Norman’s list of top (downside) risks

Everybody seems to be sharing their list of top risks with potentially significant negative effects on the organization.

Of course, every organization should determine what are its greatest sources of downside risk to the achievement of its own objectives, given its unique facts and circumstances.

Blindly following someone else’s list is a risk in itself.

But these lists are food for thought. Here is my list of 15 things to consider. (Of course there are more.) It’s nothing like the other lists I have seen!

In fact, I would suggest that they are usually not included in either the CRO’s or the CAE’s list of top risks.

These are not necessarily in order of their significance. That’s for each enterprise to decide.

  • Cash and cash flow. Cash is king, but if you don’t have the liquidity to be agile, you will become a pauper.
  • Selfish executives, very often including the CEO, who put their interests ahead of the team and the organization.
  • A failure to innovate. (Such as with products and services, technology adoption, and so many more areas.)
  • Poor quality product development, production, and management.
  • Inattention to customers and their feedback.
  • An unwillingness to take risks. It’s often more dangerous than taking too many.
  • Poor decision-making processes.
  • Decision-makers who know it all and don’t listen.
  • Unreliable, incomplete, or untimely information.
  • Stale technology and infrastructure.
  • A lack of loyalty to employees. (An example is fast and across-the-board layoffs, with slow training and staff development. Another is unwillingness to pay performing individuals.)
  • Poor teamwork.
  • Human Resources inhibiting the hiring of the people you need to excel.
  • A blindness to reality, both to the current situation and to what lies ahead.
  • A board that is dominated by the CEO.

What do you think of them?

What would you change, delete, or add?

  1. Anonymous
    April 29, 2024 at 10:06 AM

    I usually treat lists like this as biased and therefore read them bottom up.

    Also these are the ‘Known Risks’. The ‘Unknown Risks’ are more important.

    • Norman Marks
      April 29, 2024 at 11:33 AM

      Can you explain what that means and its practical benefits use?

  2. rhsturgeon17a67364ab
    April 29, 2024 at 11:27 AM

    Great article Norman. I’m relatively new to your work and I’m curious what you mean with “downside” risks?

    • Norman Marks
      April 29, 2024 at 11:32 AM

      Good question. Per the global risk management standard, ISO 31000, risk is the effect of uncertainty on objectives. That means, and CISO ERM agrees, risk can be positive as well as negative. I try to make it clear what I am talking about.

      • rhsturgeon17a67364ab
        April 29, 2024 at 11:57 AM

        Thanks Norman…I haven’t heard it distinguished in that way.

  3. David Griffiths
    April 29, 2024 at 1:00 PM

    I would add: information which is irrelevant, incomplete, inaccurate and not used.

    • Norman Marks
      April 29, 2024 at 1:23 PM

      Yes. Could modify my point on information

  4. Anonymous
    April 29, 2024 at 9:38 PM

    believing your own BS/propaganda

  5. Anonymous
    April 30, 2024 at 12:12 AM

    I would leave out poor management. It’s too much of a container concept whereas the specific risks are already in the list (neglect of staff, self interest, poor decision making, blindness to reality, etc.)
    My experience is that using this kind of phrasing does not help to pinpoint specific threats and design the right mitigation strategy.
    (Wim Schreuder)

    • Norman Marks
      April 30, 2024 at 6:30 AM

      I hear you, but we need to be aware that poor leadership sinks every ship.

  6. Anonymous
    April 30, 2024 at 3:03 AM

    Non compliance with statutory/regulatory issues

    • Norman Marks
      April 30, 2024 at 6:30 AM

      I thought about that, but it rarely causes the ship to sink.

  7. Anonymous
    May 2, 2024 at 3:16 PM

    Refreshing that not many risks on the list appear in the typical lists published out there e.g. cyber, climate change, regulatory etc…. Norman, many of the risks on your list are internal in nature to the organization and to a large extent within their control compared to those with external sources where you really only control the extent of the impacts and your ability to respond quickly.

    • Norman Marks
      May 2, 2024 at 3:27 PM

      That is true – although the ability to respond to what happens outside is 100% dependent on your people and systems.
