
Are you too risk-averse?

February 15, 2021

In a recent article, my good friend Jim Deloach asks a very interesting question:

How many senior executives and directors can name a chief risk officer who has advised them that the organization is too risk averse?


The title of the article is an odd one, which I will discuss before venturing into the body of his thinking. It is “Is Your Risk Culture Aligned With the Realities of the Digital Age?”

“Risk culture” is a term that has crept into use over the last few years, but it is unclear to me what its purpose and value are.

Jim (wisely) doesn’t define it in this article, but others have:

  • “The norms of behavior for individuals and groups within an organization that determine the collective ability to identify and understand, openly discuss and act on the organization’s current and future risks” (McKinsey)
  • “Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees.” (North Carolina State’s ERM Initiative)
  • “The values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose” (Institute of Risk Management)

Dr. David Hillson (a.k.a. the Risk Doctor) has an interesting discussion of risk culture on the PMI website: The A-B-C of risk culture: how to be risk-mature.

I have written several posts on culture generally and risk culture in particular. You can use the search box at the top right to find them.

The general point in my various blog posts is that an organization’s culture has many, often competing, dimensions. While you want decision-makers to exercise caution when needed, they also need to be entrepreneurial when that is appropriate. You want imagination and creativity, not simply awareness of, and trepidation about, what bad stuff might happen.

In addition, you don’t want everybody in the organization to have the same attitude towards taking risk. You want sales, marketing, and product design to think one way, and accountants and treasury staff to think another.

So, I hesitate to talk about “risk culture”; instead, we can either talk about organizational culture (with all its complexities) or whether the key decision-makers are making informed and intelligent decisions that involve (as they all do) taking risk to seize opportunities.


Jim gets it totally right when he says:

The ground rules for risk and reward are well known. These rules hold that one must take risks to grow, and typically, the more risk one takes, the higher the potential return. They also suggest that a risk-averse mindset often leads to a lower return. These canonical laws have been embedded in business and finance since before any of us were born.

He also makes a point that I have been making for a few years:

Given the pace of change in the digital economy, the realities are such that it’s not just a matter of taking risk to grow or generate greater returns, it’s also a matter of survival. Bottom line: Organizations must undertake more risk than they may be accustomed to taking if they are going to survive. Refusal to take risk means accepting the risk of growing stale and becoming irrelevant. This is no time to be comfortable with the status quo.

Jim has a very interesting couple of tables that contrast a “traditional view” of risk-taking to one that is “fit for the digital age”. He explains that we need to move “from a fragmented, siloed model focused narrowly on myriad risks to an enterprisewide approach focused on the most critical enterprise risks and integrated with strategy setting and performance management”.

There are a number of excellent points in the tables, which I encourage everybody not only to read but also to reflect on the depth of meaning behind each of them. For example, he suggests that today we need to:

  • Move from avoiding or mitigating risks to taking them within limits – something I have written about in these pages
  • Maximize the upside while managing the downside. In other words, take the right level of the right risks; don’t just try to manage and mitigate them out of the context of what you are trying to achieve
  • Be proactive and agile
  • Do all of this continuously, not periodically
  • Move away from managing a list of risks and towards managing outcomes
  • Ensure an acceptable likelihood of success (although he still, sadly, frames this in terms of risk appetite)
  • Leave heat maps behind in favor of Monte Carlo, scenario (what-if) analysis, and other techniques
  • Integrate all our thinking and actions around achieving our objectives as an organization
  • Ensure decision-making is high velocity and high quality

Another point he makes refers to cyber and why it should not be assessed in isolation:

…an overly cautious approach that eliminates too much risk might limit or delay innovation opportunities that offer significant upside. Therefore, managing cyber and privacy risk in isolation may not be in the best interests of the business. If a company is evaluating whether to apply digital technologies to enhance its processes, launch a new product or service or differentiate customer experiences, it also needs to consider how much exposure to cyber and privacy risk it is willing to accept.

In the digital age, risk management must help leaders make the best bets from a risk/reward standpoint that have the greatest potential for creating enterprise value. This means that the creation and protection of enterprise value in the digital age depend on the organization’s ability to pursue compensated risks and opportunities successfully and either avoid or transfer uncompensated risks or reduce them to an acceptable level. A risk-informed approach fit for the digital age is one that is strategic in considering the impact of risk on strategy and performance; balanced in evaluating both opportunity and risk; integrated with strategy setting, planning and business execution; and customized, reflecting organizational business needs, expectations and cultural attributes.

His final points echo much of what I have been saying here and in my books. (That is not to say that he is simply following my thinking; he is a highly intelligent individual and independent thought leader, recognized as such by boards and professional associations for his many contributions – see his profile at the end of the piece. I am pleased to see us aligned on many fronts today.)

He says this very well indeed – note especially the highlighted portions:

In the digital economy, risk management must contribute to reshaping strategy in advance of disruptive change. Integrating more sophisticated quantification and monitoring capabilities into the day-to-day activities of the business in executing the strategy and focusing on the risks and opportunities that matter can help management frame a composite risk profile fit for the digital age and provide more granular information on key aspects of the strategy as well as costs and benefits expected from alternative scenarios.

In the digital age, it is all about maximizing the upside while managing the downside, thus fitting the profile of companies best positioned to compete, thrive and win with an obsessive focus on growth and improving the customer experience. If the organization does not advance its digital maturity, another risk arises. We call it “digital risk,” or the risk of choosing not to get uncomfortable in the digital age. Accordingly, a traditional approach to risk management might be the biggest risk that an organization faces when it seeks to grow and defend share against new entrants.

In the digital age, becoming a leader entails revisiting risk mitigation strategies with an eye toward accepting more risk and exploiting the upside potential of market opportunities. For example, rather than merely mitigating risks to the execution of the strategy, companies should also use scenario analysis (Monte Carlo and/or “what if” analysis) to assess the impact on the achievement of strategic objectives and desired corporate risk profile of alternative scenarios. This analysis contributes to a more robust strategic decision-making process.


Wrapping this up:

  • The traditional ERM practice of a periodic list of risks has little value beyond compliance.
  • It is far better to ensure your decision-makers are able to weigh all the things that might happen, both the pros and the cons, and make an informed and intelligent business decision.
  • These times require agility in the support of fast decision-making, recognizing that fear can easily prevent success.
  • Move from doom to success management.
  • Don’t be afraid to tell decision-makers and management in general when they are being too risk averse. That is part of your job.

I welcome your thoughts.

  1. February 16, 2021 at 3:57 AM

    I am proud to state, that in my days as head of the LEGO Group strategic risk management, I did exactly that – advising the C-suite to take on more risks.

    I have been allowed to tell the story, so here it goes:
    – We did (and I expect, still do) have a board-approved risk tolerance statement stating that consolidated losses compared to planned profits may not exceed X with a likelihood of more than Y%. (X and Y are confidential, and probably also changed by now.) This told us what was acceptable, and beyond that was not.
    – We did use data-based analytics, ranges and Monte Carlo simulation to calculate the risk exposure vis-à-vis the risk tolerance.
    – We found ourselves in a situation where we were tracking behind on one of the company’s key performance metrics, and at the same time, we were nowhere near exploiting the defined risk tolerance. Real life was more risk averse than it needed to be.

    Based on that, I wrote a memo to the C-suite outlining this, stating something like “Guys, we are tracking behind on this metric, and yet we are cruising at low speed on our risk exposure. I suggest we take on more risks to catch up on performance. Our risk tolerance allows us to do so”. Then I suggested some measures which could be taken.

    Responses from the C-suite:
    CEO: Literally and within the hour “Thank you. Interesting thought, but it’s not that easy”
    CFO: Longer mail with a more in-depth rationale with the same message
    CMO: Keep it coming, I love it (but then again, he was the one to take on more risks)
    COO: No direct response, yet it was out of his “turf” anyway
    Actual action: A little here and there, yet eventually, we met the target

    Intelligent risk taking is about taking risks, not about avoiding everything and anything.

    • Norman Marks
      February 16, 2021 at 6:25 AM

      Thank you for sharing, Hans.
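The procedure the comment above describes (a tolerance of the form “consolidated losses compared to planned profits may not exceed X with a likelihood of more than Y%”, checked against a Monte Carlo simulation of the risk exposure) can be made concrete in a few dozen lines. The following Python is an added example and is not code from the post, the commenter or the LEGO Group; the risk portfolio, probabilities and loss ranges are constructed for illustration, and losses are expressed as a fraction of planned profit. The headroom figure is what makes the “we are cruising at low speed on our risk exposure” conversation possible: a positive headroom means the loss distribution sits comfortably inside the tolerance.

```python
import random
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Risk:
    """One risk scenario; impacts are expressed as a fraction of planned profit."""
    name: str
    probability: float   # chance the event occurs within the planning period
    low: float           # minimum loss if it occurs
    mode: float          # most likely loss if it occurs
    high: float          # maximum loss if it occurs


# Constructed illustrative portfolio: made-up numbers, not any company's data.
PORTFOLIO: List[Risk] = [
    Risk("supply disruption", 0.30, 0.02, 0.05, 0.15),
    Risk("key product underperforms", 0.20, 0.05, 0.10, 0.25),
    Risk("cyber incident", 0.10, 0.01, 0.04, 0.20),
]


def simulate_losses(risks: Sequence[Risk], trials: int = 20_000, seed: int = 7) -> List[float]:
    """Monte Carlo: for each trial, roll every risk and sum the losses that occur."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(trials):
        total = 0.0
        for r in risks:
            if rng.random() < r.probability:
                # random.triangular takes (low, high, mode)
                total += rng.triangular(r.low, r.high, r.mode)
        losses.append(total)
    return losses


def exceedance_probability(losses: Sequence[float], threshold: float) -> float:
    """Share of trials in which the total loss exceeded the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def loss_at_confidence(losses: Sequence[float], confidence: float) -> float:
    """Loss level not exceeded in `confidence` share of trials (empirical quantile)."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, int(confidence * len(ordered)))
    return ordered[index]


def assess_tolerance(losses: Sequence[float], x: float, y: float) -> dict:
    """Compare the simulated loss distribution with a tolerance of the form
    'losses may not exceed X (fraction of planned profit) with probability greater than Y'.
    headroom > 0: the (1 - Y) loss quantile sits below X, i.e. the organisation is running
    below its tolerance and has room to take more risk; headroom < 0: over tolerance."""
    p_exceed = exceedance_probability(losses, x)
    quantile = loss_at_confidence(losses, 1.0 - y)
    return {
        "p_exceed": p_exceed,
        "within_tolerance": p_exceed <= y,
        "headroom": x - quantile,
    }


if __name__ == "__main__":
    sim = simulate_losses(PORTFOLIO)
    result = assess_tolerance(sim, x=0.20, y=0.05)
    print(f"P(loss > 20% of planned profit) = {result['p_exceed']:.3f}")
    print(f"within tolerance: {result['within_tolerance']}, headroom: {result['headroom']:+.3f}")
```

The triangular distributions and independent events are deliberately simple; a real model would add correlations between risks and calibrate the ranges from data, but the comparison at the end (exceedance probability against Y, loss quantile against X) is the same regardless of how the distribution is built.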

  2. GSosbee
    February 21, 2021 at 8:02 AM

    Everything in your “Wrapping this up” is spot-on except the first bullet point – “The traditional ERM practice of a periodic list of risks has little value beyond compliance.” Any program that views ERM as a periodic list of risks isn’t practicing risk management in an ERM environment, as ERM is a dynamic view of options on how to deal with uncertainty involving organizational assets.
