Corporate Compliance Insights

5 More Common Risk Management Failures

by Jim DeLoach
May 2, 2016
in Risk
Is your organization guilty of these risk management missteps?

In last month’s column, we introduced five common risk management failures along with indicators of each:

  • Poor governance and “tone at the organization”
  • Reckless risk-taking
  • Inability to implement effective enterprise risk management
  • Nonexistent, ineffective or inefficient risk assessment
  • Not integrating risk management with strategy-setting and performance management

The warning signs for each of the above failures give the Board and management a diagnostic to check the health and vitality of their organization’s risk management.

Below we detail five more common risk management failures, along with warning signs for each. As with the first five failures discussed last month, we separate the warning signs for these additional failures into organizational, process and behavioral indicators.

#6: Falling Prey to a “Herd Mentality”

Several years ago, I participated on a panel at a conference for directors and executives in Utah. During my remarks, I talked about how lax regulation, financial innovation gone awry, nonexistent underwriting standards, over-the-top leverage and short-term motivations driven by incentive compensation programs contributed to the global financial crisis. But more important was the sheer volume of activity by all of the contributing parties – mortgage brokers, lenders, mortgage insurers, investment banks, credit default swap issuers and institutional investors.

When I used this unprecedented environment as a context for discussing the role of risk management, a director asked how a bank could avoid taking on the risks of subprime lending when its competitors were all in. In response, I pointed out that few of the market players knew when to stop, as limits were virtually nonexistent, and that led to heavy concentration and counterparty risks.

It is one thing to engage in legitimate business activity. It is quite another to know when the risks of doing so have reached an unacceptable level. Too much of a good thing can become a bad thing when following the herd. Eventually there will be a mad scramble for the seats when the proverbial music stops.

Some key indicators of this issue are:

Organizational indicators:

  • Management continues to execute the same strategy and business model, regardless of whether market conditions may be invalidating the critical assumptions underlying the strategy.
  • The organization focuses on its current profitable product portfolio and markets without regard to identifying new market trends, emerging risks and underserved niche opportunities and considering breakthrough innovative ideas to change the status quo.

Process indicators:

  • The risks underlying execution of the strategy are not evaluated periodically to ensure the strategy remains on target.
  • Management approaches the planning and budgeting process with a single-point estimate or view of the future; alternative scenarios are rarely considered when conducting periodic stress tests of financial performance.
  • Scenarios used to stress test financial models are not extreme enough to assess the implications of disruptive change in the marketplace.
  • Management does not monitor changes in the external environment for signs that point to the need to re-examine and challenge the entity’s operating model.

Behavioral indicators:

  • The organization is too insular in its outlook, leading it to bypass “reality testing” its assumptions about markets and the business environment.
  • Management is so in love with the business model that the organization fails to view the world from the perspective of its customers’ experience and capitalize on the vulnerabilities and shortcomings of its competitors.
  • The organization is too reliant on a single market niche and takes no significant steps to diversify.

 

#7: Misunderstanding the “If You Can’t Measure It, You Can’t Manage It” Mindset

A prevalent view is that if one cannot measure a risk, one cannot manage it. While there is some truth to this assertion, many tend to use it as an excuse to do nothing at all with respect to understanding and addressing a difficult-to-measure risk. Because inability to measure a risk will not make it go away, solely managing the measurable is not good enough and ignores important issues. Leaders cannot bury their heads in the sand. Even if initial efforts to quantify a critical risk are crude at best, the improved understanding, awareness and resulting communications of the risk more than justify the effort.

Key indicators of this issue include:

Organizational indicators:

  • Management believes that risk measurement and risk management are the same thing.

Process indicators:

  • For the priority risks, the organization does not determine:
    • The extent of relevant data and information available for each risk.
    • The additional information needed to understand the risks and the available sources to use for purposes of developing key risk indicators (KRIs).
    • Whether alternative risk responses (such as avoid or share the risk) are appropriate for risks for which more data gathering or insight is not feasible.
    • Whether substitute or surrogate measures are available, e.g., if no direct information is readily available, the metrics currently used (often in the form of key performance indicators [KPIs]) might serve as relevant lead or lag indicators.

Behavioral indicators:

  • There is tolerance for risk exposures that management knows are significant but lacks data and information as to how large they really are (see failure #8).
  • The organization lacks a continuous-improvement mindset in risk management and, in particular, risk measurement.
  • The organization is too preoccupied with what its financial models indicate and is reluctant to encourage the exercise of judgment based on the data and information available.
  • The firm is inundated with reams of data; however, very little of it is useful information from a decision-making standpoint in dealing with key risks.

 

#8: Accepting a Lack of Transparency in High-Risk Areas

Lack of information for decision-making leaves management with little insight as to what is really happening in the business. Transaction complexity and volatility can obscure the full picture when management must make decisions. If this environment clearly exists within the organization and management does not seek to correct the situation, that in and of itself is a warning sign. Dysfunctional, excessive risk-taking is fostered by an inability to see the full picture. Simply stated, complexity masks the true economics.

When facts are clarified and management and the Board can discuss everything out in the open, the best decisions result. Accordingly, it is vital that executive management creates an open, positive culture with respect to risk that fosters risk awareness and effective risk management across the enterprise. Transparency enables all stakeholders, including the Board of Directors, to understand both how the firm’s business model is performing and the risks inherent in the business.

Key indicators of this issue include:

Organizational indicators:

  • An enterprisewide view of the critical risks is inhibited due to a high level of decentralized decision-making, proliferation of risk management silos and ineffective oversight.
  • Executive management has not created an open, positive and risk-aware environment where people can raise their hands, express concerns and raise issues with confidence that their careers or compensation will not be threatened.
  • There is a lack of focus, discipline and control around improving risk management capabilities over time as the business environment changes.

Process indicators:

  • Policies with respect to establishing accountability for the largest risk exposures are either nonexistent or deficient.
  • The entity’s risk appetite statement does not address unacceptable risk exposures.
  • Performance is evaluated after the fact due to the lack of data analytics and lead KRIs that offer a more anticipatory view.
  • Reports are not submitted to executive management and the Board regarding the organization’s largest risk exposures undertaken by different business units and activities, with appropriate commentary on the ones that are being managed well and those that are not.

Behavioral indicators:

  • Unexpected surprises occur periodically as a result of previously unknown risks.
  • There are “multiple versions of the truth” with respect to certain risks.
  • The Board of Directors desires greater transparency to size the magnitude of the organization’s exposure to risk, yet the Board is not satisfied it is getting such transparency.

 

#9: Ignoring the Dysfunctionalities and “Blind Spots” of the Organization’s Culture

Everyone knows that an organization’s culture can have a huge impact on its ability to prevent the occurrence of unacceptable risk events, as well as identify new and emerging risks in a changing business environment on a timely basis. Openness, transparency and accountability are topics every organization should be considering on an ongoing basis, with an eye toward improving its culture continuously. More importantly, firms should pay attention to the root cause of management’s missing the warning signs that something is either wrong or isn’t working, particularly in situations that objective parties can recognize easily when armed with the benefit of 20/20 hindsight.

The following are key indicators that organizational dysfunctionalities and blind spots may exist:

Organizational indicators:

  • Gaps and overlaps exist in risk management ownership responsibilities.
  • There is inadequate linkage between risk management and priority business issues.
  • There is a lack of open dialogue among the people who matter regarding risks and opportunities.

Process indicators:

  • There are reward systems incentivizing or encouraging extreme entrepreneurial risk-taking.
  • Escalation processes to ensure that significant problems are recognized and addressed promptly are either nonexistent or ineffective.
  • There are no consequences or actions taken to address violations of established policies and limits related to the largest risk exposures.

Behavioral indicators:

  • The culture surrounding entrepreneurial risk-taking activities is disproportionately strong relative to control activities.
  • There is pressure to achieve unrealistic targets and executive resistance to bad news.
  • Internal competition is fostering a warrior culture.
  • There is tolerance for obvious conflicts of interests.

 

#10: Not Involving the Board of Directors in a Timely Manner

Lack of Board involvement with significant issues on a timely basis results in management not receiving the benefits of the Board’s experience with respect to managing critical risks. The Board needs to be involved with such matters in a timely manner to discharge its risk oversight responsibilities. From the perspective of the shareholders, the Board is the last line of defense.

Key indicators of this issue include:

Organizational indicators:

  • Directors are not fully knowledgeable of the priority business risks facing the company.

Process indicators:

  • The organization’s risk profile is rarely, if ever, discussed at the Board level in a meaningful way.
  • The Board is not satisfied that management’s strategy-setting process appropriately considers, in a robust manner, the risks inherent in the business model.
  • Management does not engage the Board in substantive discussions regarding the enterprise’s risk appetite and whether the entity’s risk profile is consistent with it.
  • Directors lack confidence in management’s process for identifying emerging risks.
  • The Board is not satisfied with the risk reporting it receives.

Behavioral indicators:

  • The Board is only engaged in occasional, ad hoc treatment of risks and risk management.
  • Management habitually informs the Board after the fact when significant risks are undertaken.

 

Closing Thoughts

In summary, coupled with the five risk management failures we discussed last month, we have now introduced 10 common areas where risk management fails. The key indicators we offer for these failures provide the basis for a diagnostic that the Board and executive management can use to evaluate the health and viability of the organization’s risk management capabilities.


Tags: Data Governance
Jim DeLoach


Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.
