Some of the conclusions of a recent risk survey make very grim reading. RiskVision, in collaboration with the Ponemon Institute, performed a ‘global Enterprise Risk Intelligence survey’ that concluded:
- three-quarters of organizations lack a comprehensive risk management strategy;
- 52 percent of organizations lack a formal budget for enterprise risk management;
- 44 percent said lack of resources was a key obstacle to achieving their risk management goals; and
- 43 percent struggle to ‘get started’ with risk management.
How depressing is it to read that 43 percent struggle to get started? Consider that these responses were from 641 paid risk professionals. That means they represent organizations that actually employ somebody with enough interest to complete a survey like this, meaning this sample is better than the true average!
Risk guru Norman Marks reviewed the survey results and was typically honest and perceptive in his analysis.
The results are disturbing, but unfortunately what I had anticipated.
If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we surprised that the risk management activity is under-funded?
Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
I am tempted to copy the whole of Marks’ post because I agree with all of it. But you should just go read it instead.
Marks is refreshing because he is both a genuine expert and unwilling to repeat the mindless mantras that get spouted by other so-called experts who sell bad ideas that never work in practice (or sell trumped-up software based on those bad ideas). But as much as I admire Marks, I wish he would sometimes go further still. I chipped in my tuppence, for what it is worth:
Surely there is a psychological dimension which gets insufficient attention. If you tell an exec you can help them make a ‘better’ decision it implies they’re not already making the best decision. Their resistance is natural unless you can make a compelling argument for the methods you advocate. However, many of the methods used by risk managers are too basic to be convincing.
As you state, business leaders are not idiots. Why would they change their mind about an important decision just because you presented them with long lists of subjective opinions cobbled together from low-energy meetings with lots of their underlings?
There is an analogy to evidence-based policy generation in the public sphere. Risk management has the chance to succeed if it supplies superior evidence to back a superior risk evaluation and superior risk mitigation. Otherwise it is just another opinion, and business leaders are entitled to have different opinions to risk managers.
You mention technobabble, but I think risk managers are guilty of something worse: pseudoscience. That’s why it sounds like babble. Good data, good statistics, good analysis – do risk managers have the information, skills and technology to really appraise risk, as opposed to trying to make essentially subjective judgments sound much more objective than they really are? Who cares about the so-called appetite of the organization if we have not identified a useful and objective measure of risk to begin with?
Finally, I would like to observe that psychology rarely gets treated as an important component of risk management but we all instinctively know that persuasion is a part of any management job. Furthermore, we know that there are common cognitive biases which affect the perception of risk and hence decision-making. Nobody familiar with the work of Nobel-prizewinner Daniel Kahneman would argue otherwise. This psychological aspect is real science, not technobabble, but there is not much effort to formally address the implications within the realm of professional corporate risk management. We should not be surprised if business leaders have a low opinion of risk management, and do not allow it to influence their decisions. Professional risk managers also seem to have little knowledge of the way common psychological biases affect decision-making – whether made by themselves or others – and so fail to allow for them in their own work.
Regular Commsrisk readers may sense where my argument is leading. We need to demystify risk management whilst simultaneously making it more empirical. We need to swap the pseudoscience of lists and heat maps (I hate heat maps) for real science that involves lots of data and statistics. We also need the science of psychology as well, because no amount of data will lead to better decisions if you do not understand why human beings suffer from cognitive biases and how often these biases affect real decision-making.
If that sounds like a lot to ask for, then I admit I ask a lot! But it is better that we admit there is a lot of hard work to do and start finding real solutions instead of kidding ourselves that mumbo-jumbo and technobabble will make us valuable and respected business advisors. A surplus of mumbo-jumbo and technobabble explains why these survey results are so poor, and yet so predictable.
Perhaps we need to step back from trying to manage every kind of risk and at least show we can manage some kinds of risk – whether they are generic financial risks like variability in forex and interest rates, or risks that are specific to certain business models, like the risk of failing to produce a billable record for every network transaction. Maybe we need to break down the challenge into manageable pieces, before we start building up again. And when we build up, we need to work to a realistic and viable design, instead of relying on supposedly comprehensive lists and dictionaries of technobabble.