, to ensure that you set the right objectives and that they should enable the achievement of purpose or mission over time.

          In your fine book, you didn’t provide an example of a Purpose statement so I did my own research. As I detail in my book and this blog, several organizations and consultants (including your former company) have a defined Purpose statement. However, it is no different in reality from the various Mission statements I have found.

          Whatever the intent, in reality organizations’ Purpose statements are no different from other organizations’ Mission statements.

          If Purpose is not documented, how can people know what it is and how can it be seen as influencing every day decisions.

          Over the more than a decade since we met in Melbourne and became friends, you have influenced my thinking – and I believe I have had some modest degree of influence on you. Both of us have progressed on our journey, sometimes in lockstep and at other times catching up with the other.

          Am I coming around to your way of thinking or am I ahead? I will leave that to other observers.

          • January 19, 2021 at 4:11 PM

            Oh Norman!

            And I thought the era of ‘alternative facts’ in the USA was coming to an end!

            I could write much pointing out where I disagree with most of what you wrote above, but what is the point? It will just bore your readers.

            Our respective books were written with different purposes in mind and, I believe, for different audiences. Roger and I wrote a book to help all those who make decisions (we call them ‘deciders’) – in fact, for all humans. We did not intend to write anything about ‘risk management’ and because our aim was to use clear and simple English and avoid confusing jargon, we avoided using the word ‘risk’ and certainly did not focus on to ‘trashing it’ – as you describe.

            Our aim was, simply, to help Deciders become more aware of the elements of the process we all use to make decision, to validate what they now do well and to show where improvement is possible.

            It was only after much thought, that we included an appendix, almost a codicil, that explained, based on our experience, the development of the ‘risk management’ cult, how it has been perpetuated and promulgated, why its foundations are fundamentally invalid and it lacks any credible scientific body of knowledge, how, in fact, it rarely improves the quality of decisions and, most importantly, how organisations might rid themselves of this millstone if it presently hangs round their necks.

            In some ways, we now both regret including that appendix because some in the ‘risk management’ and audit professions (who it might be said to have a vested interest) seem only to focus their attention on what is said in those few pages rather than on the rest of book.

            I don’t intend to say any more here or to continue this debate but I’ll end with a final note of agreement with you. Your readers should obtain copies of both books (from Amazon) and form their own opinions as to their usefulness.

  5. Richard Fowler
    January 19, 2021 at 6:58 AM

    I am fascinated by your post, Norman, as well as the discussion. From my limited experience, a related benefit of a well-formed Purpose Statement is the pride generated within the employees and management in what the company is doing. No one enjoys working for a company who’s purpose is only to make money. This also related to the McKinsey quote that suggests social goals are also important in a company’s purpose. A company that creates benefits not only for its shareholders but all stakeholders (including employees and the community) will have a greater retention rate. While rarely listed as a formal objective, this has a large impact on the success of any company.

    • Norman Marks
      January 19, 2021 at 7:14 AM

      I agree entirely, Richard. It can be inspirational. But does it affect decisions like whom to hire and whether to offer a discount to a new customer?

      Will any CFO permit 100% of profits to be spent on advancing social good? What about 20% if that means analyst expectations for profits will be dashed?

      There is a ‘risk’ with these statements as well: if management says this and then does not act accordingly, then where does it leave employees?

  6. January 20, 2021 at 4:34 AM

    Probably ought to remember that some organisations, for example charities, have their purpose written into the founding documents, which should be the start for any consideration of objectives.

  1. January 17, 2021 at 11:12 AM
  2. January 18, 2021 at 10:45 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: