How Can So Many Get Risk Management Wrong? 3 Ways to Fix Your Approach


I am not a fan of Risk Management (RM) where:

  • The Enterprise Risk Management (ERM) function is focused on informing the Board.
  • A RM function is set up to collect data and prepare reports.
  • Risk managers believe risk is best understood by considering only two factors.
  • Risk managers implement complex analysis to find the one “answer” to a risk.
  • RM is integrated into decision making.

I know – these are incendiary words for many internal auditors and risk managers. While I have been engaged both as a member of the oversight group for the 2017 COSO ERM project and the working group that wrote ISO 31000:2019, as well as being the chief internal auditor (CAE) for a large global company and consulting with other companies, I am not THE expert in risk management. However, I believe there are some obvious problems with how RM is commonly approached, and I will suggest below three ways to improve RM’s impact on decision making.

Basic Understanding of Risk Management

Let’s reexamine some of the most fundamental aspects of risk management to level-set our approach.

Risk Management Is Not vs Risk Management Is

When I was part of a management team acquiring and divesting businesses, evaluating capital projects, setting pricing strategy, and exploring investments in new technology, risks were an integral part of each decision. I may have addressed the risks poorly or well, but I was still doing “risk management” as an integral part of making the decision. RM may be best thought of as a mindset and discipline – supported by tools, expertise, and process.

3 Tips to Improve Risk Management’s Impact on Decision Making

The question is not whether to manage risk, but how to manage risk. Will it be through ad hoc, inconsistent, or poorly-executed actions? Or, through disciplined thinking and structure to make sure it is managed correctly?

Many examples exist to show the need for improvement in RM ranging from large catastrophic failures (e.g., Lehman Brothers) to small, but impactful, decisions made in companies every day. While central ERM functions, consultants, and technology can be great tools to improve RM, it seems all too many resort to using disconnected ERM functions, RM consultants who leave, and mindless implementation of sophisticated technology. Each of these can be valuable steps to mature RM efforts, but they are too often seen as standalone answers to improving RM. Instead, I would suggest a holistic approach that encompasses the following:

1. Focus centralized RM functions on providing expertise and tools to those making decisions.

This means implementing RM improvements at the place and time that decisions are being made. When I was the finance director for a global billion-dollar business, we had plants across the world. We used a centralized expertise center to continuously improve how the plants ran. Local management still ran the plants, but leaned on the central group for help. The same approach could be used for RM, where RM experts do not take ownership over the “risk aspect” of decisions, but come alongside decision makers and help them use RM expertise to make better decisions.

2. Spend resources only when and where they are justified.

Some risks require a lot of attention, some require little. For example, I was approached by a business leader to help on a licensing agreement he was negotiating. The two parties had a significant difference of opinion on the variability of the future effectiveness of the technology to improve our business’s products. We could have spent hours drawing up diagrams, collecting data for Monte Carlo simulations, rating risks, etc — but that was unnecessary. Instead, we developed a stage gate process whereby payments for the technology were paid only upon proven performance. We effectively shifted the risk to the other party with very little effort. By thinking through the nature of the risk and potential responses, we got to the right answer without much effort. We deployed RM in the form needed to improve the decision.

3. Use technology, but do it mindfully.

Early in my internal audit career I set out to improve a very antiquated risk identification and assessment process for the CAE. I incorporated some sophisticated modeling tools and was able to generate numbers representing quantifiable risks. However, no one in my group believed them. I had generated numbers, but they failed to incorporate the critical quantitative and qualitative factors needed for risk assessment. I later came to learn that many CAEs “tweak” the output of their model-based quantitative risk assessment in finalizing audit plans. This was a case of blindly relying on the output of an automated system when certain aspects of risk are not fully understood or able to be incorporated into the model. Use the tools properly, but inject the necessary qualitative assessment in analyzing risk.

There are many specific ways to improve RM, but all start with a proper understanding. I challenge you to rethink how you view RM – a centralized, formal process that has no substantive impact on your organization or a functional discipline that improves decision making. Don’t immediately start with lists of risks, mathematical models, charts, and endless meetings. Instead start with understanding your business, the decisions to be made, and how the risks that are an integral part of your decisions will impact your business’ success.
Doug Anderson, CIA, CRMA, CMA, CPA, has focused on many aspects of assurance, risk management, finance, and accounting in his career. He has served as CAE Solutions Managing Director at The Institute of Internal Auditors, Inc; was an Assistant Professor of Accounting and Finance at Saginaw Valley State University; spent 22 years at The Dow Chemical Company primarily in internal audit including 9 years as CAE; and spent 10 years with PwC early in his career. Doug has held many volunteer positions at The IIA and has participated in COSO projects, ISO committees, and the PCAOB Standing Advisory Group.