Why are risk managers so bad at root cause analysis?

It’s puzzling, isn’t it? Risk management, a field that has been formalized and standardized in non-financial companies since the 1990s and accepted widely by 2009 with the publication of ISO31000, somehow doesn’t seem to make the seismic shifts we anticipated. As I leaf through articles in Forbes, I find more “risk management has failed again” than “success” stories.

Risk managers worldwide have been scratching their heads over the issue. Every risk management conference, every risk survey, many academic studies and working groups tried to identify the barriers to risk management effectiveness. But the irony is stark; the conclusions drawn often seem to be skimming the surface, leaving the root causes untouched. So, what’s going wrong?

In my eyes, the answer is clear, albeit a bit harsh: risk managers must be really bad at the basic skill of root cause analysis. Now, before you argue, let’s dig a little deeper.

Year after year, common culprits are identified for the pitiful performance of risk management: lack of integration, poor application, need for staff education – the list goes on. However, these reasons seem more like red herrings, distractions from the real issues at hand.

Instead, I argue that the root cause is the fundamental flaws in the design of risk management itself. Let’s take the most popular example – the concept of ERM. It’s not that our staff need better education or that somehow we are implementing it wrong. ERM is flawed by design. It is nonsense to even attempt to implement ERM across the organisation. Here is a challenge, write any ERM principle in the comments below and I will explain how it is flawed and what’s a better alternative. There are many practical and useful risk management ideas under the umbrella of ERM but the way these ideas are brought together and packaged as ERM is just bad business.

What about the next favourite, qualitative risk assessments – a cornerstone of current risk management practices. They’re often disregarded, not because employees lack the knowledge to comprehend them, but because they’re inherently misleading. Decision makers ignore risk managers with their risk workshops not because they are evil, they see right through the flaws in the methodology to realise what a waste of time that is. Risk workshops meant to uncover hidden threats but are often just echo chambers, where loud voices dominate and real risks are overlooked.

Another red flag? Risk appetite statements. They’re pretty on paper, but in practice, they’re vague, subject to interpretation, and rarely tied to actual business decisions. Because risk appetites for existing business decisions are already documented in completely different places.

Even the risk reporting system is part of the problem. Lengthy, risk-centric, disconnected from decisions or performance, they are more likely to confuse than inform. They end up buried in the inboxes of executives, who have little time to decode them.

Flawed by design, effective ERM is an oxymoron.

So, where does this leave us? It seems clear that there’s a fundamental issue with the way we approach risk management. It’s not about patching holes or making minor adjustments; it’s about revisiting the drawing board. Making a better risk appetite statement or better heatmap is like rearranging the deck chairs on the Titanic.

If you’re a risk manager, this might be tough to hear. But I believe it’s a necessary reality check. We need to acknowledge the inherent issues within our current risk management models before we can make meaningful progress.

What do you think? Are we missing the mark on the root cause of risk management’s limited effectiveness? I’d love to hear your thoughts.


4 thoughts on “Why are risk managers so bad at root cause analysis?

  1. I have a little knowledge about this field till now but as per my openion Actuaries are mostly suited for the risk management role.They are highly profecient in mathematical and statistical skillsets along with business knowledge.They have highly skilled knowledge of future risk forecasting with implementing various modelling skills like ALM(Specially Liability side),stress testing,scenario analysis and proper pricing of complex financial derivatives product.

  2. Other than the Ishikawa, what if analysis and the 5 Whys approaches to root cause analysis; there is not much to guide risk managers on the step by step process for root cause identification. True root cause analysis requires investigative thorough process/design reviews which can be time consuming, expensive and sometimes inconclusive.

    Root-cause cannot be standardized because it is required on a diverse and sometimes complex processes and risk managers are expected to have infinite knowledge on all issues which is not practical (For example, root cause for power supply disruption versus root cause on system scripting error or specialized equipment failure etc. would require knowledge on electrical engineering, software development and equipment specific knowledge). This leads to the question; who should manage risk, the risk owner or the risk manager.

    If the risk owner is able to identify and remediate his/her risks, root cause analysis will most likely be done by someone that has knowledge and expertise on the incident and thus, will save time and money as well as offer effective solutions. This seldom happens as risk owners are reluctant to flag their own issues in fear of being blamed while others ask what risk managers will be doing if they start doing the risk managers job.

    There is a lot of improvement required for root-cause analysis improvement and this will only happen if the risk based approach is effective, risk culture is matured and there is efficiency in the risk management processes.

    1. Your comment is valid but seems to be missing the whole point of the article. Hint, the article is not about root cause, it is just an analogy

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.