The Risk Coalition

The stuff of nightmares: risk management is shut down, and nobody notices

May 24, 2024

Imagine a company where risk management activities are suddenly abandoned, and decision-makers don’t notice.

Nothing changes except that management has more time because the yearly discussion of the risk report is left out. A nightmare or bitter reality in some companies?

Remember, risk management's single purpose is increasing decision quality. Everything else is a means to this end and does not create value. Yet, companies overwhelmingly spend money and time implementing risk norms and frameworks such as ISO 31000 and COSO ERM. Their focus is often on risk identification, analysis, and risk reporting. These risk process activities do not create value for decision-makers as nothing has been managed yet, and no decision has been made better.

Decision-makers apply practices to identify, assess, and mitigate uncertainty when decisions are made (not before, not after), even if they do not call it ‘risk management’. Yet planning, deciding, evaluating options, conducting performance reviews, and monitoring strategic initiatives are all risk management. It might sound paradoxical that executives are unaware of ‘doing’ risk management while risk managers are paid to create many artefacts decision-makers don’t care about. This is not an optimal situation.

For example, strategic alternatives present uncertainties that must be evaluated and measured against each other to prioritise and rank them. Thus, sound risk management is the degree to which decision-makers understand the risks attached to possible outcomes of the company’s strategy before(!) they make decisions. There is an intertwined relationship between risk management and decision-making. However, by sticking to risk management frameworks and norms, companies create expensive ERM-artefacts that most decision-makers wouldn’t miss if dropped.

Even though this view of risk management in decision-making sounds compelling, it might conflict with the company’s mindset because risk management is viewed as a constraint on profit and success. This is not surprising, as traditional risk management is still about ‘what can go wrong’ instead of embracing uncertainty as the key ingredient of success.

Here is my advice for your next risk workshop (there will be one; I am confident). Kick it off by asking executives: “What makes a good decision?” You will be surprised by the silence spreading across the room. Then, you may start talking about the criteria of decision quality. Link it to risk management (honestly, almost all requirements of decision quality can and must be linked to risk management). Et voilà: The start of a fruitful journey to more relevant risk management is (probably) done.

Too simple to be good?  

Stefan Hunziker is Professor of Risk Management at Institut für Finanzdienstleistungen Zug IFZ, Lucerne University of Applied Sciences and Arts, and an advisory board member at SWISS GRC.
