If you haven’t seen this, download a copy of Protiviti’s “Ten Common Risk Management Failures and How to Avoid Them”.
They discuss, with clarity, ten mistakes:
- Poor governance and tone at the top
- Reckless risk-taking
- Inability to implement enterprise risk management
- Non-existent, ineffective, or inefficient risk management
- Falling prey to a “herd” mentality
- Misunderstanding the “if you can’t measure it, you can’t manage it!” mindset
- Accepting a lack of transparency in high-risk areas
- Not integrating risk management with strategy-setting and performance management
- Ignoring the dysfunctionalities and “blind spots” of the organization’s culture
- Not involving the board in a timely manner
Most of these are pretty straightforward. Turning to #3, “Inability to implement enterprise risk management”, I would have made it clearer that while some organizations have a risk management program, their program does not include all risks to the organization, including strategic risks and risks external to the enterprise. Too many have risk management programs that appear well-resourced and mature, but (in the case of financial services companies) don’t go beyond looking at risks in their portfolio or positions. Others continue to think of risk management from the perspective of insurance and safety, and are then taken by surprise by an adverse event related to reputation or credit risk.
I very much like the discussion in #4, where they bring up the term (a favorite of Jim DeLoach) “enterprise list management”. One of the failures I see time and again is relying on a ‘risk register’, and only monitoring and assessing risks in that list. Organizations put themselves in a box and are blind to risks that they have not previously included in the risk register.
Point #8 is, for me, critical if you are going to manage the risks that matter – the risks that may affect your ability to achieve your objectives.
I would add two more to the list. The first is complacency: thinking that you have an effective risk management program that does not need improvement. The financial crisis saw several organizations with much-touted risk management programs suffer the indignity of being proven wrong. The second is a lack of interpersonal skills. Strange as it may seem, if the Chief Risk Officer does not have the ability to influence and persuade management and inform the board, the whole program may be for naught.