Volumes have been written on the cause of the crisis the world is in, surveys have been done and many fingers are pointing in every direction—a couple of these are pointing straight at us, the Risk Professionals.

It is time for us to accept that risk management, as we know it, failed; and for as long as we try to re-direct or break the fingers pointing at us—we will be stuck in this crisis. It is time to renovate risk management. The past is no longer a roadmap for the future.

Let us come clean and move on, the earlier the better for all. Which other industry has so many frameworks, so many different processes and so many different standards, regulations and so-called guidance documents? Which other industry has so many people claiming to be experts and trying to squeeze a quick buck out of something nobody can ever be an expert in?

Too many "somebodies" out there who are “certified” by nobodies, too much education done by non-educators.

Any process older than 5 years is outdated; we live in a world of dynamic change, the pace of which is ever increasing and with it, the levels of Risk Exposure. The basic Risk Management Cycle is one of these outdated processes.

Let us look at Risk Identification: we tried in many different ways to identify all the risks—until a volcano sneezed and we realized that we have not; and can never, identify all the risks. Let us accept that and move on. The size of your risk register is not related to, nor is it an indication of the effectiveness of your risk management process.

Next we get to Assessment and Analysis: Those who thought they were good at risk identification moved on to quantification. Sadly, many are still stuck there, thinking that models can control and mitigate risk. Some in the alternative movement is to justify the great cost of their models by using the results for good purposes, like calculating economic capital etc.

Thinking of which; the gross income of most banks dropped since 2008, so how cool is it for those using the Basic Indicator or Standardised approach for Operational Risk—in a time when their operational risks increased significantly, their capital charge has come down. Can this create a passion to improve Operational Risk Management to an AMA level?

Risk reporting, control and treatment: How wrong did we get red, amber, green!

Now everybody wants every risk to be green, because green is good.
Green on a risk report is perceived to mean “do nothing”, but that is the quickest way for those risks to shoot to red. Then we get to amber, what a
nice place to be- all risks are under control and we choose to overlook the fact that those controls might not be efficient or can be completely ineffective.

DANGER ZONE- those risks in the red zone, the bad zone. The red zone is where you make the most money, but it is also the place that requires the most effort in risk control. For as long as red is perceived as bad we will be stuck with average risk management effort (amber) or no risk management effort (green). So the red zone is the best zone with the biggest returns—if you are prepared to put in the effort.

We already know that the effectiveness of your risk management process is not linked to the size of your risk register. Similarly, it is also not linked to the thickness of your executive risk report. Anyway, we have sanctified board risk reports to the extent that the difference between what the top thinks and the bottom knows is so big that those in the middle are just slipping into the ditch. Trouble surely comes when people are working harder at keeping their jobs, than doing their jobs.

If you have a formal monthly risk report it is generally 28 days too late, frightening to think some have a quarterly risk report, or as a friend commented recently, an ANNUAL risk report! It is thus not about the size,
its all about the timing; having a risk nervous system that runs accurate risk information from all points inside the organisation (and outside) and having "live" dashboard reporting on the company intranet. The earlier people know, the better the decisions and the smaller the losses.

Secondly, the sole purpose of many risk management processes is to produce the risk report, often that is the sole purpose of the risk management department. The outcomes of a risk management process are much more than models and risk reports. What do you do with the information you have? If your risk management department cannot show a Return on Investment—get rid of them!

Processes and Systems: Most organisations have taken the easy way out
(note: not the cheapest) and they built impressive risk management systems worth millions of dollars; but failing to address the fundamental issue of people. All risk management efforts are worthless without a risk nervous system—and only humans can add that.

We already know that there are no risk management experts; and in fact, we do not need any risk management experts! All we need is for each and every employee to know the basic risk management skills and principles; use them to evaluate the risks associated with his/her job and do something on a daily basis to mitigate and control those risks. Risk Management success lies in embedding an effective risk management culture!

Prevent your business from crash-landing, change the way you see and approach risk management and execute that transformation; put in the effort and embed an effective risk management culture in your business, delivering good risk governance and building sustainable competitive advantage.

Welcome to transformation, be the change to want to see!

Votes: 0
E-mail me when people leave their comments –

Transformational Nonconformist-It is time to Think Differently about Risk; Transformative change requires Disruption!!

You need to be a member of Global Risk Community to add comments!

Join Global Risk Community


  • @Richard,


    Need is the mother of invention. We hear this every now and then and this adage reminds me that "need" is a form of discontent. One is not satisfied of status quo and thus; would pursue a change. If a risk professional is dissatisfied with the results, he will change the process involved to a certain degree. Change is part of the evolution. As a whole, evolution never stops. Change never really stops. Change brings risk, so change in a sense is representing risk. I believe in the saying that, if it aint broke, don't fix it. Of course, you have to remember that although I am saying this, it is a matter of perspective. One person can run with it for years satisfied, but another think its broken. The only thing that will not change is the truth. The challenge is, who has the full truth on his side?

    As I've said a few threads back, "I think that one needs to evolve only when presented with a new challenge that a current risk process or combination of processes cannot effectively resolve or respond to. If today’s approaches and methodologies proves sufficient to manage and bring risk under control, then it must be a good process. Why change it? There’s no need to evolve. Apparently, the author sees a complete and dismal failure of current processes."


    Rufran (071515)

  • Thanks Rufran for your input. It certainly elaborates the timing of the risk event. Could you perhaps comment on the question about how we pursue, how we provide value in, how we evolve the practise of... managing risks. Thx.

  • The contemplated risk now, is the risk of dying...

  • Well, I hate to put it on the table of discussion once more but the forest fire is no longer a risk.


    It is already a problem. If it remains uncontrolled, and unmanaged, it becomes an issue. The animals scampering to safety are all driven by their survival instincts much like a man suddenly faced by a life or death situation during a terrorist attack. He is also driven by instinct on how to survive.


    The time to manage a life-threatening problem is so short that his actions might not qualify as management but pure luck. If he dies from a bullet wound, like those tourists who were recently attacked in Tunisia, then tough luck. If he survives, then great luck. He is probably in the right place at the right time despite being in the midst of chaos.

    A problem is a negative risk that has occurred. In a logical sense, it is no longer a risk, as it is now certain and in the present, just like the fire. It is now a hazard because it exists. A problem, although not a blanket rule, usually needs quicker and prompter response, sometimes in seconds or minutes.


    8028847872?profile=originalSource: Frago, R., (2015).Risk-based mangement in the World of Threats and Opportunities: A P...


    Rufran (071315)

  • Offence unitended Simon, glad you don't take it this way.

    I'm trying to push myself harder, to think what really is the value of what we do in risk management. If I can connect with what you say Mansoor, just because we see animals escaping forest fires, we need not assume they had particular skills in perceiving risks and responding accordingly to save their lives. We just don't see the animals burned to a crisp, only the escapees! If there is an 'art to risk management', then how does this differ from good luck? What actual practices can we systematically embed, what risk instincts can we embed, what risk empowerment might we deliver to an organisation, that will make it consistently, even predictably "lucky"?

  • Mansoor Bin Hamed Mansoor Bin Hamed, via Risk Culture Builders group on Linked-In

    Fundamentally the risk management process is right because you cannot avoid something unless you have identified it and assessed it. But how we identify, assess and treat is the question with varying and not a definite answer. It's the art part of risk management. Every business, organization, industry, processes, objectives, culture and people (most important) differ. There is no right fit but with the right approach, risk professionals can add value to business. In my view everybody in the organization , from the CEO to the security at the entrance should know their job as risk management contributors. Standards, systems and processes are just tools. It's us who need to determine how we use it. Ever imagined how most animals escape the wild forest fires? They don't follow any standard or etc but they have an embedded risk or danger management thought process

  • @ Richard Cross. Thanks Richard, the idea was to encourage discussion, but there are some answers and suggestions on my blog, here is the part about the role of Human Resources:

  • Well, that was disappointing! Like watching a move with interesting characters, engaging plot, lots of suspense and as you get to the conclusion, you find that there is in fact no meaning or completion to the story.

    Yes risk management practices need to evolve (of course they do, it's a relatively immature discpline/ profession).

    Yes there are aspects of a risk management process which have not delivered perfect results in the past and can be improved.

    Yes, we can all think of myriad inadequacies in the way that risk management is implemented and practised - indeed - leaving many risks inadequately mitigated (probably).

    Absolutely, the vision of the risk management team often seems to be to execute the process rather than delivering some value-adding result (shame on them!).

    And the offered answer is to disavow expertise, promote a universal risk culture, change the way we see things, execute transformation, try harder, bla bla bla. Sorry. Not good enough. What specifically should we do apart from beat ourselves up that we operate in an imperfect world, with imperfect tools and imperfect processes. Of course we do! Risk management is always going to be the art and science of focusing attention and resources in the places where they will likely have the greatest effect. Risk management can never be perfect as it operates in the sphere of uncertainty. It can only seek to be self-learning, wise, attentive, profound and intelligent.

    If I had any critique to offer, it would be along the lines of the expansiveness of what we do. How do we think better? How do we become more perceptive, adept at perceiving change, effective in communicating stories of meaning and significance, building credibility and systems (of thought and action) which are continuously improving and designed to eliminate error? Just try harder and be transformative sounds wise but does not pass muster, in my opinion.

  • Great to get some more comments, as I said at the end "be the change you want to see!

    Those who support the current processes, please give us examples of how they worked to add vale and help businesses improve and grow? Millions of words have been written in 100's of studies after the Global Financial Crisis; I have not read them all, maybe somebody did see one that found that risk management "worked" and no improvement is needed?

  • @ALL,

    The article made a motherhood statement that “any process older than 5 years is outdated; we live in a world of dynamic change, the pace of which is ever increasing and with it, the levels of Risk Exposure. The basic Risk Management Cycle is one of these outdated processes.”

    Then each process was described starting with risk identification and simply put down.

    One must accept that risk-based management is not a perfect science. We cannot consciously manage what we have not identified. We can however unknowingly avoid an unknown risk by some stroke of luck, but who will know we unconsciously avoided it before the risk comes about? It is unknown after all.

    Unknown risk that suddenly rears its ugly head is fully appreciated only hindsight. This concept is part of the risk framework that need not change because no modern man has a divine capacity to foresee the future!

    I was waiting for the author to offer a tangible solution to those he underlined, but as usual, there was none offered. He mentioned people and culture, but what about it? No offense meant but the author’s brief discourse seems to highlight a key indicator of his own risk culture. How one strike a balance to all these differences is a good focus of discussion.

    RCF (070715)

This reply was deleted.

    About Us

    The GlobalRisk Community is a thriving community of risk managers and associated service providers. Our purpose is to foster business, networking and educational explorations among members. Our goal is to be the worlds premier Risk forum and contribute to better understanding of the complex world of risk.

    Business Partners

    For companies wanting to create a greater visibility for their products and services among their prospects in the Risk market: Send your business partnership request by filling in the form here!