Corporate Compliance Insights
Risk Management’s Tower of Babel

by James Bone
November 18, 2014
in Risk
I was a risk manager before risk management was cool!

It seems that everyone wants to be a risk manager today.  This is great news, because the more people that are thinking about risks, the better.  But there is uneasiness with risk management today that swings between a necessary evil and a “risk as a service” set of expectations.  The truth, as usual, lies in the details.

To date, no central self-regulatory group has emerged in risk management with the mission of defining the language of risk.  Risk management has developed from the ground up with a diverse and eclectic set of specialized risk standards that span industry, government, sovereign entities and the military.

Risk management has become “hip” and very confusing as well!

Should risk management be codified?

How an organization defines its risks shapes the expectations and duties of a risk manager.  How one measures a risk management program depends, in large part, on the success of its outcomes.  All too often organizational risk programs start with a definition of risks but fail to clearly define the expected outcomes of the program.

Vague definitions of risk outcomes are easily identified by statements such as “no surprises,” “proactive” and “look around corners.”  Even regulatory prescriptions such as “prevent, detect and correct” are less than informative.

Are these realistic outcomes or the wishes of management and regulators to not deal with uncertainty and the messiness of bad judgment?

Uncertainty — by definition — cannot be anticipated, including when it comes to the vagaries of human behavior and random events that can disrupt operations.  When unexpected events happen, is it a failure of the risk program or a chance event?  Risk happens, but all too often the inevitable second guessing of the risk program becomes a competitive sport inside and outside of organizations.

The imprecise use of the language of risk has led to unrealistic expectations of risky outcomes.  And yet codifying risk management may be easy in theory, but impractical in the real world.

There are benefits to standards and a common language in risk management.  The development of risk standards and frameworks has broadened risk awareness.  Less well understood is the difference between risks and uncertain events.

Humans, including risk managers, are still prone to judgment error and have not evolved the skills to “prevent and detect” uncertainty before it happens.  Judging a risk program when it fails to anticipate an uncertain event is like expecting risk management to accurately predict the weather 100 percent of the time.  We joke when the Weather Channel overstates adverse conditions, but careers are not ruined if the storm is more or less severe than expected.

Is the next milestone in risk management a fuller recognition of human behavior?  Standards and frameworks are less responsive to real-time risks.  The Bill Gross/Pimco dilemma is an interesting example of uncertainty.  And Gross is not the only example.  It is instructive that human behavior is hard to anticipate.  Maybe more instructive is the fact that most organizations don’t anticipate that uncertainty, not risk, is the big disruptor of organizational outcomes.

What is risk management?

Not surprisingly, if you research the definition of Enterprise Risk Management, you will get more than two dozen slightly different versions.  What other profession has 24 or more different definitions for one fundamental concept?

Risk, it’s complicated.

Let me give you one example of a definition for Enterprise Risk Management from a consultant in the health care industry.  A true quote:

“Health care risk management’s role was formally focused on claims and loss control. Over time, the risk manager graduated to an expanded focus on clinical risk in-hospital.  Unfortunately, the position remained reactive versus proactive, with a focus on [inspection check-off lists]… Today’s enterprise risk management approach must be system-wide, include a multidisciplinary approach and incorporate an integrated application designed to address risk across the continuum of care.  ERM’s goals must assist the organization in achieving its objectives, reduce uncertainty, minimize process variability, promote patient safety, maximize return on assets and enhance asset preservation while recognizing the diversity of risk possibilities.”

There are brilliant risk managers in every organization and a few may actually have many of the skills described above, but let’s assume that you are this person.  Would you be given the leverage and decision-making ability to accomplish all of the expectations described in this job description?  Risk management is seldom considered critical to strategic financial and business objective setting.

In reviewing each of the two dozen or more definitions of enterprise risk management, it is easy to understand why there would be some confusion given abstruse descriptions like the one above.

Risk management isn’t an effort conducted in the isolation of one department. Risk management is an outcome of grounded decision making across an organization.  Even great firms struggle with the challenge of coordinating the efforts of risk management and prioritizing the diversity of risks that are becoming more transparent.

Not all risks deserve the same attention

When things go badly in companies, “culture” is typically cited as the true cause.  Corporate culture may be overrated as a governance control, however.  Who is responsible for an organization’s culture?

In most organizations, senior management sets the tone for how aggressively or conservatively an organization pursues risky ventures.  Management incentives often determine which route is pursued, yet risk management is often judged by the outcome of the decisions that work out versus the ones that fail.

The uncertainty of choosing between the two is the real challenge!

Risk is in the eye of the beholder!

Research has shown that we each see risks differently.  Heads of state must deal with different risks than their counterparts in nonprofit organizations.  Is it realistic to expect a framework to account for the nuances inherent in all organizations?  Some managers are risk averse while others are risk takers.  Aligning the organization with the risks taken is the art of risk management.

Removing the Tower of Babel

Let’s simplify the language of risk.  If risk is in the eye of the beholder, we must be able to discuss risk using terms that everyone understands.  The importance of developing a common understanding of risks should not be underestimated.  A lack of agreement on risks is one of the leading causes of a failure to execute.

But in order to simplify the language of risk, it is important to talk in terms of how we each experience risk.  Even very powerful people like Bill Gross have fears.  Would things have turned out differently if communication had not broken down?  We will never know the answer, but it is clear that risk management is as intimate as a broken relationship.

Sometimes, risk management is just about listening and being heard.


Tags: corporate governance
James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors.
James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.