Tag Archives: alexei sidorenko

Building a Risk Culture Is Simple–Really

Yes, building risk culture is easy! Before I explain, let me first clear up a few weird misconceptions about risk culture that have been floating around in non-financial companies:

Making decisions under uncertainty is not natural for humans.

Back in the 1970s, scientists had a breakthrough in understanding how the human brain works, what influences our decisions, how cognitive biases affect our perception of the world and so on. Daniel Kahneman shared the 2002 Nobel prize in economics with Vernon Smith; Kahneman's half was awarded “for having integrated insights from psychological research into economic science, especially concerning human judgment and decision-making under uncertainty.” I am amazed how many risk managers and consultants continue to simply ignore this research. Identifying, analyzing and dealing with risks is against human nature. Stop kidding yourself. The sooner we, as a professional community, accept this, the easier it will be to integrate risk management into decision making.

Managers do not take risks into account by default.

One of the biggest deceptions floated around is that most business processes already take into account risks and that decisions are made by management after careful consideration of risks. Not so. Naturally, managers do consider some of the more obvious risks, and there are exceptional cases where risk analysis is already integrated into the decision making. For the other 95% of the companies, existing processes and management tools ignore or purposefully hide significant risks. I bet that if risk managers, instead of running useless risk workshops, had a deep hard look, they would soon discover that budgets are overly optimistic, project plans are unrealistic and some corporate objectives are borderline naïve. Of course, the rest of the company is fine with how things are and will do everything to stop risk managers from getting involved.


Making risk management everyone’s responsibility is just wishful thinking.

I don’t quite understand why, but there seems to be an idea that strong, robust, risk-aware culture is the ultimate objective. It sounds great, but it is physically impossible. And this is why I think so many risk managers have failed and so many more are struggling to make an impact. They are trying to move the rock that is not meant to be moved. This is probably the most important point of this article:

The only person in the company who thinks strong risk culture is a positive thing is the risk manager. The rest of the organization sees risk management as a direct threat to their personal interests, their income and their position in the corporate world.

Let me repeat: Most managers ignore risks and take uncalculated risks for a reason.

But not all managers and not all the time. And that’s where the risk manager comes in, trying to change the culture of CERTAIN individuals SOME of the time.

Risk management culture is not about hearts and minds.

By now, after reading everything I tried to communicate above, I hope you realize that management doesn’t care about risk culture. I mean they will still say the right words when the risk manager is present, but deep down nobody will care. The only chance for risk culture to stick is if it makes business sense for the individuals. And I don’t mean soft things like transparency, corporate governance and other nonsense, I mean direct impact on the bottom line or the personal security of an individual. The best examples of managers suddenly becoming very risk-aware were when I was able to show that by better managing risks individuals could protect their role, avoid prosecution, have a better business case for investors, save on insurance, save on financing costs or get higher bonuses.

And yet….  

And yet despite everything I said above, building risk culture is a piece of cake. Risk managers just have to realize that they won’t be able to convert everyone and that some people are beyond help. There is also no single solution that will do the job. It’s all about finding what makes each individual tick. It’s time-consuming, yes, but not difficult at all. Hence it can be equally applied by large corporations and small and medium-sized businesses.

Here are some practical ideas (make sure you click on the links in the article; each one leads to a short video explanation) to get you started:

  • Develop high-level risk management policy – It is generally considered a good idea to document an organization’s attitude and commitment to risk management in a high-level document, such as a risk management policy. The policy should describe the general attitude of the company toward risks, risk management principles, roles and responsibilities and risk management infrastructure, as well as resources and processes dedicated to risk management. Section 4.3.2 of the ISO31000:2009 also provides guidance on risk management policy.
  • Integrate risk appetites for different risk types into existing board-level documents; don’t create separate risk appetite statements.
  • Regularly include risk items on the board’s agenda
  • Consider establishing a separate risk management committee at the executive level or extend the mandate of the existing management committee – this worked like a miracle for me personally
  • Reinforce a “no blame” culture, so that people are willing to disclose and account for risks
  • Include risk management roles and responsibilities in existing job descriptions, policies and procedures and committee charters, not in a risk management framework document
  • Update existing policies and procedures to include aspects of risk management
  • Review and update remuneration policies
  • Provide risk awareness training regularly
  • Use risk management games
  • And, most importantly, get personally involved in business activities.


How to ‘Gamify’ Risk Management

In 2014, I collaborated with EY to develop Russia’s first risk management business game. It was great fun, and as a result we created a pretty sophisticated business simulation.

Participants were split into teams of 10, each person receiving a game card that describes a role (CEO, CFO, risk manager, internal auditor, etc.). At the start of the game, teams must choose one of four industry sectors (telecom, oil and gas, energy or retail) and name their company. The game consists of four rounds, in each of which teams must make risk-based decisions. Each decision has a cost associated with it and a number of possible outcomes. Teams must analyze and document the risks inherent in each decision they make. The riskier the decision, the higher the probability of an adverse outcome. At the end of each round, a computer simulation model chooses a scenario, and the outcome is announced to each team.


The aim of the game is to increase the company valuation by properly weighing risks and making balanced business decisions. The winning team is the one that increased its company’s value the most after four rounds.

This game was successfully played by participants at two risk management conferences as well as postgraduate students at the Moscow Institute of Physics and Technology.


More information about the first game is available here. Let me know if your company is interested in sponsoring the translation and running the game in English.

Risk management business game 2015

In 2015, I started working with Palisade to develop something a little different.

Just like in the previous version of the game, the participants were split up into teams of 10. However, the game mechanics have changed substantially. Each player still receives a card describing a role, but this time the card provides a complete history of the character’s role within the company and assigns each player a unique secret mission.


The aim of the game is to successfully complete a merger between a large holding company and an innovative startup. The game, as before, consists of four rounds. The first round involves performing a risk assessment of the target company. Each team must identify 10 significant risks using only the information provided on the cards.

The second, third and fourth rounds are dedicated to the management of these risks. Each identified risk has between 5 and 10 possible mitigation strategies that can be selected by the team. Each team has a limited budget dedicated to risk mitigation, and each mitigation action has a cost.

The effects of each mitigation action selected by the teams were modeled using Palisade's @RISK to determine whether it increases or decreases the value of the target company. The winning team is the one that increases the value of the target company more than the others and is then able to complete the merger.

More information is available here. Let me know if your company is interested in sponsoring the translation and running the game in English.

Risk management business game 2015 (online version)

With the help of eNano, we went even further and produced an interactive risk management business game (only available in Russian). This game combined an e-learning course and an interactive business simulator.


Each participant takes on the role of general manager of one of three innovative companies. They then receive tasks that need to be completed throughout the e-learning course:

  • First, each participant needs to conduct interviews with all colleagues to identify and document risks;
  • Then they need to evaluate the risks using the information presented. Note that, just like in the real world, most of the information presented is biased;
  • Then they need to make difficult decisions relating to risk mitigation given a limited budget;
  • During the last step, participants need to develop an action plan designed to improve risk culture.

All of these steps increase or decrease the company valuation. You can find out more about this course here.

Risk management game 2016

This game is the result of collaboration among Risk-academy, Palisade, Institute for Strategic Risk Analysis (ISAR) and Deloitte. Together we have created an amazing business game to teach non-financial management and staff how to perform risk modeling on day-to-day management decisions.


Participants play the management team of an aircraft engine manufacturing company. Each team has prepared a business case for a multimillion-dollar plant modernization. Unfortunately, the project plan has just been rejected by the board, so teams only have a couple of hours to conduct an in-depth risk analysis and present an updated business case to the board.


The game is focused on risk modeling, requiring participants to identify and validate management assumptions, identify relevant risks, establish ranges and select possible distributions for each assumption, perform Monte Carlo simulation using Palisade's @RISK and present the final results. All this has to be performed in limited time and with incomplete information… just like in real life. And just to add a little bit of drama, like in real life participants have to deal with unexpected “black swans” during the game.

The aim of the game is to prepare a risk analysis for a multimillion-dollar plant modernization investment project. The team with the highest risk-adjusted rate of return wins.
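The steps the game asks teams to perform (validate each management assumption, replace its point value with a range and a distribution, simulate, then present risk-adjusted figures instead of a single number) can be reproduced without a spreadsheet add-in. The following is an added example written for this page; it is not the game's own @RISK model and not Palisade code. Every number in it (capex, savings, delay ranges, the 5% “black swan” supplier-failure shock, the 10% discount rate and 12% hurdle rate) is constructed for illustration, and the names `Assumption`, `simulate` and `BASE_CASE` are mine.

```python
"""Monte Carlo risk model for a plant-modernization business case.

Added example (not Palisade @RISK and not the game's own model). The same
steps the game asks teams to perform, in plain Python: (1) write each
management assumption as a range rather than a point value, (2) pick a
distribution for it, (3) simulate, (4) report risk-adjusted figures.
All numbers below are constructed for illustration only.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Assumption:
    """A management assumption as a low / most-likely / high range, sampled from
    a triangular distribution (a common choice when only expert ranges exist)."""
    name: str
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode); a zero-width range returns low.
        return rng.triangular(self.low, self.high, self.mode)


def npv(cashflows, rate):
    """Net present value of cashflows indexed by year (year 0 is undiscounted)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows, lo=-0.99, hi=10.0, iters=60):
    """Internal rate of return by bisection; None if NPV never changes sign."""
    f_lo, f_hi = npv(cashflows, lo), npv(cashflows, hi)
    if f_lo * f_hi > 0:
        return None
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        f_mid = npv(cashflows, mid)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def project_cashflows(capex, annual_saving, delay_months, horizon_years):
    """Year-0 capex, then yearly savings pro-rated for the commissioning delay."""
    flows = [-capex]
    for year in range(1, horizon_years + 1):
        # fraction of this year during which the modernized plant is running
        running = min(1.0, max(0.0, year - delay_months / 12.0))
        flows.append(annual_saving * running)
    return flows


def simulate(assumptions, horizon_years=7, discount_rate=0.10, hurdle_rate=0.12,
             shock_probability=0.05, shock_capex_multiplier=1.3,
             runs=5_000, seed=1):
    """Run the Monte Carlo model and return risk-adjusted summary figures.

    shock_probability plays the game's 'black swan': a rare event (constructed
    here as a key supplier failing) that inflates capex in that run.
    """
    rng = random.Random(seed)
    npvs, irrs = [], []
    for _ in range(runs):
        capex = assumptions["capex"].sample(rng)
        if rng.random() < shock_probability:
            capex *= shock_capex_multiplier
        flows = project_cashflows(
            capex,
            assumptions["annual_saving"].sample(rng),
            assumptions["delay_months"].sample(rng),
            horizon_years,
        )
        npvs.append(npv(flows, discount_rate))
        r = irr(flows)
        irrs.append(r if r is not None else -1.0)  # project never pays back
    q = statistics.quantiles(npvs, n=10)  # nine cut points: P10 .. P90
    return {
        "mean_npv": statistics.fmean(npvs),
        "p10_npv": q[0],
        "p50_npv": q[4],
        "p90_npv": q[8],
        "prob_loss": sum(v < 0 for v in npvs) / runs,
        "prob_below_hurdle": sum(r < hurdle_rate for r in irrs) / runs,
    }


# Constructed assumptions in USD millions / months (not figures from the game).
BASE_CASE = {
    "capex": Assumption("capex (USD m)", 45.0, 50.0, 70.0),
    "annual_saving": Assumption("annual saving (USD m)", 8.0, 12.0, 14.0),
    "delay_months": Assumption("commissioning delay (months)", 0.0, 3.0, 18.0),
}

if __name__ == "__main__":
    # The 'business case as submitted': every assumption at its most-likely value.
    point_estimate = npv(project_cashflows(50.0, 12.0, 0.0, 7), 0.10)
    print(f"point-estimate NPV: {point_estimate:.2f}")
    for key, value in simulate(BASE_CASE).items():
        print(f"{key:>18}: {value:.3f}")
```

The point estimate uses the most-likely value of every assumption and comes out positive; the simulation instead reports P10/P50/P90 NPV, the share of runs that lose money and the share that miss the hurdle rate. Because the capex and delay ranges are skewed towards the bad side, the distribution of outcomes is noticeably worse than the single number suggests, which is exactly the gap the game makes teams present to the board. Triangular distributions are used because they need only the three values an expert can usually defend; swap in lognormal or empirical distributions once real data exists.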

This game has also become one of the modules in the risk management training run by ISAR; more information is available here.

Due to lots of positive comments, the latest risk modeling game is now available in English here.

What’s next?

The latest game was both hard and entertaining, so we began talks with our partners to turn it into an online risk quantification championship. The games will require online registration, have downloadable content and require proper risk modeling. Championships will run once a quarter, and winners will receive wonderful prizes.

Can Risk Management Even Be Effective?

Lately, everyone from government agencies to regulators to corporate board members seem to be talking about the need for more effective risk management. The challenging part is that, despite the guidance provided in ISO 31000:2009, the concept of risk management effectiveness remains vague. This article attempts to summarize the basic components of effective risk management, which should help risk managers to respond to the challenges set by regulators and shareholders.

The team at the Institute for Strategic Risk Analysis in Decision Making (ISAR) and www.risk-academy.ru has been studying risk management for more than 15 years, and we firmly believe that effective risk management is only possible when all four criteria below are met. Each of these criteria is based on ISO 31000:2009, the most widely used risk management standard in the world (translated and officially adopted in 44 of the 50 biggest countries by GDP).

1. Integrating Risk Into Decision Making

One of the most important tests of true risk management effectiveness is the level of risk management integration into decision making. ISAR research shows that companies achieve long-term advantage if they are capable of systematically integrating risk management into planning and budgeting decisions, investment decisions, core operational business processes and key supporting functions. Just consider an example of a large investment fund, which makes investment decisions only after an independent risks analysis and does simulations to test the effect of uncertainty on key project assumptions and forecasts. Another example is a large airline, which makes strategic decisions based on several quality alternatives with a risk assessment performed for each alternative.

For us it’s very important that risks are taken into account when investment decisions are made. That’s why risk assessments are mandatory for all investment decisions. Risks are identified and evaluated by both the project team and the back-office departments, including legal, finance, scientists, strategy and others. This ensures a more objective and independent risk analysis when making investment decisions.

–Konstantin Dozhdikov, Head of Risk, RUSNANO

 2. Strong Risk Management Culture

Human psychology and the ability of business managers to make decisions in situations of great uncertainty have a huge impact on risk management effectiveness. Nobel laureate Daniel Kahneman and his long-time collaborator Amos Tversky conducted some exceptional research in the field of risk perception, showing that most people, consciously or subconsciously, choose to be ignorant of risks. Robust risk management culture is therefore fundamental to effective risk management. Take for example a large petrochemical company, which used online and face-to-face training to raise risk management awareness and competencies across all staff levels. The company also allocated resources to integrating risk management principles into the overall company culture. Another example is a government agency, which documented transparent discussion and sharing of information about risks as one of its corporate values, which were later communicated to all employees.


Training is one of the most important factors in the development of a risk management culture. Risk management can become an effective tool as soon as every employee understands what it is and how it applies to their personal area of responsibility. There are many different kinds of risk management training. It could be risk induction training offered to all new employees. Induction training should include a short explanation of the risks that might arise, information about risk management as a useful tool and how to use it when making day-to-day business decisions. It is also useful to conduct separate specialized risk management training for department heads and key managers in order to help them integrate risk analysis into key business processes. The main thing is to remember that training is not supposed to be a one-time measure and, on the contrary, should be offered on a regular basis. Training sessions can be led by your company’s own risk manager or an external party, but either way the trainers must possess relevant competencies and qualifications.

–Lubov Frolova, Head of Risk , Tekhnodinamika

3. Disclosing Risk Information

Another criterion for effective risk management is the willingness and ability of an organization to document and disclose risk-related information both internally and externally. A mature company not only documents the results of risk analysis in its internal decision making processes but also discloses information about risks and their mitigation to relevant stakeholders, where appropriate, in external reporting or on the company website. Because actual risk information may be sensitive and contain commercial secrets, the focus of disclosure should not be on the risks themselves but rather on the risk management framework, executive commitment to managing risks and the culture of the organization. Many organizations tend to treat this formally, often copying and pasting risk management information in external reporting from year to year without any update.

Remember that disclosure of risk management information allows companies to both make and save money. For example, the insurance market reacts positively to a company’s ability to disclose information about the effectiveness of its risk management and control environment, offering a reduction in insurance premiums. Banks and investors also see risk disclosure in a positive light, allowing companies to lower their financing costs.

One large mobile network operator takes risk reporting particularly seriously. Its approach changed after an IPO. To this day, risk reporting as part of the annual report is not just a recount of the typical risks within their industry sector, but a reflection of key risk management changes and achievements over the last period. Risk reporting is composed of two parts: 1) A general description of events linked to risk management within the company; and 2) A description of key risks facing the company over the year. In the first part, risk managers give a detailed description of significant risk management events that occurred within the company that year. For example, there could be a description of how closely the company is aligned with the ISO 31000:2009 principles, or how the company has strengthened its risk culture. The second part describes common risk categories facing the company. This should point out the typical risks in the industry sector as well as the most significant risks identified over the past year. Additionally, the description of each risk should include the status of mitigation actions taken to manage the risk, their effectiveness and the anticipatory measures that the company intends to take in the future.

 4. Continuously Improving Risk Management

The final criterion for effective risk management has to do with the continuous improvement of the risk management framework and the risk team itself. One investment fund was able to do this with the help of regular assessment of the quality and timeliness of its risk analysis, annual risk management culture assessments and periodic review of risk management team competencies. For example, professional risk management certification helps to boost risk team competencies. One of the reasons behind the need for constant risk management improvement is rapid development of risk management discipline. The ISO 31000:2009 standard is currently being reviewed by more than 200 specialists from 30 different countries, including experts from Russia and members of ISAR. Some of the suggestions for the new version of the standard include the greater need for integration of risk management into business activities, including decision making, and the need to explicitly take into account human and cultural factors. These changes could have a significant impact on many modern non-financial organizations, raising questions about their risk management effectiveness.

Risk management, just like any other element of corporate governance, must be integrated into the overall management system of the organization. The ISO 31000:2009 international standard explicitly talks about the need for risk management to be adaptive, dynamic and iterative. As organizational risk maturity improves, so will the tools used by the organization to manage risks in decision making. Professional risk managers should not only develop risk management processes for the organizations but also improve their own risk management competencies.

As I am writing this, work is being undertaken on the update of both of the most widely adopted risk management standards (ISO 31000:2009 and COSO:ERM 2004). New versions are expected to be available in 2017 and promise to revolutionize our current understanding of risk management, not necessarily in a positive way. My experience shows that participating in international conferences, training sessions and certification programs constitutes a good way for risk managers to keep themselves in top professional shape.

I hope I will see you at the G31000 conference in Dubai on Oct. 12-13, 2016 (www.g31000conference2016.org), where I will be presenting on the topic of risk management maturity.

We recommend executives and risk managers evaluate the current level of risk management maturity using the criteria for effective risk management presented in this article. If at least one of the puzzle pieces is missing, it is probably a bit premature to talk about effective risk management.

3 Fatal Mistakes by Risk Consultants

Warning: this article may upset some conservative risk managers

Risk management in modern non-financial companies is very different compared to say 5 years ago. The level of risk management maturity, for lack of a better word, has grown significantly.

As more and more companies across the globe are looking to implement robust risk management, the demand for risk management consultants is also growing. Unfortunately, not all risk consultants are able to generate long term value for their clients. Here are three reasons why:

A. Selling the wrong product 

Non-financial companies want to buy and many risk consultants continue to sell risk assessments, risk management frameworks, risk appetite statements and risk profiles. What do all these products have in common? I am being intentionally provocative here, so I will say all these products are missing the point completely. One thing they have in common is that they are designed to measure, capture or document risks, making us all believe that risks and their mitigation are the ultimate goals of the exercise. 

Over the years, this tendency to treat risk management as a separate, standalone (some go as far as say independent) process with its own inputs (data, interviews, experts) and outputs (risk reports, risk matrices, risk registers) created a whole community of risk consultants who seem to be missing the plot completely. Risk management is not really about dealing with risks. Risk management is about helping companies achieve their objectives and make better decisions.


OK, sometimes it may be useful to capture risks for the sake of risks and discuss them with the management team, but this should be more of an exception than a norm.

So if risk management is not about risk assessments or risks, then what is it about?

I believe that risk management is ultimately about changing how companies make decisions and operate with risks in mind.

The two dominant modern trends in risk management are integration into business processes and decision making, and human and cultural factors. Yet it seems most modern risk consultants completely ignore both of them. For example:

  • It is fundamentally wrong to measure the level of risk when instead you could measure the impact risks have on key objectives or business decisions using budget@risk, schedule@risk, profit@risk or KPI@risk.
  • I believe any qualitative risk analysis based on expert opinions is evil. More on this here.
  • It is wrong to have a risk management framework document when instead you can integrate risk management principles and procedures into operational policies and procedures, like budgeting, planning, procurement and so on. I bet this example upset quite a few of you.
  • It is a mistake to try and use a single enterprise-wide approach (sometimes referred to as ERM) to measure different risks. Different risks, different types of decisions and different business processes deserve unique risk methodologies, risk criteria and risk analysis tools.

Join the discussion in the G31000 group dedicated to ISO31000:2009 to find out more about the latest trends in risk management. As strange as it may sound, many risk consultants still have not read the ISO31000:2009 or are unaware of the changes happening to the most popular risk management standard in the world (officially translated and adopted in 65+ countries in the world and is currently being updated by 200+ experts from around the world).

The reality is that most risk management consultants sell completely the wrong products. Management doesn’t care about risks; they care about making decisions that will hold in court, making money and meeting KPIs. No wonder modern risk management is mainly lip service.

The funny thing is that corporate risk managers make exactly the same mistakes. They too need to show value from risk management and fail to do so by focusing on risks (their domain) instead of business processes or decisions (business domain).

B. Confusing risk management with compliance 

Did you know that unlike many other ISO standards, the ISO31000:2009 is not intended for the purpose of certification? This was a conscious decision made by the people working on the standard at the time. It is a guidance document.

Risk management is not just black and white. For example, risk management is about integrating decision making and business processes, but every organization will find its unique way of doing so.

Many consultants make a huge mistake by insisting on a single version of the truth. Non-financial regulators or government agencies make an even bigger mistake by taking guidelines and making them compulsory. Like COSO ERM in the US, a bad document made obligatory for listed companies. Read more about the new COSO ERM here.

By far the best way to assess risk management effectiveness is by applying a risk management maturity model. Just keep in mind that most existing maturity models were created by consultants who miss the big picture, see point A.


C. Failing to see the intimate details 

One of my good friends, Anna Korbut, a few years ago said an interesting thing: “Risk management is a very intimate affair.” I liked this phrase, so I have used it ever since. Risk management truly is intimate and unique. I have been working in risk management for over 13 years in 4 different countries, and I have seen close to 300 risk management implementations. Yet, every single one was unique in some way.

Unfortunately, many consultants fail to dig deep enough to see how risk management is really implemented into organizational processes and into the overall culture of the organization.

Risk management goes against human nature (see the research by D. Kahneman and A. Tversky), so most of the time risk managers use techniques that border on neuro-linguistic programming or building an internal intelligence network. Here are just two examples:

  • I personally created a table tennis tournament in the company where I used to work to get an opportunity to meet all business units in informal settings and build rapport. This had a bigger positive impact than monthly executive risk committee meetings where all the same department heads were present.
  • A colleague of mine created the whole operational planning procedure within the company to reinforce the need to discuss risks on a daily basis.


The key takeaway is: unless specifically asked, most risk managers will never disclose how they really build risk management culture within the organization or how they integrate risk analysis into the business. According to ISO31000:2009, risk management is coordinated activities to direct and control an organization with regard to risk. It consists of about 1000 small things that risk managers do on a daily basis, most of which may not directly relate to risk. Yet it is those small things that build risk management culture within the organization. Unfortunately, most risk consultants are quick to jump to conclusions and do not bother to dig deep enough to see all the nuances.

Risk management in every company is unique. It is the risk consultant’s job to figure out how it all comes together to build a better risk-based organization.

P.S. Remember, that if your consultant is showing signs of any of the above, it’s time to have an honest chat with him/her.

Risk Management: Off the Rails?

First, there was science…

Some sources suggest probability theory started in gambling and maritime insurance. In both cases, the science was primarily used to help people and companies make better decisions and, hence, make money. Risk management used the mathematical tools available at the time to quantify risk, and their application was quite pragmatic.

Banks and investment funds started applying risk management, and they, too, were using it to make better pricing and investment decisions and to make money. Risk management at the time was quite scientific. In 1990, Harry M. Markowitz, Merton H. Miller and William F. Sharpe shared the Nobel Prize in economics for their pioneering work in financial economics, including Markowitz’s portfolio theory and Sharpe’s capital asset pricing model (CAPM), tools also used for risk management. This doesn’t mean risk management was always accurate (just look at the case of LTCM), but managers did apply the latest in probability theory and used quite sophisticated tools to help businesses make money (either by generating new cash flows or protecting existing ones).

Then, risk management became an art…

Next came the turn of non-financial companies and government entities. And that’s when risk management started becoming more of an art than a science.

Some of the reasons behind the shift were, arguably:

  • Lack of reliable data to quantify risks — Today, certainly, there is no excuse for not quantifying risks in any type of an organization.
  • Lack of demand from the business — Many non-financial organizations of the time were less sophisticated in terms of planning, budgeting and decision making. So, many executives didn’t even ask risk managers to provide quantifiable risk analysis.
  • Lack of qualified risk managers — As a result, many risk managers became “soft” and “cuddly,” not having the skills or background required to quantify risks and measure their impact on business objectives and decisions.

Many non-financial companies quickly learned which risks to quantify and how. Other companies lost interest in risk management or, should I say, never saw the real value.

Today, it’s just a mess…

What I am seeing today, however, is nothing short of remarkable.

Instead of being pragmatic, simple and focused on making money, risk management has moved into the “land of buzz words.” If you are reading this and thinking, “Hold on, Alex. Risk velocity is important; organizations should be risk resilient; risk management is about both opportunities and risks; risk appetite, capacity and tolerances should be quantified and discussed at the board level; and inherent risk is useful,” then, congratulations! You may have lost touch with business reality and could be contributing to the problem.

See also: Risk Management, in Plain English  

I have grouped my thinking into four problem areas:

1. Risk management has lost touch with the modern science.

These days, even the most advanced non-financial organizations use the same risk management tools (decision trees, Monte Carlo, VaR, stress testing, scenario analysis, etc.) created in the ’40s and the ’60s. The latest research in forecasting, modeling uncertainty, risk quantification and neural networks is mainly ignored by the majority of risk managers in the non-financial sector.

Ironically, many organizations do use tools such as Monte Carlo simulations (developed in 1946, by the way) for forecasting and research, but it’s not the risk manager who does that. The same can be said about the latest development in blockchain technology, arguably the best tool for transparent and accurate counterparty risk management. Yet blockchain is pretty much ignored by risk managers.

It has been years since I saw a scientist present at any risk management event, sharing new ways or tools to quantify risks associated with business objectives. That can also be said about the overall poor quality of postgraduate research published in the field of risk management.

2. Modern risk management is detached from day-to-day business operations and decision making. 

Unless we are talking about a not-for-profit or government entity, the objective is simple: Make money. While making money, every organization is faced with a lot of uncertainty. Luckily, business has a range of tools to help deal with uncertainty, tools like business planning, sales forecasting, budgeting, investment analysis, performance management and so on.

Yet, instead of integrating all the tools, risk managers often choose to go their separate ways, creating a parallel universe that is specifically dedicated to risks (which is very naive, I think). Examples include:

  • Creating a risk management framework document instead of updating existing policies and procedures to be aligned with the overall principles of risk management in ISO31000:2009;
  • Conducting risk workshops instead of discussing risks during strategy setting or business planning meetings;
  • Performing separate risk assessments instead of calculating risks within the existing budget or financial or project models;
  • Creating risk mitigation plans instead of integrating risk mitigation into existing business plans and KPIs;
  • Reporting risk levels instead of reporting KPI@Risk, CF@Risk, Budget@Risk, Schedule@Risk; and
  • Creating separate risk reports instead of integrating risk information into normal management reporting.

Risk management has become an objective in itself. Executives in the non-financial sector stopped viewing risk management as a tool to make money. Risk managers don’t talk the language of the business; many don’t even understand it, or how decisions are actually made in the organization. Risk analysis is often outdated, and by the time risk managers capture it, the important business decisions are long done.

3. Risk managers continue to ignore human nature.

Despite the extensive research conducted by Nobel Prize winners Daniel Kahneman and Amos Tversky (psychologists who established a cognitive basis for human errors that are the result of biases) and others, risk managers continue to use expert judgment, risk maps/matrices, probability x impact scales, surveys and workshops to capture and assess risks. These tools do not provide accurate results (to put it mildly). They never have, and they never will. Just stop using them. There are better tools for integrating risk analysis into decision making.
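To make two of the points above concrete, here is an added example (my own illustration, not the author’s code and not any standard’s method) that does what section 2’s list asks for: the risk calculation lives inside the budget model and produces a Budget@Risk figure, while the same two risk events are also scored on a probability x impact matrix so the loss of information can be seen side by side. Everything in it is a constructed assumption: the three budget lines, the two risk events, the triangular and uniform distributions, the 5x5 workshop scores and the P90 confidence level.

```python
"""Budget@Risk inside a (constructed) budget model, next to the
probability x impact score a workshop would give the same risks.
Added illustration; all figures are made-up sample data."""
import math
import random
from dataclasses import dataclass


@dataclass
class LineItem:
    """A budget line whose actual cost varies around the planned figure."""
    name: str
    planned: float
    low: float    # optimistic multiplier on the planned cost
    high: float   # pessimistic multiplier; the mode is 1.0 (the plan itself)


@dataclass
class RiskEvent:
    """A discrete event that may or may not hit the budget in the period."""
    name: str
    probability: float       # chance of occurring during the budget period
    impact_low: float        # cost if it occurs, uniform between low and high
    impact_high: float
    matrix_probability: int  # 1-5 workshop score (assumed 5x5 matrix)
    matrix_impact: int       # 1-5 workshop score


def matrix_score(ev: RiskEvent) -> int:
    """The usual probability x impact score that a risk map reports."""
    return ev.matrix_probability * ev.matrix_impact


def expected_loss(ev: RiskEvent) -> float:
    """Quantified exposure: probability times mean impact."""
    return ev.probability * (ev.impact_low + ev.impact_high) / 2.0


def simulate_total_cost(items, events, runs=20000, seed=7):
    """Monte Carlo over the whole budget: every line and every event is
    sampled in each run. Returns the sorted list of simulated totals."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        total = 0.0
        for it in items:
            total += it.planned * rng.triangular(it.low, it.high, 1.0)
        for ev in events:
            if rng.random() < ev.probability:
                total += rng.uniform(ev.impact_low, ev.impact_high)
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_values, p: float) -> float:
    """Nearest-rank percentile of an already sorted list, 0 < p <= 1."""
    rank = max(1, min(len(sorted_values), math.ceil(p * len(sorted_values))))
    return sorted_values[rank - 1]


def budget_at_risk(sorted_totals, planned_total: float, confidence: float = 0.9) -> float:
    """Budget@Risk: how far the P(confidence) outcome exceeds the approved budget."""
    return percentile(sorted_totals, confidence) - planned_total


# Constructed sample budget (amounts in thousands of currency units).
ITEMS = [
    LineItem("Headcount", 600.0, 0.97, 1.10),
    LineItem("Cloud hosting", 120.0, 0.90, 1.40),
    LineItem("Contractors", 180.0, 0.85, 1.50),
]
EVENTS = [
    # Both land in the same matrix cell (score 8) but differ sharply in exposure.
    RiskEvent("Key supplier delay", 0.30, 40.0, 80.0, matrix_probability=2, matrix_impact=4),
    RiskEvent("Regulatory penalty", 0.05, 400.0, 1200.0, matrix_probability=2, matrix_impact=4),
]
PLANNED_TOTAL = sum(it.planned for it in ITEMS)  # 900.0


def report(items=ITEMS, events=EVENTS, runs=20000, seed=7):
    """Figures that belong in the budget report itself, not in a separate risk register."""
    totals = simulate_total_cost(items, events, runs, seed)
    planned = sum(it.planned for it in items)
    return {
        "planned_total": planned,
        "p50": percentile(totals, 0.5),
        "p90": percentile(totals, 0.9),
        "budget_at_risk_p90": budget_at_risk(totals, planned, 0.9),
        "matrix_scores": {ev.name: matrix_score(ev) for ev in events},
        "expected_losses": {ev.name: expected_loss(ev) for ev in events},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it and the two events come out with the identical matrix score while their expected losses differ by a factor of two, which is exactly the information a risk map throws away; the `budget_at_risk_p90` line is the single number a CFO can act on, because it is expressed in the budget’s own units and was produced by the budget model rather than by a workshop.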

Building a culture of risk awareness is critical to any organization’s success, yet so few modern risk managers invest in it. Instead of doing risk workshops, risk managers should teach employees about risk perception, cognitive biases, fundamentals of ISO31000:2009 and how to integrate risk analysis into day-to-day activities and decision making.

4. Risk managers are too busy chasing the unicorn.

Instead of sticking to the basics and getting them to work, many are busy chasing the latest buzzwords and innovations. Remember how “resilience” was a big thing a few years ago? Before that, there was “emerging risks,” “risk intelligence,” “agility,” “cyber risk” — the list goes on and on. It seems we are so busy finding a new enemy every year that we forget to get the basics right.

See also: Key Misunderstanding on Risk Management

Lately, consultants seem to have too much say in how modern risk management evolves. The latest installment was the new COSO:ERM draft, created by PwC and published by COSO this June. The authors sure did “innovate” — among other “useful ideas,” they came up with a new way to capture risk profiles. That would be nice if risk profiling were the objective of risk management. Sadly, it is not. Risk profiling in any form does little to help executives and managers make risky decisions every day. For more feedback on COSO:ERM, click here.

To be completely fair, the global team currently working on the update of ISO31000:2009 also includes a few consultants who have a very limited understanding of how risk management is applied in day-to-day decisions and of how it helps organizations make money.

I think it’s time to get back to basics and turn risk management back into the tool to help make decisions and make money.

I am interested to hear your thoughts. Please share and like the article and comment below.