The Important Risks That Are Overlooked but Should Come First


Survey after survey talks about the top 10 risks or such. For example, look at the 2013 Global Risk Management Survey by Aon. It raises some good points, including a refreshing observation that companies are paying more attention to risk management these days.

But I think this focus on a top 10, or even a top 50, misses some massive risks that are faced (IMHO) by a majority of organizations and, even if they are recognized, are often accepted instead of corrected. They need to be corrected if the organization is to survive, let alone thrive.

Here are my top risks, based on my personal experience with large global organizations. You can think of them as defects in the operation of the organization vehicle that have to be fixed before you worry about risks in the path ahead (the sort of risks that are included in the studies’ top ten lists).

For example, check the brakes, oil levels, and tire pressure before you set out. When you know your vehicle is OK, then you can start worrying about traffic, bad weather, and so on. When you know the organization is able to see where it is and a little way ahead (information), has the necessary people and other resources, can assess its condition (risk and performance management), and react to changing conditions (agility), then you can start worrying about economic slowdowns, legislative changes, and competition (the top three in the Aon study).

  • The board and top management setting organizational objectives and monitoring performance without sufficient information. Studies have shown that >70% of directors are dissatisfied with the quality and sufficiency of the information they receive. At a minimum, organizations should identify the level of risk in their assumptions (including the assumption that the information they have is correct) and take actions to minimize them.
  • A failure to consider risks when establishing strategies and objectives. Risks are only identified after strategies have been established — creating a risk that the wrong strategies and/or objectives are established.
  • Executives making business decisions without adequate, current, timely, and reliable information. They may be used to making decisions based on their intuition, experience, and judgment. But these days, quality information is much more likely to be available than in the past. Managers should seek all available information and, if it is not available, take steps to make sure it is available in the future.
  • A failure to consider risk when making day-to-day business decisions. Many if not most companies only consider and assess risk occasionally — some only annually — instead of integrating the consideration of risk into the fabric of management. Some have appointed risk officers to ‘own’ risk (in a silo) rather than making it clear that operating managers own risk and the risk officers are there to help.
  • An inability to monitor risk as it changes, which is very often at least daily. There is little excuse for this when today’s technology enables continuous risk monitoring. If there is a reason, it is that management doesn’t recognize the value and need for risk information so that they can make better business decisions — every day. This is compounded when insufficient resources are committed to the monitoring, assessment, and acting upon changes in risk levels.
  • A failure to communicate and explain the personal relevancy of organizational strategies to every manager and decision-maker. As a result, decisions are made that are not consistent with the overall strategy, resources are misallocated, and steps necessary for the achievement of objectives are not taken. It is not sufficient to require every manager to link their personal goals and objectives to one or more corporate strategies: each corporate strategy should be analyzed in detail and every manager told what is required of them. If they are working on other tasks, they need to be justified. In other words, drive goals and objectives down rather than having managers reach up to try to attach what they want to do to what is necessary to do.
  • Putting cost considerations ahead of the quality of the management team and the workforce in general. When mistakes are made (including control failures) it always comes down to people: the wrong people, people without sufficient training or experience, overworked people, and/or insufficient people to do the work. People risk should be continually assessed and understood, and cost should not be cut blindly.
  • Processes and systems that cannot move and adapt — a lack of agility. The organization needs to understand how tightly its feet are bound and at least take steps to relieve the pressure so that it can move when necessary to seize a new opportunity or avoid becoming obsolete when its business model is disrupted.
  • A board that is unable to provide effective oversight. Reasons might include a lack of business insight and knowledge; an inability to challenge management by asking the right questions, perhaps because they have grown too close and formed a personal bond with management; a lack of understanding of strategy, risk management, and/or technology; or simply a failure to allocate sufficient time and attention to their responsibilities.
  • A conflict between the personal interests of the executive team (short-term results, bonuses, stock appreciation) and the long-term interests of the organization as a whole. With CEOs staying less time at the helm than ever before, and with the massive sums with which they are rewarded for immediate results, this is understandable — but an avoidable major risk to the organization. Add to this the risk that politics within management ranks prevents them from sharing information and resources, leads them to destructive competition, and generally deters success. It is a rare organization that does not suffer from this disease — and its impacts on both short and longer-term success are significant, even if generally ignored.

I have come up with 10. How would you change or add to the list? Do you agree that these come first before worrying about the Aon top 10?

The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.


