Corporate Compliance Insights

Risk Management’s Tower of Babel

by James Bone
November 18, 2014
in Risk

I was a risk manager before risk management was cool!

It seems that everyone wants to be a risk manager today.  This is great news, because the more people that are thinking about risks, the better.  But there is uneasiness with risk management today that swings between a necessary evil and a “risk as a service” set of expectations.  The truth, as usual, lies in the details.

To date, no central self-regulatory group has emerged in risk management with the mission of defining the language of risk.  Risk management has developed from the ground up with a diverse and eclectic set of specialized risk standards that span industry, government, sovereign entities and the military.

Risk management has become “hip” and very confusing as well!

Should risk management be codified?

How an organization defines its risks shapes the expectations and duties of a risk manager.  How one measures a risk management program depends, in large part, on the success of its outcomes.  All too often organizational risk programs start with a definition of risks but fail to clearly define the expected outcomes of the program.

Vague definitions of risk outcomes are easily identified by statements such as “no surprises,” “proactive” and “look around corners.”  Even regulatory prescriptions such as “prevent, detect and correct” are less than informative.

Are these realistic outcomes or the wishes of management and regulators to not deal with uncertainty and the messiness of bad judgment?

Uncertainty — by definition — cannot be anticipated, including when it comes to the vagaries of human behavior and random events that can disrupt operations.  When unexpected events happen, is it a failure of the risk program or a chance event?  Risk happens, but all too often the inevitable second guessing of the risk program becomes a competitive sport inside and outside of organizations.

The imprecise use of the language of risk has led to unrealistic expectations of risky outcomes.  And yet codifying risk management may be easy in theory, but impractical in the real world.

There are benefits to standards and a common language in risk management.  The development of risk standards and frameworks has broadened risk awareness.   Less well understood is the difference between risks and uncertain events.

Humans, including risk managers, are still prone to judgment error and have not evolved the skills to “prevent and detect” uncertainty before it happens.   Judging a risk program when it fails to anticipate an uncertain event is like expecting risk management to accurately predict the weather 100 percent of the time.  We joke when the Weather Channel overstates adverse conditions, but careers are not ruined if the storm is more or less severe than expected.

Is the next milestone in risk management a fuller recognition of human behavior?  Standards and frameworks are less responsive to real-time risks.  The Bill Gross/Pimco dilemma is an interesting example of uncertainty.  And Gross is not the only example.   It is instructive that human behavior is hard to anticipate.   Maybe more instructive is the fact that most organizations don’t anticipate that uncertainty, not risk, is the big disruptor of organizational outcomes.

What is risk management?

Not surprisingly, if you research the definition of Enterprise Risk Management, you will get more than two dozen slightly different versions.  What other profession has 24 or more different definitions for one fundamental concept?

Risk, it’s complicated.

Let me give you one example of a definition for Enterprise Risk Management from a consultant in the health care industry.  A true quote:

“Health care risk management’s role was formally focused on claims and loss control. Over time, the risk manager graduated to an expanded focus on clinical risk in-hospital.  Unfortunately, the position remained reactive versus proactive, with a focus on [inspection check-off lists]… Today’s enterprise risk management approach must be system-wide, include a multidisciplinary approach and incorporate an integrated application designed to address risk across the continuum of care.  ERM’s goals must assist the organization in achieving its objectives, reduce uncertainty, minimize process variability, promote patient safety, maximize return on assets and enhance asset preservation while recognizing the diversity of risk possibilities.”

There are brilliant risk managers in every organization and a few may actually have many of the skills described above, but let’s assume that you are this person.   Would you be given the leverage and decision-making ability to accomplish all of the expectations described in this job description?  Risk management is seldom considered critical to strategic financial and business objective setting.

In reviewing each of the two dozen or more definitions of enterprise risk management, it is easy to understand why there would be some confusion given abstruse descriptions like the one above.

Risk management isn’t an effort conducted in the isolation of one department. Risk management is an outcome of grounded decision making across an organization.  Even great firms struggle with the challenge of coordinating the efforts of risk management and prioritizing the diversity of risks that are becoming more transparent.

Not all risks deserve the same attention

When things go badly in companies, “culture” is typically cited as the true cause.  Corporate culture may be overrated as a governance control, however.  Who is responsible for an organization’s culture?

In most organizations, senior management sets the tone for how aggressively or conservatively an organization pursues risky ventures.  Management incentives often determine which route is pursued, yet risk management is often judged by the outcome of the decisions that work out versus the ones that fail.

The uncertainty of choosing between the two is the real challenge!

Risk is in the eye of the beholder!

Research has shown that we each see risks differently.  Heads of state must deal with different risks than their counterparts in nonprofit organizations.  Is it realistic to expect a framework to account for the nuances inherent in all organizations?  Some managers are risk averse while others are risk takers.  Aligning the organization with the risks taken is the art of risk management.

Removing the Tower of Babel

Let’s simplify the language of risk.  If risk is in the eye of the beholder, we must be able to discuss risk using terms that everyone understands.  The importance of developing a common understanding of risks should not be underestimated.  A lack of agreement on risks is one of the leading causes of a failure to execute.

But in order to simplify the language of risk, it is important to talk in terms of how we each experience risk.  Even very powerful people like Bill Gross have fears.  Would things have turned out differently if communication had not broken down?  We will never know the answer, but it is clear that risk management is as intimate as a broken relationship.

Sometimes, risk management is just about listening and being heard.


James Bone

James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbott Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors.
James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.  
