12 Reasons Risk Management Fails

with contributing author Bogdan Dragomir

Risk management has gained increased attention and interest in recent years, both from industry professionals and academics. The main focus of thorough risk management is the continuous identification and treatment of the potential risks. Its objective is to add maximum continual value to all the activities within the organization. In addition, in developed and emergent countries, capital markets have become more significant and as a result, nonfinancial corporations and banks have recognized that the number, type and extent of their threat landscape and inherent risks have increased significantly. Finally, a wave of unpredictable payment-related enhancements can be considered both a source of risk and a method to mitigate.

Risk management has also gained attention considering the ongoing and widely publicized failures having roots in its erroneous implementation. Risk management failures prohibit organizations from meeting their goals, thus determining repetitive – and sometimes of exponential magnitude – business and project failures. Although the risk management approach varies among firms, enterprise risk management is an organizational pivot point in achieving corporate goals. Risk and performance are inevitably connected. By establishing a reliable and controlled process for managing risks, organizations can determine the predictability of their outcome. Enterprise risk management enables enhanced decision-making, consequently enabling significant cost savings. Additionally, if properly implemented, risk management connects risks across various levels in the organization and, in leveraging other processes such as program management, enables threat-to-opportunity conversion.

While considering the valuable role of risk management, it is also essential to understand the many circumstances in which risk management failures may occur.

Enterprise risk management can adjust with the business hypothesis and intensively help in overcoming potential business failures. In the risk management failures and challenges literature, authors Matei et al. (2012) emphasize that organizations fail because of unexpected losses created by three main factors:

1. insufficient capital,
2. model errors and
3. risk ignorance.

Consequently, management system and risk mitigation may be unsuccessful for more delicate and indirect reasons. At this point, there are three other well-known reasons why risk management fails:

4. agency risk,
5. shifts or changes in the threat landscape and inherently in the form of risk and
6. incremental failure.

Agency risk refers to the risk that a manager or employee, unintentionally or decisively, does not succeed to pursue procedures intended to manage and moderate risks. Next, there is often an affinity for risk to shift or change form. Although an organization may moderate its risk by acquiring insurance, these proceedings do not decrease systematic risk in the economy. Furthermore, there is a tendency for risk management process to fail incrementally across a long period of time. The incremental failure is frequently caused by an extensive incubator duration coming from an evenly degradation of the risk management processes that gather over a long period of time.

Once risks are identified and quantified, they must be inferred at the organizational upper-management level. Inability to properly communicate risks to the top management may cause overall risk management failure. These failures are an indicator of unnecessary risk acceptance and/or exposure. In the risk management failure literature, Stulz (2008) showed that failures in risk management can be divided into six classes:

7. mismeasurement of known risks,
8. failure to take risks into account,
9. failure to communicate risks to top management,
10. failure to monitor risks,
11. failure to manage risks and
12. failure to use appropriate risk metrics or measurement systems.

Risk management failures can be caused by the use of improper risk metrics, which induces inaccurate measurements. A practical example is weather forecasting. The most common risk metrics in modern risk management is “Value at Risk” (VaR). Despite the fact that VaR has been proven to be a quintessential risk measure, meaningfulness is directly dependent on the quality of the associated answer and inherent question.

Taking into account the factors that may be accountable for risk management failure, it is consequently appropriate to affirm that operators and operational failure are the two main groups into which risk management failures may fall.

How to Avoid or Overcome these Failures

As discussed above, risk management failures can cause consequences for the organization in both time and costs. Therefore, understanding the strategy of how the organization is making profits and the risks inherent in the business model is essential in order to avoid such failures. Subsequently, top management must recognize empower and manage positions of trust; the employees whose activities can subject the organization to considerable or significant risk events must be carefully selected, trained and continuously evaluated. Establishing responsibility for outcomes and building a procedure for timely escalation – in addition to building a common risk language, shared definitions, a common culture of risk awareness and comprehensible procedures for measuring, monitoring, communicating and dealing with risks – are some of the main things an organization should consider when targeting a mature risk management approach.

Communication is another key process within any organization. Communicate regularly about risks that are more complex to measure and for which results cannot be forecasted with minimal confidence. Available, defined and detailed risk appetite is vital when defining unacceptable risk exposures.

Taking into consideration risk management failures, organizations should consistently manage risks by identifying, assessing, evaluating, prioritizing and monitoring them, continuously looking for opportunities to improve their risk stance. Concrete plans to support these processes should be enforced top-down.

These plans should balance: 

• Risk and benefit
• Risk and cost.

With all of the above in place, a useful and proven scheme for effectively managing many risks may be applied to streamline risk management and align it with best practices. Such a solution involves adopting an internationally recognized standard, such as ISO 31000, which is built on the most relevant best-practice scenarios from organizations worldwide and is general enough to reduce or eliminate bias. ISO 31000 explains the mechanism of risk management implementation. It provides a framework for implementing a risk management suite, rather than merely a framework for supporting the risk management process. Moreover, with due cognizance of its own internal and external contexts, an organization must recognize the applicable and relevant laws and should put into practice a system of controls to attain compliance. Additionally, ISO 31000 distinguishes the significance of feedback by means of two mechanisms: communicating and consulting, and monitoring and reviewing performance. Communicating and consulting ensures the engagement of relevant internal and external stakeholders while monitoring and reviewing guarantee that the organization observes risk performance, thereby gaining knowledge of experience and practices.

This piece was originally shared on the PECB blog and is republished here with permission.