Why business leaders fail to invest in risk management

Professor Mark Beasley has been a professor for 30 years and is a leader of the North Carolina State University’s Enterprise Risk Management Initiative. He was a board member of COSO for 7 years, has been a member of the United Nations’ Internal Control Advisory Group for the last 7 years, and describes himself as a risk management thought leader.

He should understand risk management as he studies and teaches it, and seeks to provide thought leadership.

I have referenced his annual surveys of risk management maturity in many of my posts over the years.

This week, he shared his views on Why risk management failures are not limited to banking. He says:

Overconfidence, a resistance to talking about risk, and a dislike of the word “no” are some reasons that businesses fail to invest in risk management leadership.

In a 2023 study, as he reports in this article, he found that:

 …only 31% of the respondents assess the overall maturity of their organisation’s risk management as “mature” or “robust”, with no region of the world rating risk management maturity higher than 38%.

His article seeks to explain why.

His next section is entitled “Excuses often heard for not investing in risk management” but then states:

There are reasons that organisations fail to invest in risk management leadership.

There’s a massive difference between excuses and reasons and sorry, Mark, but you have not identified the primary reason.

First, let’s review the reasons he has listed:

Overconfidence. The CEO and board think they don’t need to invest more in risk management given that “we talk about risk all the time”, even though those discussions are often ad hoc, side conversations.

In fact, our research found that less than 40% of executives responding to the 2023 survey said that key risks are communicated to senior executives as part of ad hoc discussions at management meetings, and only 26% doing so as part of a scheduled agenda discussion about risks (with the highest level reported at 30% for organisations in Europe and the UK).

This unstructured approach is not robust enough to identify all the complex, interconnected risks in today’s rapidly changing environment.

Resistance to conversations about risks…. Unfortunately, some C-suite executives resist engaging in discussions explicitly focused on risks because they see those as focusing on negatives, not positives.

Competing vs. complementary view of risk management… The most frequently cited barrier is a view that risk management is a distraction from competing priorities that add value to the organisation (38% of the global sample cited this reason for lack of risk management investment)….

Risk and strategy are two sides of the same coin. On one side is what the organisation is trying to do strategically, while the other side reflects risks that might impact (positively and negatively) the success of that strategy.

Distaste for the word “no”. 

This section is telling.

  1. Executives should be “talk[ing] about risk all the time”. It’s how they make decisions! Thinking about what might happen (risk and opportunity) is best when it’s within the context of what you are trying to achieve.
  2. Successful management is not about managing or mitigating risks viewed in isolation. A “structured” discussion that only focuses on avoiding failures by mitigating downside risk is rightfully seen by executives as less than a good use of their limited time. It’s less because management don’t want to focus on negatives. It’s because they know full well that they have to take risks to succeed, so they need to focus on how to succeed rather than how to not fail.
  3. Risk management is NOT about telling management “no”. It is about helping management know what is likely to happen so they can make an informed and intelligent decision. In fact (as Martin Davis has told me in the past), a great risk manager helps management figure out how to achieve objectives, given all the things that might happen (i.e., risks and opportunities).
  4. Executives are not investing because they do not see risk management as practiced by the majority (and apparently taught at NC State) as adding value. This is the main reason!!
  5. Risk and strategy are NOT two sides of the same coin! They are on the same side of every coin!!! Understanding what might happen enables you to (a) set the right objectives, goals, and strategies, and (b) achieve them.

The Professor suggests ten questions. They are all useful in sparking a discussion about what might happen (risks and opportunities) as people make decisions and endeavor to lead their organization to success.

Here are ten better ones (IMHO):

  1. What has to happen for you to achieve your objectives? What are you assuming will happen? How likely is it that it will happen?
  2. What are you focusing on because it might not happen?
  3. What might happen that would adversely affect your ability to achieve your objectives?
  4. Do you know enough about what might happen? Is your risk team helping you understand and assess it all?
  5. What is the likelihood of your achieving each of your objectives, given the current status and what might happen (both positive and negative)?
  6. Do you have good decision-making processes across the organization?
  7. Are your reports about the current state of affairs and progress towards objectives sufficient and reliable? Do you know where you are and the quality of your systems, people, and processes to move forward with confidence?
  8. Are you getting the quality information you need, in the form you need it, when you need it?
  9. Where are you spending your time?
  10. Do you see your risk team as helping you make the right decisions for success?

Over the years, I have invited Mark to debate risk management with me, but he has yet to respond. I repeat that invitation today.

His annual surveys have continued to demonstrate that risk management practices like risk registers, heat maps, risk profiles, and meetings to discuss risks are failing to add the value organizations need.

Executives will only invest in risk management if they not only believe but experience value far beyond its cost.

We need to stop telling people in surveys, Mark, that risk management is failing and finding excuses (rather than reasons).

We need to start showing them how to make risk management effective in enabling organizational success.

I welcome your thoughts.

  1. March 4, 2024 at 9:58 AM

    It’s interesting that the professor’s questions do not mention the word ‘objective’.
    My questions would be:
    1. Have you identified the objectives of the organisation?
    2. If so, is your bonus dependent on the achievement of these objectives?
    3. If so, do you appreciate that the achievement of these objectives, and therefore your bonus, is helped by opportunities and hindered by risks?
    4. What actions have you taken to ensure these opportunities and risks have been identified and are being managed to maximise your bonus?
    5. How do you ensure that the right information is available at the right time to identify emerging opportunities and risks?
    6. Do all your employees understand the decisions they are required to make and what factors to take into account when making them?
    7. Are your risk management and internal audit teams working with you solely to achieve the organisation’s objectives?

    OK, they could do with a little more refinement…

  2. Anonymous
    March 5, 2024 at 1:32 AM

    Thanks for this article. In France, where I work, we have the same issue.
    Usually, the main argument of the CEO is “why should I invest in Risk management process whereas I know very well the risks of my business?” Sometimes, it seems to be an insult to ask them if they have a risk management process! And for other CEOs, risk management process is perceived as a legal obligation, a constraint. They have difficulty perceiving the added value of the reasoning. A legal obligation among many others!
    I think that the best practice when you work with this kind of CEO is to start talking about their strategic vision. Sometimes, I try not to use the word Risk in my interview, and I prefer to talk about “how to secure the strategic objectives”. It’s another way to serve the Risk Management process!

    • Norman Marks
      March 5, 2024 at 6:32 AM

      Yes, we need to prove ourselves, showing them the value.

      We need to move risk management from something they feel they have to do (because of regulations, etc.) to something they want to do.

  3. Anonymous
    March 6, 2024 at 6:45 AM

    “Always on point. You stand out in explaining in simple and plain English what risk management really is. I appreciate your perspective on risk management, which has shaped my understanding too. I am better at explaining risk management from the viewpoint of any aspect of my core expertise, be it financial reporting, financial planning, taxation, or internal audit.”

    • Norman Marks
      March 6, 2024 at 7:42 AM

      Thank you so much
