Implementing risk management - the challenges


Risk management isn’t risky … but implementation projects can be.

Risk management concepts can be transformative to an organization. Any organization - whether for-profit or not, whether large or small - can be transformed. When done correctly, risk management concepts can assure that management’s attention is always on the right things, and never on the wrong things. When done correctly, they help assure that everyone has a consistent view of what makes the organization successful and, conversely, where disasters could be lurking. When done correctly, better decisions are made at every level in the organization.

So why hasn’t every organization formally implemented risk management? Here are a few thoughts.

It may not be clear what a risk management project can actually deliver.

Projects should not have fuzzy goals. Unfortunately, that’s often exactly the situation for poorly-planned risk management projects. One of the underlying reasons is that risk management, itself, can mean different things to different people. Also, risk management can seem dramatically different from one case study to the next. It is no surprise that most organizations have not invested in risk management considering the difficulty of defining exactly what it can provide.

It may not be clear exactly how to translate risk management theory into practice.

The next stumbling point is implementation. Most people would agree that risk management is, at its core, an essentially intuitive concept. The problem isn’t with the ‘idea’ of risk management. Instead, it stems from the supplemental concepts, such as "risk appetite", that attempt to make risk management more practical. These supplemental concepts might make perfect sense when they are discussed, philosophically, in a meeting room, but they often fall apart when they move into the untidy real world. As a result, when organizations take their first stab at risk management, they may get discouraged when the real world creates ambiguities, circular logic, and a notable lack of relevant concrete examples.

It may not be initially clear how risk management can provide long-term value.

Thinking forward, how will this initial effort benefit the organization long-term? In some cases executive leadership may initially imagine risk management as a stand-alone activity that’s dusted off and updated every year or two. Understandably, it's hard to see ongoing value in such an approach. The practical benefit of how it can help the organization achieve its goals better and faster may not be obvious or intuitive. One thing is clear - as long as it’s separate from the normal day-to-day management activity it cannot become transformative.

As you're considering a risk management implementation project, you must address and resolve these issues to achieve the benefits that risk management can deliver.

There are ways to remove these obstacles. Stay tuned.


(Owner, VouchedIn, Inc.)

Thank you for the post on risk management. SOx 404 processes in many organizations are still a stand-alone activity. While some companies have embedded the identification of key controls and testing into the organization, in too many cases, management is still dusting this off annually to get the controls in good order for the auditors.

I agree that there are practical ways to implement risk management into management activities and move away from a stand-alone approach. I look forward to further discussion!

(SVP, Inland Bank and Trust)

You're right about many companies initiating SOX projects without sufficient consideration of the potential long-term benefits. As a result, those potential benefits were largely unrealized. It would be a shame for organizations to "comply" with risk management and make the same mistakes.