It’s puzzling, isn’t it? Risk management, a field that has been formalized and standardized in non-financial companies since the 1990s and accepted widely by 2009 with the publication of ISO31000, somehow doesn’t seem to make the seismic shifts we anticipated. As I leaf through articles in Forbes, I find more “risk management has failed again” than “success” stories.
Risk managers worldwide have been scratching their heads over the issue. Every risk management conference, every risk survey, and many academic studies and working groups have tried to identify the barriers to risk management effectiveness. But the irony is stark: the conclusions drawn often skim the surface, leaving the root causes untouched. So, what’s going wrong?
In my eyes, the answer is clear, albeit a bit harsh: risk managers must be really bad at the basic skill of root cause analysis. Now, before you argue, let’s dig a little deeper.
Year after year, common culprits are identified for the pitiful performance of risk management: lack of integration, poor application, need for staff education – the list goes on. However, these reasons seem more like red herrings, distractions from the real issues at hand.
Instead, I argue that the root cause is the fundamental flaws in the design of risk management itself. Let’s take the most popular example – the concept of ERM. It’s not that our staff need better education or that somehow we are implementing it wrong. ERM is flawed by design. It is nonsense to even attempt to implement ERM across the organisation. Here is a challenge: write any ERM principle in the comments below and I will explain how it is flawed and what a better alternative is. There are many practical and useful risk management ideas under the umbrella of ERM, but the way these ideas are brought together and packaged as ERM is just bad business.
What about the next favourite, qualitative risk assessments – a cornerstone of current risk management practices? They’re often disregarded, not because employees lack the knowledge to comprehend them, but because they’re inherently misleading. Decision makers ignore risk managers and their risk workshops not because they are evil, but because they see right through the flaws in the methodology and realise what a waste of time it is. Risk workshops are meant to uncover hidden threats but are often just echo chambers, where loud voices dominate and real risks are overlooked.
Another red flag? Risk appetite statements. They’re pretty on paper, but in practice they’re vague, subject to interpretation, and rarely tied to actual business decisions, because the risk appetite for existing business decisions is already documented in completely different places.
Even the risk reports themselves are part of the problem. Lengthy, risk-centric, and disconnected from decisions or performance, they are more likely to confuse than inform. They end up buried in the inboxes of executives, who have little time to decode them.
Flawed by design, effective ERM is an oxymoron.
So, where does this leave us? It seems clear that there’s a fundamental issue with the way we approach risk management. It’s not about patching holes or making minor adjustments; it’s about revisiting the drawing board. Making a better risk appetite statement or better heatmap is like rearranging the deck chairs on the Titanic.
If you’re a risk manager, this might be tough to hear. But I believe it’s a necessary reality check. We need to acknowledge the inherent issues within our current risk management models before we can make meaningful progress.
What do you think? Are we missing the mark on the root cause of risk management’s limited effectiveness? I’d love to hear your thoughts.