Friday, December 13, 2019
Corporate Compliance Insights
  • Home
    • Home
  • About
    • About CCI
    • Writing for CCI
    • Advertise With Us
  • Articles
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Industry News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
    • Home
  • About
    • About CCI
    • Writing for CCI
    • Advertise With Us
  • Articles
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Industry News
  • Jobs
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Risk

12 Reasons Risk Management Fails

by Alba Keqa
November 17, 2016
in Risk
Preventing risk management failures

with contributing author Bogdan Dragomir

Risk management has gained increased attention and interest in recent years, both from industry professionals and academics. The main focus of thorough risk management is the continuous identification and treatment of the potential risks. Its objective is to add maximum continual value to all the activities within the organization. In addition, in developed and emergent countries, capital markets have become more significant and as a result, nonfinancial corporations and banks have recognized that the number, type and extent of their threat landscape and inherent risks have increased significantly. Finally, a wave of unpredictable payment-related enhancements can be considered both a source of risk and a method to mitigate.

Risk management has also gained attention considering the ongoing and widely publicized failures having roots in its erroneous implementation. Risk management failures prohibit organizations from meeting their goals, thus determining repetitive – and sometimes of exponential magnitude – business and project failures. Although the risk management approach varies among firms, enterprise risk management is an organizational pivot point in achieving corporate goals. Risk and performance are inevitably connected. By establishing a reliable and controlled process for managing risks, organizations can determine the predictability of their outcome. Enterprise risk management enables enhanced decision-making, consequently enabling significant cost savings. Additionally, if properly implemented, risk management connects risks across various levels in the organization and, in leveraging other processes such as program management, enables threat-to-opportunity conversion.

While considering the valuable role of risk management, it is also essential to understand the many circumstances in which risk management failures may occur.

Enterprise risk management can adjust with the business hypothesis and intensively help in overcoming potential business failures. In the risk management failures and challenges literature, authors Matei et al. (2012) emphasize that organizations fail because of unexpected losses created by three main factors:

  1. insufficient capital,
  2. model errors and
  3. risk ignorance.

Consequently, management system and risk mitigation may be unsuccessful for more delicate and indirect reasons. At this point, there are three other well-known reasons why risk management fails:

  1. agency risk,
  2. shifts or changes in the threat landscape and inherently in the form of risk and
  3. incremental failure.

Agency risk refers to the risk that a manager or employee, unintentionally or decisively, does not succeed to pursue procedures intended to manage and moderate risks. Next, there is often an affinity for risk to shift or change form. Although an organization may moderate its risk by acquiring insurance, these proceedings do not decrease systematic risk in the economy. Furthermore, there is a tendency for risk management process to fail incrementally across a long period of time. The incremental failure is frequently caused by an extensive incubator duration coming from an evenly degradation of the risk management processes that gather over a long period of time.

Once risks are identified and quantified, they must be inferred at the organizational upper-management level. Inability to properly communicate risks to the top management may cause overall risk management failure. These failures are an indicator of unnecessary risk acceptance and/or exposure. In the risk management failure literature, Stulz (2008) showed that failures in risk management can be divided into six classes:

  1. mismeasurement of known risks,
  2. failure to take risks into account,
  3. failure to communicate risks to top management,
  4. failure to monitor risks,
  5. failure to manage risks and
  6. failure to use appropriate risk metrics or measurement systems.

Risk management failures can be caused by the use of improper risk metrics, which induces inaccurate measurements. A practical example is weather forecasting. The most common risk metrics in modern risk management is “Value at Risk” (VaR). Despite the fact that VaR has been proven to be a quintessential risk measure, meaningfulness is directly dependent on the quality of the associated answer and inherent question.

Taking into account the factors that may be accountable for risk management failure, it is consequently appropriate to affirm that operators and operational failure are the two main groups into which risk management failures may fall.

How to Avoid or Overcome these Failures

As discussed above, risk management failures can cause consequences for the organization in both time and costs. Therefore, understanding the strategy of how the organization is making profits and the risks inherent in the business model is essential in order to avoid such failures. Subsequently, top management must recognize empower and manage positions of trust; the employees whose activities can subject the organization to considerable or significant risk events must be carefully selected, trained and continuously evaluated. Establishing responsibility for outcomes and building a procedure for timely escalation – in addition to building a common risk language, shared definitions, a common culture of risk awareness and comprehensible procedures for measuring, monitoring, communicating and dealing with risks – are some of the main things an organization should consider when targeting a mature risk management approach.

Communication is another key process within any organization. Communicate regularly about risks that are more complex to measure and for which results cannot be forecasted with minimal confidence. Available, defined and detailed risk appetite is vital when defining unacceptable risk exposures.

Taking into consideration risk management failures, organizations should consistently manage risks by identifying, assessing, evaluating, prioritizing and monitoring them, continuously looking for opportunities to improve their risk stance. Concrete plans to support these processes should be enforced top-down.

These plans should balance: 

  • Risk and benefit
  • Risk and cost.

With all of the above in place, a useful and proven scheme for effectively managing many risks may be applied to streamline risk management and align it with best practices. Such a solution involves adopting an internationally recognized standard, such as ISO 31000, which is built on the most relevant best-practice scenarios from organizations worldwide and is general enough to reduce or eliminate bias. ISO 31000 explains the mechanism of risk management implementation. It provides a framework for implementing a risk management suite, rather than merely a framework for supporting the risk management process. Moreover, with due cognizance of its own internal and external contexts, an organization must recognize the applicable and relevant laws and should put into practice a system of controls to attain compliance. Additionally, ISO 31000 distinguishes the significance of feedback by means of two mechanisms: communicating and consulting, and monitoring and reviewing performance. Communicating and consulting ensures the engagement of relevant internal and external stakeholders while monitoring and reviewing guarantee that the organization observes risk performance, thereby gaining knowledge of experience and practices.

This piece was originally shared on the PECB blog and is republished here with permission.


Previous Post

The First Step to ERISA Compliance?

Next Post

Framework for a Third Party Risk Management Program

Alba Keqa

Alba Keqa is an Account Manager for Risk & Management at PECB. She is in charge of conducting market research while developing and providing information related to Risk and Management standards.

Related Posts

stack of newspapers on laptop

The Social Construction of a Scandal

December 9, 2019
"bias" on green post-it note on pink background

The Curious Case of Bias in Risk Assessments

December 3, 2019
double exposure of android bust over binary code

The 3 Final Pillars of the Cognitive Risk Framework

November 22, 2019
hazy image of businesspeople facing front, concept of future team

Preparing for Generation Z – The Future of the Front Line in Risk Management

November 19, 2019
Next Post
My Compliance Office: Framework for Third Party Risk Mgmt Solution

Framework for a Third Party Risk Management Program

Free Downloads

OFAC whitepaper cover
Compliance Job Interview Q&A
Reputation Risk Management Research

RSS SEC Litigation News

  • John Special, Defendant, and Michael Murphy, Relief Defendant, John Kenneth Davidson December 12, 2019
    SEC Obtains $3 Million Settlement in Insider Trading Action
  • Palm Beach Atlantic Financial Group, LLC and William A. Smith December 11, 2019
    SEC Charges Florida Resident and His Corporate Entity for Fraudulent Securities Offerings
  • Nanotech Engineering, Inc., Michael James Sweaney (also known as Michael Hatton), David Sweaney, and Jeffery Gange December 11, 2019
    SEC Obtains Asset Freeze to Halt Alleged Offering Fraud

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks Big Data blockchain board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management corporate culture corporate governance culture of ethics cyber risk data analytics data breach data governance decision-making Dodd-Frank DOJ due diligence fcpa enforcement actions GDPR GRC HIPAA information security internal audit internet of things (IoT) KYC/know your customer machine learning monitoring regtech reputation risk risk assessment Sanctions SEC social media risk technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • Audit
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • HR Compliance
  • Leadership and Career
  • News
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights