Conversations with Mark Siwik

Mark Siwik, CEO of SandRun Risk is hosting a series of three conversations with Grant Purdy on the company’s Blog.

First instalment, September 2020

You can read the first instalment here.

Part 1 of the monthly conversation concerns Grant’s background and experience from working more than 40 years on practical applications of risk management and how he has focussed on helping people make even better decisions.

Second instalment, October 2020

The second instalment is here. This focuses on the book Deciding.

Third instalment, November 2020

The third instalment is here. The deals with how to make even better decisions.

Useless Risk Management Edifices that Organisations Build

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time.
It’s time to recognize the truth about risk management." 

Hans Læssøe commented that: "I guess too many companies have a risk management function only for the sake of being able to say, that they have it – and to produce reports that shows “we are doing well”. Executives had (and have) no intention of letting risk people involve themselves or tamper with decisions they are making or how they execute/operate."

Roger responded as below.


Your first paragraph (3 April) makes an astute observation. The essentially useless ‘risk management’ edifices that organisations build, play no meaningful role in assisting the daily task of making sound decisions – from top to bottom. (I put ‘risk management’ in inverted commas, incidentally, because although the expression is common, there is little that is common across all its users as to what it means or consists of!)

These edifices are established at great cost and inconvenience either because of regulatory pressures as illustrated by John Fraser’s later anecdote (such regulations are often a forlorn hope by governments that this will somehow avoid society being disadvantaged in some way or other) or because of supply chain obligations which, as with Covid-19, spread up and down the chain with ease, or because of virtue signalling by the new breed of woke directors who are not focused on their real job of adding shareholder value.

The fact is, as you say, these ‘risk management’ edifices exist as an externality to the real management activity (including strategy setting) that is providing the engine room for the organisation.

This is why ‘risk management’ has little influence or, worse still, why it has an adverse effect which is the more common consequence as a consequence of its distractive effect and resource wastage. At very least, it’s not seen as helpful to the daily challenge of making sound decisions because as the world has shown, repeatedly, that with or without ‘risk management’ it is perfectly possible to make both good decisions and bad decisions.

One doesn’t have to invert normality in order to make good decisions – just become a little more skilled in the steps that are already followed. There is no need for a ‘system’ or ‘framework’ (for which, read ‘edifice’) just decision-making skill.

The ‘Mess’ Risk Management Has Become

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time.
It’s time to recognize the truth about risk management." I responded as below.

How did we get in this mess?

42 years ago when I first started looking at what could go wrong, what it would lead to and how likely the effects were, it was quite clear that my role was exclusively to help those charged with making decisions. I did not seek to impose my arcane language and concepts on the decision makers. Indeed, a big part of my job was understanding their needs and the context and then after I had carried out my analysis, framing the information I gave them using terms and concepts that were meaningful to them. I did not insist they contort their language and ways of thinking to suit mine. I did not insist they either replace their business processes with mine or to run my processes in parallel.

I only worked for the decision makers, and if they could not understand and appreciate what I was telling them, that was my fault, not theirs.

Since then, and despite the Frankenstein monster ‘risk management’ having no solid foundation or universal meaning, the advocates of its many guises (normally with three letter acronyms) have created a perception in those responsible for the governance of organisations that ‘risk management’ was ‘good’ and should therefore be adopted.

This ‘Risk management’ belief system has been promoted as something that is both valid and indispensable: in effect something to be believed in as essential to good governance. But it is only a belief, there is little tangible evidence that ‘risk management’, whatever that term means, actually helps organisations make better decisions and thereby enhances their performance.

Organisations have been encouraged by ‘risk management’ advocates to give effect to this belief by superimposing a ‘risk management framework’ across the organisation comprising various edifices. Common examples included ‘risk committees’ of the Board, ‘Chief Risk Officer’ positions and various ‘risk management’ structures, policies, reporting requirements and so on. The purpose for establishing this paraphernalia, has been seldom transparent, explicit or understood. Consequently, to the extent that it actually existed, this ‘framework’ is seldom integrated with day to day decision-making – because, in fact, it can’t be. If it exists at all, this is only in a parallel universe to the real world where businesses are run and decisions are made.

This belief system has been bolstered by the many national stock exchanges that now included practice of ‘risk management’ as a necessary condition for a stock being listed on their exchange. The (entirely untested) belief is that practising ‘risk management’ (in whichever guise) is prima facie evidence of, and a prerequisite for, sound management. The myth they have perpetuated that investors could and should have greater confidence in such companies.

However, this has been proved repeatedly to be a fallacy, best illustrated by the extraordinary failure of the Enron Corporation and by many recent and spectacular examples of corporate failure such as that involving Boeing’s new 737MAX aircraft that took 346 lives in 2019.

It seems clear to me that if, after all the time and effort that has been invested in ‘risk management’ over the last 30 years, it still isn’t helping decision makers to consistently and competently make better decisions, we simply need to dump it. 

We should simply go back to where I was, 40 years ago – understanding how people make decisions and how we can help them understand their assumptions, the context and how they can become sufficiently certain of their desired outcomes.

The ‘risk management’ emperor has no clothes!

Go Hard and Go Early

This was posted recently on LinkedIn and attracted many comments, most supportive.

Some of you will know that I’m critical of the monstrous belief system that risk management has become; with its own language, codes, symbols, rituals and high priests. Few would now dare to say they don’t believe in ‘risk management’ – even those most (if not all) don’t know what that phrase means. It’s certainty transmogrified (like Frankenstein’s monster) from a simple activity involved with the testing of assumptions as an input to decision making to the vast, self-serving edifices we see today.

I’ve previously said that you won’t find many leaders in the world who are making difficult decisions during the current global crisis reaching for their risk registers or risk appetite statements. One thing we know about good leaders is that they are great at decision making: they are decisive and don’t procrastinate. They gather the views of others about context, look at a range of options and make sure they are clear on the assumptions and the level of certainty each option will lead to their desired outcomes. Then they decide and act swiftly.

All this is true of great surgeons, corporate raiders and generals. They all act hard and act early. (And most would not know a risk register if they tripped over it!)

An excellent analysis has been produced by the (Australian) ABC and shows clearly the difference in the rate of Coronavirus infections and the spread of the disease in countries whose leaders acted hard and early, and those that were or are still dithering. You can access it here.

I’ll let you form your own opinion of your country’s leaders and their decision-making based on this transparent analysis. One thing is clear though, if leaders’ procrastinate – because, variously it will damage their election chances, their population has a good diet, or their people don’t get sick – then it will cost many lives.

Coronavirus and the effect on ‘risk management’

Norman Marks, in his blog post called "How will risk management change as we emerge from this crisis?" pointed of that "Even before the crisis, few on boards or in executive management believed their risk management programs were helping them run the organization for success. At best, it helped anticipate and avoid failure – which is hardly the same as achieving success. At worst, it was a cost center that helped comply with regulations."  Here is my response. 


Crises like that from the Coronavirus that we all face now, just expose the total folly of the ‘risk management’ edifices organisation’s have built. Leaders are making decisions that in some cases, and often quickly in retrospect, either prove inspired or, mostly, highly defective. But the overall impression is that, despite the claims of the risk management fraternity (or whatever three letter acronym you like to label yourself particular brand of belief system with), its all very ‘hit or miss’! 

Form what I can see, no one is reaching for their ‘risk register’ or ‘risk appetite statement’ or ‘risk matrix’ (etc. etc.) to help them make a decision. Some decision-makers are clearly listening to others, thinking out assumptions and choosing between options so that they end up with a decision which they are sufficiently certain will lead to the outcomes they desire. However many, including some of the most important ‘leaders’ in the world, are making decisions based simply on gut feel, ignoring the advice of others or the experiences elsewhere. They seem to lurch from crisis to crisis, with precious little monitoring taking place to see if decisions lead to the outcomes desired or whether the original basis for a particular decision still remains valid.

Some misguided politicians are still bandying around nonsense words like ‘risk’ and ‘risk management’ as though just uttering those phrases as part of their ‘spin’ will solve problems and pacify people. Fat chance!

In my real world, practical experience over the last few weeks I’ve seen clear evidence that the distraction of ‘risk management’ has in some case led to poor decisions or, mostly, just impeded the process of making a decision with sufficient certainty of outcomes. Similarly, most organisation’s Business Continuity Plans (another three letter acronym) have proved useless because they focused on specific events and not generally the organisation’s vulnerability and how that can be reduced, and how decision making can be enhanced when a disruption occurs. Mostly, they’ve been cast aside by decision makers as totally irrelevant!

At this time, mankind needs leaders (not politicians worried about getting elected) who are capable of making the best possible decisions – for the sake of us all. Even if people say this is ‘risk management’ they are simply deluding themselves. 

If anything, this awful crisis just proves we have wasted years and $billions building ‘risk management’ edifices that have ended up like the Maginot Line in WW2: they have created a false sense of security, and exposed us all to the perils of inflexible strategies, poorly defined assumptions, insularity and blindness to wider context and ineffective monitoring.

Now we are facing our biggest challenge in a generation, our various ‘risk management ‘frameworks’, ‘systems’ and ‘programs’ and all the paraphernalia that comes with them, manifestly are not only failing to respond but are actually impeding good decision making. 

When we get through this, we must remember all this and never fall for a similar ‘con job’ again.