Corporate Compliance Insights

3 Fatal Mistakes Most Risk Consultants Make

by Alex Sidorenko
March 13, 2017
in Featured, Risk

Is Yours Missing the Point?

The purpose of risk management isn’t solely to avoid and mitigate risks. That is a key part, yes, but most risk professionals overlook the equally critical part: improving business processes and decisions. Here are three common traps risk managers and consultants fall into.

Warning: this article may upset some conservative risk managers.

Risk management in modern nonfinancial companies is very different compared to, say, five years ago. The level of risk management maturity, for lack of a better word, has grown significantly.

As more and more companies across the globe are looking to implement robust risk management, the demand for risk management consultants is also growing. Unfortunately, not all risk consultants are able to generate long-term value for their clients. Here are three reasons why:

#1: Selling the Wrong Product

Nonfinancial companies want to buy, and many risk consultants continue to sell, risk assessments, risk management frameworks, risk appetite statements and risk profiles. What do all these products have in common? I am being intentionally provocative here, so I will say they are all missing the point completely: they are designed to measure, capture or document risks, making us all believe that risks and their mitigation are the ultimate goal of the exercise.

Over the years, this tendency to treat risk management as a separate, standalone (some go as far as to say independent) process with its own inputs (data, interviews, experts) and outputs (risk reports, risk matrices, risk registers) created a whole community of risk consultants who seem to be missing the point completely. Risk management is not really about dealing with risks; risk management is about helping companies achieve their objectives and make better decisions.

OK, sometimes it may be useful to capture risks for the sake of risks and discuss them with the management team, but this should be more an exception than a norm.

So if risk management is not about risk assessments or risks, then what?

I believe that risk management is ultimately about changing how companies make decisions and operate with risks in mind.

By far the two biggest modern trends in risk management are: 1) integration into business processes and decision-making and 2) human and cultural factors. Yet it seems most modern risk consultants completely ignore both of them. For example:

  • It is fundamentally wrong to measure risk level when instead you could measure the impact risks have on key objectives or business decisions using budget@risk, schedule@risk, profit@risk or KPI@risk.
  • I believe any qualitative risk analysis based on expert opinions is evil.
  • It is wrong to have a risk management framework document when instead you can integrate risk management principles and procedures into operational policies and procedures, like budgeting, planning, procurement and so on. I bet this example upsets quite a few of you.
  • It is a mistake to try and use a single, enterprise-wide approach (sometimes referred to as ERM) to measure different risks. Different risks, different types of decisions and different business processes deserve unique risk methodologies, risk criteria and risk analysis tools.

Join the discussion in the G31000 group dedicated to ISO31000:2009 to find out more about the latest trends in risk management. As strange as it may sound, many risk consultants still have not read the ISO31000:2009 or are unaware of the changes happening to the most popular risk management standard worldwide (officially translated and adopted in 65+ countries and currently being updated by 200+ experts from around the world).

The reality is, most risk management consultants sell completely wrong products. Management doesn’t care about risks; they care about making decisions that will hold in court, making money and meeting KPIs. No wonder modern risk management is mainly lip service.

The funny thing is that corporate risk managers make exactly the same mistakes. They, too, need to show value from risk management and fail to do so by focusing on risks (their domain) instead of business processes or decisions (business domain).

#2: Confusing Risk Management with Compliance

Did you know that, unlike many other ISO standards, ISO31000:2009 is not intended for certification purposes? This was a conscious decision made by the people working on the standard at the time. It is a guidance document.

Risk management is just not black and white. For example, risk management is about integrating into decision-making and business processes, but every organisation will find its unique way of doing so.

Many consultants make a huge mistake in insisting on a single version of the truth. Nonfinancial regulators or government agencies make an even bigger mistake by taking guidelines and making them compulsory. Take COSO:ERM in the U.S.: a bad document made obligatory for listed companies.

By far the best way to assess risk management effectiveness is by applying a risk management maturity model. Just keep in mind that most existing maturity models were created by consultants who miss the big picture (see point 1).

#3: Failing to See the Intimate Details

One of my good friends, Anna Korbut, said an interesting thing a few years ago: “Risk management is a very intimate affair.” I liked this phrase, so I’ve used it ever since. Risk management truly is intimate and unique. Working in risk management for over 13 years in four different countries, I have seen close to 300 risk management implementations, and yet every single one was unique in some way.

Unfortunately, many consultants fail to dig deep enough to see how risk management is really implemented into organisational processes and into the overall culture of the organisation.

Risk management goes against human nature (see the research by D. Kahneman and A. Tversky), so most of the time, risk managers use techniques that border on neurolinguistic programming or on building an internal intelligence network. Here are just two examples:

  • I personally created a table tennis tournament in the company where I used to work to get an opportunity to meet all business units in informal settings and build rapport. This had a bigger positive impact than monthly executive risk committee meetings where all the same department heads were present.
  • A colleague of mine created the whole operational planning procedure within the company to reinforce the need to discuss risks on a daily basis.

The key takeaway is this: unless specifically asked, most risk managers will never disclose how they really build risk management culture within the organisation or how they integrate risk analysis into the business. ISO31000:2009 defines risk management as coordinated activities to direct and control an organization with regard to risk. In practice it consists of about a thousand small things risk managers do on a daily basis, most of which may not directly relate to risk. Yet it is those small things that build risk management culture within the organisation. Unfortunately, most risk consultants are quick to jump to conclusions and do not bother to dig deep enough to see all the nuances.

Risk management in every company is unique; it is the risk consultant’s job to figure out how it all comes together to build a better risk-based organisation.

P.S. Remember: if your consultant is showing signs of any of the above, it’s time to have an honest chat with him/her.


Tags: Enterprise Risk Management (ERM)
Alex Sidorenko

Alex Sidorenko is a risk expert with over 15 years of private equity, sovereign wealth fund risk management experience across Australia, Russia, Poland and Kazakhstan. In 2014, Alex was named the Risk Manager of the Year by the Russian Risk Management Association. As a VP at the Institute for Strategic Risk Analysis in Decision Making, Alex is responsible for risk management consulting, training and certification across Russia and CIS. Alex is the co-author of the global PwC risk management methodology, the author of the risk management guidelines for SME (Russian standardization organization), risk management textbook (Russian Ministry of Finance), risk management guide (Australian Stock Exchange) and the award-winning training course on risk management (Best Risk Education Program 2013, 2014 and 2015).

© 2022 Corporate Compliance Insights