The State of Risk Management

Norman Marks recently posted some thoughtful comments on the state of risk management after reading the latest Ponemon survey, “The Imperative to Raise Enterprise Risk Intelligence.”

The survey showed some expected results like the centrality of reputation and cyber risk concerns. It also found little recent progress in bridging silos between legal, IT and finance, which is needed for operational risk management to be effective. Sadly, half of the polled organizations lack a formal budget for enterprise risk management.

The Ponemon report differentiates ERM from enterprise risk intelligence by characterizing ERM as the application of rigorous and systematic analyses of organizational risks and enterprise risk intelligence as the insight needed to drive business decisions related to governance, risk and compliance.

Noting that only 43 percent of respondents said risk intelligence integrates well with the way business leaders make decisions, Marks astutely observes that we should not be surprised that ERM lacks budget. If the CEO and board don’t think risk management works, then why fund it?

Marks writes often on the need for an overhaul of ERM doctrine. I share this view. In his post on the Ponemon report, he offers eight observations, each implying a recommendation for fixing ERM. I strongly agree with six and a half of them, and would like to discuss those where I see it differently.

His points 4 and 5 are:

4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.

5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.

My interviews in recent months with boards and CEOs indicated those leaders thought almost the exact opposite. They suggested that risk managers should support business decisions by doing a better job of

  • identifying risks – more accurately, identifying unwanted outcomes (hazards, in my terminology)
  • characterizing hazards and investigating their causes, effects (and therefore severity) and relevant systems
  • quantifying risks by assessing the likelihoods for each severity range of each hazard
  • enumerating reasonable responses, actions and mitigations for those risks
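
The quantification and response steps above can be made concrete. The following is an added example, not code from the post or from any of the people it discusses: it models a hazard as a set of severity bands, each with a constructed annual probability and loss range, derives expected annual loss and a loss-exceedance probability from them, and prices a mitigation as avoided expected loss minus its cost. Every hazard name, probability and dollar figure is invented for illustration, and the uniform-within-band loss distribution is an assumption; the ordinal heat-map score is included only to show how much it discards relative to the same inputs.

```python
"""Added worked example: quantifying hazards by per-severity-band likelihoods.

All hazards, bands, probabilities and dollar figures are constructed for
illustration only; they are not data from the post or from any survey.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeverityBand:
    """One severity range of a hazard and the annual probability that the hazard
    materialises at that severity. Loss within a band is assumed to be uniformly
    distributed between loss_low and loss_high (a modelling assumption)."""
    name: str
    loss_low: float
    loss_high: float
    annual_probability: float

    def mean_loss(self) -> float:
        return (self.loss_low + self.loss_high) / 2.0


@dataclass(frozen=True)
class Hazard:
    """An unwanted outcome, characterised by mutually exclusive severity bands."""
    name: str
    bands: tuple

    def expected_annual_loss(self) -> float:
        """Sum over bands of P(band) * mean loss in band."""
        return sum(b.annual_probability * b.mean_loss() for b in self.bands)

    def exceedance_probability(self, threshold: float) -> float:
        """P(annual loss from this hazard >= threshold), uniform-in-band assumption."""
        total = 0.0
        for b in self.bands:
            if threshold <= b.loss_low:
                total += b.annual_probability  # whole band lies above the threshold
            elif threshold < b.loss_high:
                # only the fraction of the band above the threshold counts
                total += b.annual_probability * (b.loss_high - threshold) / (b.loss_high - b.loss_low)
        return total


def mitigated(hazard: Hazard, probability_factor: float) -> Hazard:
    """Copy of hazard with every band's probability scaled by probability_factor
    (e.g. 0.5 if a control is expected to halve how often the hazard occurs)."""
    return Hazard(hazard.name, tuple(
        SeverityBand(b.name, b.loss_low, b.loss_high, b.annual_probability * probability_factor)
        for b in hazard.bands))


def net_benefit(hazard: Hazard, probability_factor: float, annual_cost: float) -> float:
    """Annual value of a mitigation: avoided expected loss minus what it costs."""
    avoided = hazard.expected_annual_loss() - mitigated(hazard, probability_factor).expected_annual_loss()
    return avoided - annual_cost


def heat_map_score(likelihood_1_to_5: int, impact_1_to_5: int) -> int:
    """The ordinal product a typical heat map reports; it carries no dollar meaning."""
    return likelihood_1_to_5 * impact_1_to_5


# Constructed sample hazards (invented figures, not real loss data).
UNPATCHED_SERVER_BREACH = Hazard("breach via unpatched internet-facing server", (
    SeverityBand("minor",       10_000,    50_000, 0.30),
    SeverityBand("major",      100_000,   500_000, 0.05),
    SeverityBand("severe",   1_000_000, 5_000_000, 0.005),
))

LAPTOP_LOSS = Hazard("lost or stolen unencrypted laptop", (
    SeverityBand("minor",        1_000,     5_000, 0.50),
    SeverityBand("major",       50_000,   200_000, 0.02),
))


if __name__ == "__main__":
    for h in (UNPATCHED_SERVER_BREACH, LAPTOP_LOSS):
        print(f"{h.name}: expected annual loss ${h.expected_annual_loss():,.0f}, "
              f"P(loss >= $250k) = {h.exceedance_probability(250_000):.4f}")
    # A hypothetical patching control assumed to halve breach frequency for $10k/yr.
    print(f"net benefit of patching control: ${net_benefit(UNPATCHED_SERVER_BREACH, 0.5, 10_000):,.0f}")
    # Both hazards might land on the same heat-map cell despite a ~10x difference in expected loss.
    print(f"heat map score for both: {heat_map_score(3, 4)}")
```

The point of the last two lines is the one the post makes about heat maps: two hazards that a 1-to-5 grid places in the same cell differ here by roughly a factor of ten in expected annual loss, and only the dollar-denominated version tells a board what a mitigation is worth.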

Note that this list is rather consistent, at least in spirit, with Basel II and some of the less lofty writings on risk management.

My understanding of the desires of business leaders is that they want risk management to be deeper and better, not broader in scope. Sure, silos must be bridged, but risk management must demonstrate much more rigor in its “rigorous and systematic analysis” before ERM will be allowed to become Enterprise Decision Management.

It is clear, from ISO 31000’s definition of risk and the whole positive-risk fetish, that ERM aspires to be in the decision analysis and management business, but the board is not buying it. “Show us core competencies first,” says the board.

Thus I disagree with Norman on point 4. On point 5, I almost agree. Point 5 is not a fact, but a fact with an interpretation. Risk practitioners don’t connect with business executives. Norman suggests the reason is that risk managers talk technobabble. I suggest they too often talk gibberish. This may include technobabble if you take technobabble to mean nonsense and platitudes expressed through the misuse of technical language. CEOs aren’t mystified by heat maps; they’re embarrassed by them.

Norman seems to find risk-appetite frameworks similarly facile, so I think we agree. But concerning the “techno” in technobabble, I think boards want better and real technical info, not less technical info.

Since most of this post addresses where we differ, I’ll end by adding that Marks, along with Tim Leech and a few others, deserves praise for a tireless fight against a seemingly unstoppable but ineffectual model of enterprise risk management. Pomp, structure, and a compliance mindset do not constitute rigor; and boards and CEOs have keen detectors for baloney.


3 thoughts on “The State of Risk Management”

  1. It is time to revisit the Cost of Risk. That frequency of attack is proportional to attack surface is a proven hypothesis. Mean Time Between Failure is reasonably compiled per firm size. The magnitude of losses remains proportionate to online record counts, the fixed costs of recovery, the variable costs of recovery and the Mean Time To Repair. Quality Functional Deployment allows break-outs of losses assigned to the component parts of a loss. Thus, we actually can price the losses of leaving a system unpatched or unworking Antivirus. It is even possible in a patching queue to trade speed, reliability and staff costs against time waiting in line to patch a known vulnerability. But when will we begin paying a software vendor 15% less for delivery of known flawed code? If it was defective factory parts you would, right? It is time to leave “high”, “medium” and “low” or even risk on a non-cost-calibrated scale of 1 to 5 in the dust. How much project budget is a 4 worth to fix anyway?


  2. Achieving business objectives on any scale thrives on a balanced diet of strategic direction, clearly defined process and product/service architecture, managing change from within/out, **risk control**, and independent input, wrapped in an implementation plan so that unfavorable variation can be detected.


  3. Bill…is a board ever going to say they are happy with the level and quality of risk analysis? Of course not. They have an explicit requirement to ensure a risk management framework is effective as part of their corporate governance responsibilities. It is not in their interests to ever say privately they are satisfied. Hence for the last 30 plus years we have had surveys repeating the same thing over and over again…and consultants using them to start a sales conversation, over and over again. The aspect that is interesting to me is that such apparent unhappiness by boards with the quality of risk analysis never ever spills over to them concluding their risk mgt frameworks are ineffective in any way, with this then being highlighted in their annual report (as is the case here in Australia and Malaysia where organisations are encouraged to comment on their risk mgt frameworks…I wonder why?). The other interesting thing is that boards have the power and clout to get better risk analysis but they choose not to? All part of the entire corporate governance myth around risk mgt. In regards to the Marks comments, all that is really being said in my view is that we do risk analysis to assist decision making to achieve business objectives. Somewhere along the line the context step in the RM process got forgotten about with the fixation on coming up with a list of risks to fill up a risk register, instead of really understanding why in the first place we are doing this risk analysis, which is to support decision making in relation to objectives, and which by the way does not happen according to when a Risk Committee meets but is happening all the time in an organisation. Better risk analysis at the point decisions are made in regard to objectives is not something any risk practitioner (let alone Marks) would ever disagree with, I think.
Doing risk analysis for the sake of doing it to fill up a risk register so that there is something to report to a Risk Committee on a quarterly basis…that is something I am sure you would agree no one should support. But it goes on all over the world, because formal risk mgt (as typically defined by risk registers, reports and Risk Committees) has become nothing more than a convenient way for directors to quickly and conveniently say they have met their RM Corporate Governance responsibilities. The big issue for me here is the lack of real substance behind why and how organisations have been allowed to treat the meeting of their RM CG responsibilities in such a superficial way. But is it in anyone’s interest to address this? Probably not, as is proven by why formal risk mgt remains in the state it is in today. Rgs Glenn

