
What is Greatest Risk in Risk Management

In many organizations, risk management still runs in silos, so what is the greatest risk in risk management?
It is the risk that the risk management program itself is insufficient to identify, evaluate, assess and respond to all the
potential effects of uncertainty as the business strives to achieve its goals and objectives.

1. What are the Great Risks in Risk Management?

The major risk overlooked by risk practitioners arises from a fundamental misunderstanding of human
behavior and human nature (the social element). Although people believe that by default most humans are
rational, many studies, the recent financial crisis and major failures show that humans are "Predictably

What are the root causes? What are the risk management blind spots? Is it because your ERM
program is immature and shortsighted? The more interesting question is what to do with this risk even
when an ERM program is neither immature nor shortsighted, since obvious shortcomings in an
ERM program can be fixed if there is the will to fix them. But why do you think that most risk management
programs have not been operating effectively, and why do you think that most internal auditors have not been providing the
necessary reviews of the risk management system? What needs to change so that the
kinds of things suggested can actually occur? Isn't it important to understand why something so basic
has not been done, or, if it has been done, why it has been done so poorly? The greatest risk will be a real
business or reputation issue that is not being properly identified and managed.

This is actually a very thorny issue, where judgment still trumps any prescriptive RM standard.
Identifying all possible risks casts such a wide net that it is essentially an elusive goal. Any attempt
to narrow the scope to make it more manageable introduces exactly the risk raised
above (even if the ERM program is NOT immature or shortsighted). Self-checks for bias can only
go so far, since we are all subject to the human limitation of not being able to see everything. A committee process
improves the odds further, but in turn introduces groupthink. The paradox is that trying to
identify (assessment comes later) all possible risks ends in a huge list that is not
practical to assess. In practice, the risks judged low (by the group or committee) are then dealt with
by accepting them.

The major source of limitation in any risk management program is the risk of the unknown (a knowledge
gap). Assume that in a given risk management program all the known and potential risks
have been covered and managed, and that over time the ERM program has been
continuously improved on the basis of feedback from the risk management process; what is
left is what is unknown.

Reputational damage is self-inflicted as a result of the consistent failure to (1) recognize the
shortcomings of competing sets of guidelines, (2) measure, manage or model risk, and (3) embrace tools to
prepare (clients) for uncertainty. Reputational risk is the blindness of conventional risk
management practitioners to the shortcomings of incomplete and overpriced solutions. Reputation
is a key consideration: when there is a legal or compliance battle, the reputational damage often means
that even if the business is not hit with a judgment or other sanction, it still loses.

2. The Human Factors in Effective Risk Management

People are still the weakest link in risk management; people _are_ the greatest source of risk (both classical
downside risk and "upside" risk). However, you can't remove them from the equation without making the equation
a nullity.

There are "human factors" such as irrational, cognitive or behavioral aspects. We cannot and will not be
able to manage or predict them, BUT by mapping and measuring complex interactions in real time we can gain
early warning (anticipatory awareness) of possible or plausible negative impact... NOT reflexive or post

Individual trust and collective trust, and thus collective human risk (in enterprises), can be very
different. Looking at risk from the different dimension of "trust": trust has an element of uncertainty,
namely the RISK of failure or harm to the trustor if the trustee does not behave as desired. So when
we look at enterprise risk management, we should look at trust in humans, trust in processes and trust in technology,
and when we think of trust in humans, we tend to assume that we are all predictably rational.

Many of the difficulties come from subtle psychological factors. The difficulty with having the risk management
team assess the effectiveness of the risk management system themselves is that
it is, effectively, self-assessment: it discounts risks that are seen as day-to-day irritants ("we've
never had a problem with that in 5 years") as well as the much more talked-about black swans.

High risk appetite at the top: In addition, the absence of a really high-quality risk appetite discussion between executive
members and the board is a common failing. Even if the risk management system picks up a risk,
a major issue can be poor judgment about how much of that risk to take. That said, risk management serves
both top-line business growth and bottom-line compliance, and the greatest risk is the weakest link of your
organization, usually people.

3. Next Practice in Risk Management

Develop a set of next practices to better manage risks. The respective disciplines will converge
through best practices and the like, but that is not to say they will become universal:
what works well for one industry may not work for another as far as structure or reporting goes.
1) Review: The first step that is often overlooked is the review. How effective are the mitigants, what has changed
both internally and externally, are you satisfied with what you have done, and do you then re-prioritize projects?
Risk management can ensure that all such risks are revisited and re-accepted so as to minimize the risk
raised above. A reasonable level of proficiency in risk identification has to be presumed in the RM program.
2) Embed RM into business processes: Embed risk identification and assessment in operational processes,
including project management. Ask just how integrated the risk management system is in the running of the
operation: if the risk management system doesn't spot a risk, the business won't either. Often a big risk is that
the risk management system is detached from the real management of the business.
3) GRC framework: A GRC framework is essential to an effective RM program. Governance, Risk and Compliance are coming
under the one umbrella of GRC. The revenue leaders across industry sectors are the best practitioners of risk
intelligence. Security, risk, compliance and governance will converge into a more cohesive management
discipline, well integrated as a key component of business strategy.
4) Cultivate a risk intelligence culture: From board level to front-line customer service, culture will
always trump strategy and even leadership in innovation practices; enhancing the risk intelligence culture will
enable the business for both top-line and bottom-line growth.
5) Reap what you sow: The next stage should surely be to define the organization's appetite for risk, then to
identify whether each identified risk is above or below that appetite, which gives a priority list. Once the risks
have been prioritized, you can then mitigate the most important risks to bring them within appetite. While
appetite for risk can reap rewards in an enterprise, it can come with an unforeseen downside. Reap what you sow.
Too few business enterprises have appropriately aligned, or devoted sufficient resources to, their respective
risk, compliance, ethics and governance efforts; these should be, or need to be, appropriately integrated, with
decent reporting structures and streamlined processes.
6) Business resilience: The business capability to make the organization more resilient: not just controlling risk,
but failing faster, failing cheaper and recovering more promptly, even becoming stronger than before. Thus the 'greatest
challenge' is how to objectively quantify the entity (a complex system) and how to make key processes more
7) Business agility and flexibility: Doing things better, faster and smarter. Risk management is like a brake pad: not
just for stopping the car, but for letting the car run faster under safe control. Digitalization gives the business a
multitude of choices in how to serve customers, engage employees and develop products and services; risk intelligence combined with
business flexibility will balance this paradox of choice via next practice.
Genuinely intelligence-led operations (meaning all dimensions, from risk to marketing to logistics) have to be
embedded in both processes and, more importantly, mindsets. Too much time is spent on the theory rather than
the practice of risk management. The key is to use risk management to prioritize daily tasks, regardless of
whether you call it ERM or GRC or which standard framework you prefer.