Making decisions unburdened by ‘risk management’ myths

This year Grant Purdy is speaking again at RAW2020, giving a workshop prepared by himself and Roger Estall.

The workshop will run on 12 October and details are here.

During long careers Grant and Roger have often been engaged to investigate decisions that have gone spectacularly wrong or resulted in other than the intended outcomes. This has helped them develop an objective appreciation of what ‘good’ decision-making looks like and therefore, what characterises a ‘good’ decision.

This workshop will describe the universal method of decision-making – which is what all decision makers actually use – and explain how the combination of understanding and awareness of that method, and mastery of its elements, is what differentiates between successful and unsuccessful decision-makers.

There will be, therefore, focus on clarity of Purpose because it is in the pursuit of purpose that all decisions are made, and we will explain – with reference to assumptions and subsequent changes in the context in which decisions are made – how the outcomes of decisions can differ from those intended or desired.

While a fundamental part of making decisions requires understanding and dealing with uncertainty, as Grant and Roger explained in RAW last year, attempting to take account of and resolve uncertainty via the concept of ‘risk’ the and constructs of ‘risk management’ is neither an effective nor a logical path to adopt. 

Hence, they will explain again this year how, by drawing attention away from the universal method of decision-making, the distraction of ‘risk management’ often leads to poor decisions. On the other hand, they will show how awareness and skilful application of the universal method of decision-making enables Deciders to achieve sufficient certainty that their decision will contribute to purpose and deliver the intended (rather than unintended) outcomes.

Conversations with Mark Siwik

Mark Siwik, CEO of SandRun Risk is hosting a series of three conversations with Grant Purdy on the company’s Blog.

First instalment, September 2020

You can read the first instalment here.

Part 1 of the monthly conversation concerns Grant’s background and experience from working more than 40 years on practical applications of risk management and how he has focussed on helping people make even better decisions.

Second instalment, October 2020

The second instalment is here. This focuses on the book Deciding.

Third instalment, November 2020

The third instalment is here. The deals with how to make even better decisions.

The IIA’s Three Lines Model

The Institute of Internal Auditors has recently updated its Three Lines of Defense Model, which is now called the “Three Lines Model”.

Last year’s review and my comments

Last year, when the IIA initiated its review of the existing Three Lines of Defense Model I was asked by them to comment on the main weaknesses of the current model. I replied:

The main weaknesses in the Three Lines of Defence Model

The model is totally artificial. It does not represent how organisations and the people in them make decisions to help them achieve their organisation’s purpose. It wrongly promotes technical silos (the 2nd line) who take on responsibilities that rightly should be management’s. While this may inflate the egos and incomes of those heading up the silos, the net effect is detrimental for the organisation.

My greatest criticism is that it is not about the monitoring that should be taking place to ensure organisations pursue success through the normal process of decision making in order to achieve their purpose. Rather, the focus has become the organisational structure and the labels attached to support departments who in truth should always be under the direction of management and to provide support to decision makers.  This is particularly true of Internal Audit – which really does not need to exist as a separate, autonomous organisation: management may need some independent reviews of decisions it has made and of context and changes to that, but an internal regulator is not needed and is counter-productive.

The language of the model also supports the defunct concepts of risks and controls – ‘things’ that somehow ‘exist’ and have to be recorded and tabulated.  While, in reality, controls are just ordinary aspects of an organisation that exist because someone decided (often at some time in the distant past) that they were needed to ensure that the outcomes of a particular decision were as desired. In other words, they were secondary elements of some past decision.

However, these labelled ‘things’ gain a life of their own, disassociated from the original decision, listed and checked – even if their true rationale has been lost.  As a consequence, enormous resources are wasted and mis-directed monitoring these ‘things’ that often don’t really matter anymore, while others that do are ignored.

Similarly, with risk and risks: two terms that are used to strike up fear and concern when, in reality there is almost no agreement on what they are and what they mean, even among (so-called) risk management experts. The terms are so ambiguous and have become so discredited that its simply better to move on and leave them behind. Labelling a particular advisory department, the Risk (or Risk Management) Department only allows decision makers to abrogate their responsibility to ensure that with decisions they make there is sufficient certainty the desired outcomes will be achieved. 

Calling such advisors (if they are that) a line of defense both removes management accountability and also allows large amounts of resources to be mis-directed to the confections and processes those advisors and their silos think are important (to them). If you doubt this is true, ask anyone in the rest of an organisation how they think the ‘risk department’ creates value; even if they can answer this, few if any people will express belief in their own response if pressed.

What the model lacks is a fundamental recognition that it should just be about the strategies for monitoring (and not who does it).  Specifically, how those who make decisions check that:

  1. implementation of the primary element of a decision does not proceed as assumed or intended; or
  2. the secondary elements of a decision are either not properly implemented, malfunction or deteriorate over time;
  3. over the life of a decision (i.e. the duration in which its outcomes will continue to be experienced) changes in context occur that were not allowed for in the decision with the result that the actual outcomes change, and/or the decision no longer provides the best response to the opportunity that it was intended to exploit.

The primary elements of a decision are those features intended to exploit an opportunity in order to realise an organisation’s purpose. Secondary elements are those that make it more likely that the primary purpose will be realised.  Secondary elements include ensuring those implementing the decision correctly understand what is required of them and what the decision is intended to achieve; ongoing monitoring to detect change and contingent arrangements intended to be activated in foreseeable circumstances that otherwise could be disruptive or thwart achievement of the primary purpose.

What issues should have been addressed

When asked what “issues had to be addresses in the refresh”, I replied:

Drop all artificial language and concepts like controls and risks. Focus solely on the processes for monitoring and how these should be deployed in response to the needs of decision makers to ensure that decisions are sufficiently certain of achieving the desired outcomes – and that past decisions remain valid and continue to support the organisation achieving its purpose.

The new model

However, sadly, on reviewing the new model it is clear that the IIA has missed another opportunity to write something clear and simple. Instead, we have another word soup of jargon and confused ideas.

As soon as I read the introduction, I realised that instead of clear ideas, carefully expressed this document relies more on sophistry than common sense and practicality. How, for example can you say that organisations can bale the achievement of objectives “while” supporting strong Governance and “risk management”.  Surely, we have a Venn diagram here of three concentric circles. Surely “strong governance” must include good risk management” and governance can only be about the way the organisation makes decisions that allows it to achieve its purpose (“objectives”?).

Of course, ambiguity is ensured (and hence consultancy income) by the document not defining what it means by ‘governance’ and ‘risk management’, let alone ‘risk’. Also, the ‘r’ word is used variously as a noun a verb and an adjective.

We also have ‘managing risk’, ‘risk management’ (which seems to be an “action”) and also ‘risk-based decision making’ – which is a variant on the made-up term of ‘risk based thinking’ in ISO 9001.

The more I read this, the more confused I become. For example, I’m told that the “objectives” of ‘risk management’ are “compliance with laws, regulations, and acceptable ethical behaviour; internal control; information and technology security; sustainability; and quality assurance”. Is that it? No mention of making decent decisions here. And how can “objectives” be processes such as ‘quality assurance’ or vector qualities such as ‘sustainability’ – and what do all these terms mean, anyway?

When I get to the short section called “Applying the Model”, I realise the authors have both run out of intellectual steam and are beginning to cotton on that none of what they have written before makes much real sense in the real world. Despite the firmness of the previous advice, it seems you can choose how to adapt it how you like according to your “objectives” and “circumstances”.

So rather than being some fundamental truth of life, all this document really it is a web of interconnected and ambiguous words and half formed thoughts.

Consultants and internal auditors will love this – as it justifies their existence.

Should internal audit perform a risk assessment?

Assuming that there is a credible ERM function/process in place, IA needs to provide assurance that the ERM processes are effective, and they also need to validate that the key controls that management assumes to be working in their RA are in fact effective, but also IA should be able to some extent opine on whether the company-wide RA done by the ERM and management teams are reasonably stated and that they are not aware of any major discrepancies. To your point about continuous, every internal audit according to the COSO framework should be concluding about the adequacy of management’s RA process for the area/function reviewed.

Post by John Fraser on Norman Marks on Governance, Risk Management and Audit

John, stripped of all the jargon and acronyms, the ultimate purpose of whatever ‘ERM’ and ‘IA’ are meant to mean or be, can surely only legitimately be that the organisation makes the best decisions it can. That is because the only way that organisations can pursue their purpose is to make (and implement) decisions to take advantage of opportunities, and the only way it can achieve its purpose is by ensuring that the decisions are the best that can be made. This has always been so (long before anyone uttered the ‘a’ or ‘r’ word) and always will be so (long after the ‘a’ and ‘r’ words disappear from the business lexicon … hopefully, a milestone that is not too far away). And yet decision-making is not the focus of either ERM or IA and never has been.

As Grant Purdy and I say in our recent book ‘Deciding’ (which Norman kindly introduced here in his 25 April blog) organisations will have more success in pursuing their purpose if they consistently make ‘even better’ decisions.
In describing what we contend is a universal method of decision-making (i.e. the method used by all ‘Deciders’ whether they realise it or not) we have attempted to explain how to excel in applying each element of this method as it is this – decision-making skill – that is the only way organisations and their ‘Deciders’ can determine their success.

All those responsible for governance need have confidence about, is how well this method is being applied by the many Deciders across the organisation. In the same way that sales, RoI etc are visible to the governance team (because they bother to look) so too is the quality of decision-making easily discernible especially if those involved in governance and management themselves, excel. Trying to contract-in reassurance, rather than looking themselves, is an easy (but generally unsuccessful) cop out.

Ensuring consistently good decision-making is analogous to manufacturers or service providers achieving the intended levels of performance of their product (i.e. delivering ‘quality’). In the 80’s, those efforts switched from checking the final product and throwing out the duds, to focussing on design and execution of each of the steps of the process through which those products were made (in the understanding that dud products are the outcome of dud processes and good products are the outcome of good processes). So too must the focus of organisation performance monitoring, switch to the quality of decision-making.

So the message is, whether it is the board and management (or the cop-out of using a hired gun – however they may be described) just look at the people who are making the decisions and their decision-making skills. As we say in ‘Deciding’, it is a tricky business being a Decider so helping them individually and institutionally to make decisions is where the effort should go. Not in irrelevant ‘r’ and ‘a’ stuff with the associated focus on failure and checking for duds at the end of the decision production line.

COSO ERM in a COVID 19 World

Many wonder whether the current pandemic is another example of ERM failing. The same question was asked more than a decade ago during the financial crisis. While there will undoubtedly be risk management lessons learned from this crisis, it’s a reminder that ERM is more art than science. As long as people are involved, some risks will be missed and failed judgments will occur. But ERM and internal control frameworks can still provide valuable principles and insights as organizations start to emerge from this crisis. Over the next several days I’ll be posting thoughts on how COSO frameworks can help during the coming months.

Paul Sobel Chairman of COSO in LinkedIn

Why COSO ERM Will Not and Cannot Help People Make Better Decisions About COVID-19

Paul, ERM is not even an ‘art’. Its just a belief system with no settled, academically-supported or proven global body of knowledge.

Although aspects of ‘ERM’ activity might well draw on scientific and other validated areas of true knowledge – such as the mathematical calculation of probabilities – this does not validate the belief system envelope in which these skills are applied. ERM was a label invented by RIMS to distinguish a new business offering from its original insurance-based services. It’s just a three letter acronym invented for marketing purposes!

COSO just jumped on the concept when it wanted to make its ‘Internal Control Framework’ more relevant and its members wanted to counter the drop in revenue after the failure of Enron and subsequent restrictions on provided conflicting services.

All belief systems with three letter acronyms that attempt to resolve uncertainty in decision making via the constructs of ‘risk’ and ‘managing risk’ will not only fail but ultimately, can never succeed. This is also borne out by multiple surveys that show that ERM ‘maturity’ (whatever that means) is persistently low.

There are two obvious reasons for the failure of ERM and other forms ‘risk management’ to produce good decisions:

  1. the foundation word ‘risk’ has literally dozens of meanings and so has no utility or transactional value;
  2. it is fanciful to imagine that any approach based on a one-size-fits-all complicated systems of ‘risk management’ can or will be ‘integrated’ into the highly individual ways through which organisations function. 

Indeed, across my 40+ year career I’ve realised that I’ve yet to find an organisation asserting to practice ‘risk management’ that did not, in reality, have separate processes for ‘risk management’ and for actual decision-making.  Whatever ERM is thought or claimed to be, it neither does, nor can ensure effective decision-making. So why waste so much time and money on it? 

You’ve got to wonder, if COSO ERM was so good and useful, why every survey, every year seems to show such a low level of ‘maturity’ (whatever that word means) and why the constant response is that management and Boards don’t ‘get it’.

On the other hand, there is clear evidence that these people do ‘get it’, and realise it’s a con job that destroys rather than creates value – except for the consultants who are called in to help ‘implement’ it. Organisation’s only spend the minimum on the ERM artefacts, just to keep regulators happy and so that they can boast about it in annual reports.

The bottom line is that there is no evidence that ERM improves organisational performance. Although there are some faint correlations between organisations that are successful and those that adopt the risk management paraphernalia, correlation is not causation.

Any apparent correlations could be explained by already-successful organisations being able to afford to construct a ‘risk management’ edifice or being subjected to regulatory coercion.

None of the organisations I deal reached for their risk register when they had to decide how to respond to the disruption caused by COVID-19. Also, none of them consulted their risk appetite statement or ‘risk matrix either. Interestingly, none of them seemed to use their business continuity plans!

This is not surprising actually because what they all wanted to do is reduce their vulnerability to such disruptions and not, necessarily, return to their post-disruption state.

Many also saw and decided how to exploit the opportunities resulting from the disruption and, in some cases, the decided to exploit the vulnerability of others to gain an advantage. While clearly COVID-19 is having a devastating effect on organisations (and people) across the world, in the words of Winston Churchill: “never let a good crisis go to waste”!

Useless Risk Management Edifices that Organisations Build

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time.
It’s time to recognize the truth about risk management." 

Hans Læssøe commented that: "I guess too many companies have a risk management function only for the sake of being able to say, that they have it – and to produce reports that shows “we are doing well”. Executives had (and have) no intention of letting risk people involve themselves or tamper with decisions they are making or how they execute/operate."

Roger responded as below.


Your first paragraph (3 April) makes an astute observation. The essentially useless ‘risk management’ edifices that organisations build, play no meaningful role in assisting the daily task of making sound decisions – from top to bottom. (I put ‘risk management’ in inverted commas, incidentally, because although the expression is common, there is little that is common across all its users as to what it means or consists of!)

These edifices are established at great cost and inconvenience either because of regulatory pressures as illustrated by John Fraser’s later anecdote (such regulations are often a forlorn hope by governments that this will somehow avoid society being disadvantaged in some way or other) or because of supply chain obligations which, as with Covid-19, spread up and down the chain with ease, or because of virtue signalling by the new breed of woke directors who are not focused on their real job of adding shareholder value.

The fact is, as you say, these ‘risk management’ edifices exist as an externality to the real management activity (including strategy setting) that is providing the engine room for the organisation.

This is why ‘risk management’ has little influence or, worse still, why it has an adverse effect which is the more common consequence as a consequence of its distractive effect and resource wastage. At very least, it’s not seen as helpful to the daily challenge of making sound decisions because as the world has shown, repeatedly, that with or without ‘risk management’ it is perfectly possible to make both good decisions and bad decisions.

One doesn’t have to invert normality in order to make good decisions – just become a little more skilled in the steps that are already followed. There is no need for a ‘system’ or ‘framework’ (for which, read ‘edifice’) just decision-making skill.

The ‘Mess’ Risk Management Has Become

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time.
It’s time to recognize the truth about risk management." I responded as below.

How did we get in this mess?

42 years ago when I first started looking at what could go wrong, what it would lead to and how likely the effects were, it was quite clear that my role was exclusively to help those charged with making decisions. I did not seek to impose my arcane language and concepts on the decision makers. Indeed, a big part of my job was understanding their needs and the context and then after I had carried out my analysis, framing the information I gave them using terms and concepts that were meaningful to them. I did not insist they contort their language and ways of thinking to suit mine. I did not insist they either replace their business processes with mine or to run my processes in parallel.

I only worked for the decision makers, and if they could not understand and appreciate what I was telling them, that was my fault, not theirs.

Since then, and despite the Frankenstein monster ‘risk management’ having no solid foundation or universal meaning, the advocates of its many guises (normally with three letter acronyms) have created a perception in those responsible for the governance of organisations that ‘risk management’ was ‘good’ and should therefore be adopted.

This ‘Risk management’ belief system has been promoted as something that is both valid and indispensable: in effect something to be believed in as essential to good governance. But it is only a belief, there is little tangible evidence that ‘risk management’, whatever that term means, actually helps organisations make better decisions and thereby enhances their performance.

Organisations have been encouraged by ‘risk management’ advocates to give effect to this belief by superimposing a ‘risk management framework’ across the organisation comprising various edifices. Common examples included ‘risk committees’ of the Board, ‘Chief Risk Officer’ positions and various ‘risk management’ structures, policies, reporting requirements and so on. The purpose for establishing this paraphernalia, has been seldom transparent, explicit or understood. Consequently, to the extent that it actually existed, this ‘framework’ is seldom integrated with day to day decision-making – because, in fact, it can’t be. If it exists at all, this is only in a parallel universe to the real world where businesses are run and decisions are made.

This belief system has been bolstered by the many national stock exchanges that now included practice of ‘risk management’ as a necessary condition for a stock being listed on their exchange. The (entirely untested) belief is that practising ‘risk management’ (in whichever guise) is prima facie evidence of, and a prerequisite for, sound management. The myth they have perpetuated that investors could and should have greater confidence in such companies.

However, this has been proved repeatedly to be a fallacy, best illustrated by the extraordinary failure of the Enron Corporation and by many recent and spectacular examples of corporate failure such as that involving Boeing’s new 737MAX aircraft that took 346 lives in 2019.

It seems clear to me that if, after all the time and effort that has been invested in ‘risk management’ over the last 30 years, it still isn’t helping decision makers to consistently and competently make better decisions, we simply need to dump it. 

We should simply go back to where I was, 40 years ago – understanding how people make decisions and how we can help them understand their assumptions, the context and how they can become sufficiently certain of their desired outcomes.

The ‘risk management’ emperor has no clothes!

Coronavirus and the effect on ‘risk management’

Norman Marks, in his blog post called "How will risk management change as we emerge from this crisis?" pointed of that "Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure – which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations."  Here is my response. 


Crises like that from the Coronavirus that we all face now, just expose the total folly of the ‘risk management’ edifices organisation’s have built. Leaders are making decisions that in some cases, and often quickly in retrospect, either prove inspired or, mostly, highly defective. But the overall impression is that, despite the claims of the risk management fraternity (or whatever three letter acronym you like to label yourself particular brand of belief system with), its all very ‘hit or miss’! 

Form what I can see, no one is reaching for their ‘risk register’ or ‘risk appetite statement’ or ‘risk matrix’ (etc. etc.) to help them make a decision. Some decision-makers are clearly listening to others, thinking out assumptions and choosing between options so that they end up with a decision which they are sufficiently certain will lead to the outcomes they desire. However many, including some of the most important ‘leaders’ in the world, are making decisions based simply on gut feel, ignoring the advice of others or the experiences elsewhere. They seem to lurch from crisis to crisis, with precious little monitoring taking place to see if decisions lead to the outcomes desired or whether the original basis for a particular decision still remains valid.

Some misguided politicians are still bandying around nonsense words like ‘risk’ and ‘risk management’ as though just uttering those phrases as part of their ‘spin’ will solve problems and pacify people. Fat chance!

In my real world, practical experience over the last few weeks I’ve seen clear evidence that the distraction of ‘risk management’ has in some case led to poor decisions or, mostly, just impeded the process of making a decision with sufficient certainty of outcomes. Similarly, most organisation’s Business Continuity Plans (another three letter acronym) have proved useless because they focused on specific events and not generally the organisation’s vulnerability and how that can be reduced, and how decision making can be enhanced when a disruption occurs. Mostly, they’ve been cast aside by decision makers as totally irrelevant!

At this time, mankind needs leaders (not politicians worried about getting elected) who are capable of making the best possible decisions – for the sake of us all. Even if people say this is ‘risk management’ they are simply deluding themselves. 

If anything, this awful crisis just proves we have wasted years and $billions building ‘risk management’ edifices that have ended up like the Maginot Line in WW2: they have created a false sense of security, and exposed us all to the perils of inflexible strategies, poorly defined assumptions, insularity and blindness to wider context and ineffective monitoring.

Now we are facing our biggest challenge in a generation, our various ‘risk management ‘frameworks’, ‘systems’ and ‘programs’ and all the paraphernalia that comes with them, manifestly are not only failing to respond but are actually impeding good decision making. 

When we get through this, we must remember all this and never fall for a similar ‘con job’ again.