At the risk of sounding controversial, we believe risk managers sometimes need to take responsibility for providing an independent risk analysis that is not based on the information supplied by management. Although rare, there may be situations where the manager approving the project or making a decision has significant conflicts of interest, or where fraud is suspected.
Risk managers need to establish risk analysis methodologies that limit reliance on management information and internal data, which may be tampered with. Risk analysis should be based on industry data, statistical information, verifiable data, reliable external providers and similar sources.
Risk managers should also use communication channels that allow presentation of an alternative point of view to management. While the goal should be working with the business and providing the necessary support to make risk-based decisions, sometimes risk managers need to play the role of a policeman.
As a result, risk managers may be required to defend their position at executive meetings, propose risk mitigation actions and even take responsibility for some of the risk mitigation. As someone who had to do it almost on a weekly basis, we can tell you it takes a lot of courage and bulletproof risk management methodologies. It’s difficult, but it’s the only way to become an equal participant in decision making and not just an observer.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
☐ Discuss with senior management the need for an alternative / opposing point of view on certain business decisions
☐ Consider having veto power for risk managers on certain types of business decisions
☐ Develop risk analysis methodologies that do not heavily rely on management information
☐ Establish an independent escalation channel to raise issues if management is ignoring risks
USEFUL VIDEOS
https://www.youtube.com/watch?v=r0ZDQZsTdXg