
Should We Abandon Risk Assessment, Risk Management and Risk Appetite?

By Norman Marks

Many organizations perform a periodic risk assessment and arrive at what they consider to be the level of each risk.

The traditional approach is to share that in a list of risks with management, and perhaps the board, to see whether each risk is acceptable (within some limit, threshold or so-called risk appetite) and to determine what to do about it: accept, manage or mitigate.

Carol Williams describes this approach in an older article on her website, "4 Risk Response Strategies You Will Have to Consider After Assessing Risks." (I thank her for referencing one of my books in it.) I wonder if Williams continues to believe these four risk responses, which are traditional and recommended in most frameworks and guides, remain appropriate. I suspect she has moved on.

The four traditional responses are:

  1. Avoid
  2. Reduce
  3. Transfer
  4. Accept

Her article recognizes the need for continuing monitoring to ensure that responses change should the risks and business conditions change.

The Diminishing Returns of Risk Management

More and more people are recognizing that managing or mitigating a list of risks is not effective, nor of much value beyond compliance: doing what is required by the regulators rather than what is needed by the business.

What Would Risk Management Do?

Let’s imagine that I am the new Minister of Defense and Q, the risk manager in the weapons development function, rushes into my office. He tells me that we have a serious problem.

"We just updated our risk assessment and I found out that Troop A is going to deploy one of our latest night vision devices in the field for an operation 105 miles into hostile territory. We can't afford the risk that our new technology falls into enemy hands! The risk appetite statement approved by the Defense Risk Committee prohibits it."

Even though I am new in the position, I am aware that the device is leading edge and could be used against us by terrorists if it fell into their hands. I also know that the plan is to attach a gizmo so that the device can be destroyed remotely should it be lost or captured.

Q tells me that Troop A isn't waiting for the gizmo, which is still in final trials, to be attached. They are recklessly taking the device out without that precaution.

I give him a cough drop and get him to calm down, then call in the head of Operations, M.


Managing Risks Shouldn't Happen in a Vacuum

M tells me that she is very aware of Q's concerns. They were considered as part of her team's robust decision-making process.

Her team used scenario planning (see this article for a discussion of its value) to think through all the things that might happen under every reasonable option.

My response to Q’s risk assessment is to:

  1. Understand the context. I am not interested in ‘managing risk’ for its own sake. I am interested in making the right decision for our national security, considering both short and longer-term interests and goals.
  2. Understand what M is trying to achieve. After all, it is ‘risks to objectives’ that should be taken or managed.

She tells me that there is an opportunity, if a quick strike is made, to capture the top leader of a terrorist organization that has been responsible for the deaths of many people. The terrorists are also making it very difficult for the local government, a strategic ally, to function.

The strike would in addition capture important information about the terrorists’ plans, network and capabilities.

This is in line with our overall strategic goals in fighting terrorism overseas and limiting their capability to attack us at home.

  3. Confirm that all the risks and opportunities were considered and assessed using a reliable process, enabling the decision-makers to see the big picture and weigh all the pros and cons.
  4. Have M explain what options were considered and why the team believed that the benefits of using the device outweigh the risks.
  5. Challenge her.
    • See if we should wait for the gizmo to be attached. What would we give up, in terms of value to our objectives, by waiting? How would the likelihood of capturing the terrorist change?
    • What would happen if we do not use the device? Would it increase other risks, such as the risk of loss of our personnel? Would it reduce the level of opportunity and the likelihood of mission success?
    • Ask whether the value could be increased further to justify taking the risk of losing the device, if it is a close decision. How could the mission be changed to increase the likelihood of capturing the leader alive, so that we can interrogate him?
    • See if using more devices (!) and deploying a larger team would improve the equation. Perhaps it would increase some risks, such as loss of the device and/or personnel, but reduce others, and perhaps increase the likelihood of achieving the mission goals.
    • Confirm that the decision was made using reliable, current information.
    • Verify that the right people were involved and that they were neither overly risk averse nor overly risk embracing. (Was 007 involved?)
    • Question whether the decision was unanimous. If not, who objected and why?
  6. Given that the risk seems to be high, decide whether I need to get personally involved to confirm M's decisions, or even escalate the matter to the President herself.


Don't Manage Risk, Manage for Success

The potential responses to this or any other risk assessment are not the four traditional ones. To start with, you usually cannot transfer a risk; you can only share it.


Before deciding on risk treatment:

  1. Understand the context: the nature of the problem and what we are trying to achieve.
  2. Determine how long we have to make the decision — considering the prima facie level of the risk and/or opportunity.
  3. Involve others as needed, perhaps escalating to more senior management, to make the best decision.
  4. Obtain all necessary information (given time constraints).
  5. Determine whether, looking at the big picture, the situation and plans are acceptable.
  6. Understand the options, which may include modifying one or more risks, one or more opportunities, or both.

Then, and only then, decide what to do. That may involve, for each individual or combination of risks and opportunities:

  1. Avoiding one or more risks, but with full knowledge of what you are giving up.
  2. Taking one or more risks, with full awareness of the risk.
  3. Reducing the range of impacts of one or more risks and/or their likelihoods.
  4. Increasing the level of risk being taken!
  5. Increasing the level of opportunity.
  6. Sharing one or more risks, such as through insurance.
  7. Changing the objective(s)!!
  8. Changing the strategy!
  9. Deferring the decision and monitoring for change.

Rather than ‘assessing’ and ‘managing’ one risk at a time, you are managing for success.

Both risks and opportunities need to be assessed in a way that lets the decision-maker see the big picture, weighing all the things that might happen.

Rather than making a decision based on the notion of a risk appetite, make it based on the likelihood of success. Is the likelihood of success acceptable, given both risks and opportunities?

Make Risk Management Work for Us

This is what I consider effective risk management.

I can understand why people like Grant Purdy believe we should stop talking about risk management because the focus should be on decision-making. I believe we should focus on success management — which is possible only if we can make informed and intelligent decisions.

But the regulators insist that we have risk management, so I am not discarding the term.

Instead, we should make risk management work for us — as discussed here and in "Risk Management for Success."

How would you tackle the situation with Q, M, and the rest?

How can and should we change risk management?

I welcome your thoughts.

PS: The way for internal audit to assess risk management is to determine whether it meets the current and future needs of the organization. Does it help leaders and those running the organization every day make the informed and intelligent decisions necessary for success? My book includes a maturity model that may help.

About the author

Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world, the author of World-Class Risk Management and publishes regularly on his own blog.

About CMSWire

For nearly two decades CMSWire, produced by Simpler Media Group, has been the world's leading community of customer experience professionals.