Useless Risk Management Edifices that Organisations Build

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time. It’s time to recognize the truth about risk management."

Hans Læssøe commented that: "I guess too many companies have a risk management function only for the sake of being able to say that they have it – and to produce reports that show “we are doing well”. Executives had (and have) no intention of letting risk people involve themselves or tamper with decisions they are making or how they execute/operate."

Roger responded as below.


Your first paragraph (3 April) makes an astute observation. The essentially useless ‘risk management’ edifices that organisations build play no meaningful role in assisting the daily task of making sound decisions – from top to bottom. (I put ‘risk management’ in inverted commas, incidentally, because although the expression is common, there is little that is common across all its users as to what it means or consists of!)

These edifices are established at great cost and inconvenience either because of regulatory pressures as illustrated by John Fraser’s later anecdote (such regulations are often a forlorn hope by governments that this will somehow avoid society being disadvantaged in some way or other) or because of supply chain obligations which, as with Covid-19, spread up and down the chain with ease, or because of virtue signalling by the new breed of woke directors who are not focused on their real job of adding shareholder value.

The fact is, as you say, these ‘risk management’ edifices exist as an externality to the real management activity (including strategy setting) that is providing the engine room for the organisation.

This is why ‘risk management’ has little influence or, worse still, why it has an adverse effect, which is the more common consequence as a consequence of its distractive effect and resource wastage. At the very least, it’s not seen as helpful to the daily challenge of making sound decisions because, as the world has shown repeatedly, with or without ‘risk management’ it is perfectly possible to make both good decisions and bad decisions.

One doesn’t have to invert normality in order to make good decisions – just become a little more skilled in the steps that are already followed. There is no need for a ‘system’ or ‘framework’ (for which, read ‘edifice’) just decision-making skill.

The ‘Mess’ Risk Management Has Become

Norman Marks in his blog post called "Time to wake up to risk reality" said that "This is a post about news we should have known for a long time. It’s time to recognize the truth about risk management." I responded as below.

How did we get in this mess?

42 years ago when I first started looking at what could go wrong, what it would lead to and how likely the effects were, it was quite clear that my role was exclusively to help those charged with making decisions. I did not seek to impose my arcane language and concepts on the decision makers. Indeed, a big part of my job was understanding their needs and the context and then, after I had carried out my analysis, framing the information I gave them using terms and concepts that were meaningful to them. I did not insist they contort their language and ways of thinking to suit mine. I did not insist they either replace their business processes with mine or run my processes in parallel.

I only worked for the decision makers, and if they could not understand and appreciate what I was telling them, that was my fault, not theirs.

Since then, and despite the Frankenstein monster ‘risk management’ having no solid foundation or universal meaning, the advocates of its many guises (normally with three letter acronyms) have created a perception in those responsible for the governance of organisations that ‘risk management’ was ‘good’ and should therefore be adopted.

This ‘risk management’ belief system has been promoted as something that is both valid and indispensable: in effect something to be believed in as essential to good governance. But it is only a belief; there is little tangible evidence that ‘risk management’, whatever that term means, actually helps organisations make better decisions and thereby enhances their performance.

Organisations have been encouraged by ‘risk management’ advocates to give effect to this belief by superimposing a ‘risk management framework’ across the organisation comprising various edifices. Common examples included ‘risk committees’ of the Board, ‘Chief Risk Officer’ positions and various ‘risk management’ structures, policies, reporting requirements and so on. The purpose for establishing this paraphernalia has seldom been transparent, explicit or understood. Consequently, to the extent that it actually existed, this ‘framework’ is seldom integrated with day-to-day decision-making – because, in fact, it can’t be. If it exists at all, this is only in a parallel universe to the real world where businesses are run and decisions are made.

This belief system has been bolstered by the many national stock exchanges that now include the practice of ‘risk management’ as a necessary condition for a stock being listed on their exchange. The (entirely untested) belief is that practising ‘risk management’ (in whichever guise) is prima facie evidence of, and a prerequisite for, sound management. The myth they have perpetuated is that investors could and should have greater confidence in such companies.

However, this has been proved repeatedly to be a fallacy, best illustrated by the extraordinary failure of the Enron Corporation and by many recent and spectacular examples of corporate failure such as that involving Boeing’s new 737MAX aircraft that took 346 lives in 2019.

It seems clear to me that if, after all the time and effort that has been invested in ‘risk management’ over the last 30 years, it still isn’t helping decision makers to consistently and competently make better decisions, we simply need to dump it. 

We should simply go back to where I was, 40 years ago – understanding how people make decisions and how we can help them understand their assumptions, the context and how they can become sufficiently certain of their desired outcomes.

The ‘risk management’ emperor has no clothes!