5 Common Risk Management Failures | Corporate Compliance Insights (2022)

It is always interesting to put on our “all-seeing glasses” and look at situations when risk management failed. By doing this, we have the opportunity to identify warning signs of common failures.

The following are five common risk management failures and some warning signs of each, organized into organizational, process and behavioral indicators.

#1:Poor Governance and “Tone of the Organization”

Governance is the act or process of providing oversight, authoritative direction or control. The term itself is often used to describe what the Board of Directors and executive management do to oversee the enterprise’s planning and operations and ensure the effectiveness of strategy-setting and the organization’s other management processes.[1]

Executive management’s “tone at the top” provides a vital foundation for the transparency, openness and commitment to continuous improvement that are so necessary for effective risk management. However, the tone at the top must be complemented with an effective “tone in the middle.” No matter what leaders communicate to their organizations, what really drives behavior and resonates with employees is what they see and hear every day from the managers to whom they report. If the behavior of middle managers contradicts the messaging and values conveyed from the top, it won’t take long for lower-level employees to notice. Because the top-down emphasis on effective risk management is only as strong as its weakest link, it is vital that this emphasis be translated into an effective tone in the middle before it can be expected to reach across the organization. Therefore, a strong “tone of the organization” is needed.

(Video) Lexplosion Event | 5th Pharma Risk & Compliance Virtual Summit 2021

Here are a few indicators of dysfunction in governance and tone of the organization:

Organizational indicators:

  • Poor risk governance, leadership and discipline, resulting in enterprise value creation activities of the lines of business overriding the risk concerns and early warnings raised by the independent risk management function.
  • Lack of Board focus on risk oversight, resulting in directors failing to ask the tough questions.

Process indicators:

  • Risk is not considered explicitly by management when evaluating strategic alternatives and whether to enter new markets, introduce new products or consummate a complex investment or acquisition.
  • There is ineffective or nonexistent sharing and communication of risk information up, down and across the organization.

Behavioral indicators:

  • A myopic focus on the short term – the next month or quarter – is causing the organization to mortgage the future for the present when taking risk.
  • A dominant CEO ignores the warning signs posted by the risk management function, resists bad news or contrarian information that the organization’s strategy is not working and/or does not involve the Board with strategic issues and policy matters on a timely basis.
  • There is evidence of undeliverable strategies, extreme performance pressures, unrealistic expansion plans, inadequate executive experience and/or a “warrior culture” and unhealthy internal competition creating incentives for excessive risk-taking.

#2: Reckless Risk-Taking

Reckless risk taking is an enterprise value killer. It represents undertaking risks that the Board of Directors and/or executive management neither understand nor approve. A lesson we keep learning, time and again, is the need for more disciplined risk-taking during periods of rapid growth and favorable markets. For example, every MBA program features case studies of companies re-learning a time-honored lesson:

Although competent people are an important aspect of managing risk, management’s reliance on them without limits, checks and balances and without independent monitoring and reporting is as ill-advised as not understanding the risks inherent in their activities.

It is interesting that companies, even entire industries, keep learning this fundamental lesson. In the financial crisis, there is evidence that some institutions fared better than others and we can learn from what they did.

Key indicators of this problem include:

(Video) Governance (GRC) and Compliance (Level 1 - video 11)

Organizational indicators:

  • The Board is not providing sufficient risk oversight.
  • The operating unit leaders and process owners are not accountable for managing the risks their activities create, thus the primary risk owners are not monitoring and managing risk at its source.
  • There is no independent risk management function in place providing risk oversight.
  • Internal audit is not focused on the effectiveness of the first two lines of defense – the primary risk owners and the independent risk functions.

Process indicators:

  • There is either no risk appetite statement or a lack of accountability to ensure prudent risk-taking within the boundaries set by the organization’s risk appetite.
  • There are no efforts to apply contrarian analysis to the critical assumptions underlying the strategy so that trending and other risk indicators can be monitored to ascertain whether one or more critical assumptions are either becoming invalid or have become invalid.
  • Trust positions (e.g., the people whose actions or inaction can subject the enterprise to significant risk events) are not identified and managed; therefore, their activities may not be subject to oversight by a knowledgeable executive.

Behavioral indicators:

  • The organization’s incentive compensation structure and culture drives inappropriate risk-taking behavior, e.g., a “heads I win, tails you lose” compensation plan may be driving unintended consequences that management and the Board would want to avoid if given a choice.
  • Responsibility for risk management is not linked to the reward system, or worse, the incentive compensation program encourages unbridled risk taking.
  • There are “star performers” who make a lot money, but no one understands how or why they succeed.
  • The “smartest people in the room” dominate discussion and drive groupthink.
  • There are significant conflicts of interest in complex, volatile and/or difficult-to-measure areas.

#3: Inability to Implement Effective Enterprise Risk Management (ERM)

Most efforts to implement ERM are unfocused, severely resource-constrained and pushed down so far into the organization that it is difficult to establish their relevance. The near-term result is “starts and stops” and ceaseless discussions focused on understanding what the objective is. The longer-term result is that risk management is rarely, if ever, elevated to a strategic level and continues to be driven by functional silos within the organization.

Common indicators of this potential failure include:

Organizational indicators:

  • Lack of support from executive management and other key stakeholders and/or lack of traction due to delegation of the initiative to lower levels in the organization.
  • The ERM initiative is neither enterprisewide in scope, nor strategic in focus.
  • An “additive” point of view that the various risk management silos combined together constitute an ERM response because they collectively cover the enterprise’s risks.

Process indicators:

  • There is either no risk management policy, or a policy exists but it does not emphasize ERM principles.
  • The ERM process does not focus on the vital few risks that really matter and/or does not position the organization as an early mover to capitalize on market opportunities and emerging risks.

Behavioral indicators:

(Video) Healthcare Internal Audit Compliance | Compliance Risk Panel

  • Lack of clarity as to the business motivation and economic justification for ERM, e.g., understanding “the problem we’re trying to solve with ERM,” leading to endless dialogue about the “what” and “why.”
  • Inability to respond in a manner acceptable to the Board of Directors to such questions as: What are our most critical risks? How well are we managing them and how do we know?
  • Paralysis (i.e., unwillingness to start somewhere to ensure an effective enterprisewide approach to managing risk).

#4: Nonexistent, Ineffective or Inefficient Risk Assessment

This failure arises when risk assessment activities are not identifying the critical enterprise risks effectively, efficiently and promptly. Or, worse, nothing happens when a risk assessment is completed beyond sharing the most current list of risks with company executives.

Some key indicators of this failure include:

Organizational indicators:

  • An abundance of risk management silos and lack of a process view allow significant risks to go unnoticed.
  • Multiple risk assessment requests besiege the entity’s process and functional owners due to the silo mentality of multiple requesting risk evaluators.

Process indicators:

  • The risk assessment process does not involve key stakeholders and the results are not reported to the Board of Directors to obtain their input and perspective.
  • Risk assessments rarely surface an “a-ha” moment that alters senior management’s view of the world, leave decision makers with little insight as to what to do next to manage risk and rarely impact business plans and decisions.
  • The process offers little insight as to what to do about exposures to extreme events, with little or no impact on improving response readiness.
  • The process does not devote enough attention to helping managers think about what they don’t know.
  • The use of a common analytical framework does not take into account multiple views of the future and doesn’t address the unique characteristics and time horizon considerations of the risks the company faces.
  • General counsel constrains the risk assessment process with concerns over risk documentation.

Behavioral indicators:

  • The organization practices ELM, or “enterprise list management,” which ranks risks periodically, but contributes little insight as to how they are managed.
  • Subjective assessments are often influenced by past experience, foster groupthink and preempt out-of-box thinking.

#5: Not Integrating Risk Management with Strategy-Setting and Performance Management

This failure occurs when risk is treated as an afterthought to strategy-setting, resulting in strategic objectives that may be unrealistic and risk management becoming an appendage to performance management. The consequences of this failure include a strategy the organization is unable to deliver, a deteriorating competitive position, an inability to adapt to a changing business environment and a significant loss of enterprise value.

Key potential indicators of this failure include:

Organizational indicators:

(Video) Why ESG Spells Good News for Compliance Risk Management

  • Management has not implemented an effective approach to integrate the implications of risk with strategic planning and performance management.

Process indicators:

  • The risks inherent in the organization’s strategy are not identified, sourced and mitigated.
  • Consideration is not given to the risk of disruptive change affecting the business model.
  • Key risks embedded within the enterprise’s operations, including how they are managed, are not transparent to key stakeholders.
  • There is a lack of connectivity of risk management to core management processes.
  • There is poor alignment of risk responses with strategy and enterprise performance management.
  • No process is in place for anticipating extreme risk scenarios that could derail execution of the strategy, e.g., the velocity, persistence and response readiness associated with high-impact, low-likelihood risks are not assessed to ascertain whether new risk response plans are required.
  • The strategy and the related risk responses are not communicated in a consistent manner across the enterprise.

Behavioral indicators:

  • Risk management is mired in minutiae rather than focused on what is really important: the vital strategic risks.
  • There is evidence of unacceptable risk-taking or unnecessary risk-adverse activity.

Summary

We have discussed five common risk management failures:

  • Poor governance and “tone at the organization”
  • Reckless risk-taking
  • Inability to implement effective ERM
  • Nonexistent, ineffective or inefficient risk assessment
  • Not integrating risk management with strategy-setting and performance management

The warning signs provided for each of the above failures provide a high-level diagnostic for the Board and management to check the health and vitality of their organization’s risk management.

[1]“Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,” James DeLoach and Jeff Thomson, thought paper sponsored by the Committee of Sponsoring Organizations (COSO), 2014.

Tags: Board Risk Oversight

FAQs

What are the 5 identified risks? ›

There are five core steps within the risk identification and management process. These steps include risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.

What are the possible reasons for the failure of risk assessment? ›

5 Most Common Reasons Why Risk Assessments Fail
  • Reason #1 – No Formalized Process.
  • Reason #2 – No or Poorly Defined Acceptable Risk Levels.
  • Reason #3 – Poor Timing of the Risk Assessment.
  • Reason #4 – Wrong Team Members.
  • Reason #5 – No Authority.
26 Sept 2014

What is a risk failure? ›

n. 1 the possibility of incurring misfortune or loss; hazard. 2 (Insurance) a chance of a loss or other event on which a claim may be filed. b the type of such an event, such as fire or theft.

What are the major contributors to operational risk management failures? ›

Human: Humans are the key contributors to operational risk. People often cause system failure and make up costs when equipment fails, and production is reduced, for example, in terms of labor costs.

What are the 5 main risk types that face businesses? ›

Here are five types of business risk that every company should address as part of their strategy and planning process.
  • Security and fraud risk. ...
  • Compliance risk. ...
  • Operational risk. ...
  • Financial or economic risk. ...
  • Reputational risk.
16 Jun 2021

Where can you find the 5 step risk management process? ›

There are five basic steps that are taken to manage risk; these steps are referred to as the risk management process. It begins with identifying risks, goes on to analyze risks, then the risk is prioritized, a solution is implemented, and finally, the risk is monitored.

What are 5 elements of the risk assessment? ›

The five steps to risk assessment
  • Step 1: identify the hazards. ...
  • Step 2: decide who may be harmed and how. ...
  • Step 3: evaluate the risks and decide on control measures. ...
  • Step 4: record your findings. ...
  • Step 5: review the risk assessment.
12 Sept 2019

What are the 4 types of risk? ›

The main four types of risk are:
  • strategic risk - eg a competitor coming on to the market.
  • compliance and regulatory risk - eg introduction of new rules or legislation.
  • financial risk - eg interest rate rise on your business loan or a non-paying customer.
  • operational risk - eg the breakdown or theft of key equipment.

What are the 4 risk management? ›

The 4 essential steps of the Risk Management Process are:

Identify the risk. Assess the risk. Treat the risk. Monitor and Report on the risk.

What are the 4 principles of risk management? ›

Four Principles of ORM

Accept risks when benefits outweigh costs. Accept no unnecessary risk. Anticipate and manage risk by planning. Make risk decisions at the right level.

Why do risk management plans fail? ›

Risk management failures can be caused by the use of improper risk metrics, which induces inaccurate measurements. A practical example is weather forecasting. The most common risk metrics in modern risk management is “Value at Risk” (VaR).

What are management failures? ›

Management failure is a shortfall of duty or performance in directing and controlling an organization, function or team.

What factors affect risk management? ›

These factors are (1). Commitment and support from top management, (2) Communication, (3) Culture, (4) Information technology (IT), (5) Organization structure, (6) Training and (7) Trust. Because risk management is an important part of the financial industry, effectiveness is vital to increase project success.

How does success come from failure? ›

Failure often allows you to examine what worked or what didn't even more so than success. It can foster your critical and analytical thinking skills, allowing you to innovate, redirect and try another way to execute something the next time.

Why is risk management important? ›

Risk management is an important process because it empowers a business with the necessary tools so that it can adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it.

What is meant by compliance risk? ›

Specifically, compliance risk is the threat posed to a company's financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice.

Why a failure in technology is a risk for a bank? ›

The risk can occur due to the choice of faulty or unsuitable technology and adoption of untried or obsolete technology. Major risk arises from breaches of security for access to the computer system, tampering with the system, and unauthorized use of it.

What are the 7 types of business risk? ›

Here are several types of business risks to look for as you evaluate a company's standing:
  • Compliance risk. ...
  • Legal risk. ...
  • Strategic risk. ...
  • Reputational risk. ...
  • Operational risk. ...
  • Human risk. ...
  • Security risk. ...
  • Financial risk.

What are 4 types of operational risk? ›

There are five categories of operational risk: people risk, process risk, systems risk, external events risk, and legal and compliance risk.

What is the biggest risk to the company? ›

Failure To Innovate

He said, “The biggest risk companies face in 2022 is failure to keep innovating. Even the most successful company that owns the market share in its industry will run into problems if it coasts on its achievements.

How can the risk management process be improved? ›

  1. 10 top tips on how to improve risk management.
  2. Be clear about your remit. Any gaps in responsibilities across your business present an increased opportunity for risk. ...
  3. Identify risks early on. ...
  4. Be positive. ...
  5. Describe risk appropriately. ...
  6. Estimate and prioritise risk. ...
  7. Take responsibility and ownership. ...
  8. Learn from past mistakes.
17 Aug 2022

What are the three major risk management procedures? ›

The risk management process consists of three parts: risk assessment and analysis, risk evaluation and risk treatment.

How do you manage risk management? ›

Consider these steps to help identify, analyse and evaluate risks in your business.
  1. Decide what matters most. ...
  2. Consult with stakeholders. ...
  3. Identify the risks. ...
  4. Analyse the risks. ...
  5. Evaluate the risk. ...
  6. Treat risks to your business. ...
  7. Commit to reducing risk.
10 Aug 2021

What are key elements of risk management? ›

A Risk Management Program has four key elements that are tied together in a Risk Management Plan.
  • Risk Identification.
  • Risk Assessment.
  • Risk Action Management.
  • Risk Reporting and Monitoring.

What is the 6 step process for monitoring and reviewing risk? ›

  • Step 1: Hazard identification. This is the process of examining each work area and work task for the purpose of identifying all the hazards which are “inherent in the job”. ...
  • Step 2: Risk identification.
  • Step 3: Risk assessment.
  • Step 4: Risk control. ...
  • Step 5: Documenting the process. ...
  • Step 6: Monitoring and reviewing.

What is strategic risk in risk management? ›

Strategic risk refers to the internal and external events that may make it difficult, or even impossible, for an organisation to achieve their objectives and strategic goals. These risks can have severe consequences that impact organisations in the long term.

What are the six broad categories of risk? ›

Riskology
  • Health and safety risk. General health and safety risks can be presented in a variety of forms, regardless of whether the workplace is an office or construction site. ...
  • Reputational risk. ...
  • Operational risk. ...
  • Strategic risk. ...
  • Compliance risk. ...
  • Financial risk.
8 Sept 2021

What are the main types of risk? ›

Risk Types: The different types of risks are categorized in several different ways. Risks are classified into some categories, including market risk, credit risk, operational risk, strategic risk, liquidity risk, and event risk.

What are the 3 types of audit risk? ›

There are three primary types of audit risks, namely inherent risks, detection risks, and control risks.

Which is the most common risk management tactic? ›

Here are the 4 most common risk mitigation strategies:
  • Risk avoidance.
  • Risk sharing.
  • Risk reduction.
  • Risk transfer.
25 Sept 2019

What is the most important step in the risk management process? ›

Risk Analysis: The Most Important Risk Management Stage.

What are the 4 steps of risk assessment process? ›

The 4 steps are:
  1. Risk Identification.
  2. Risk Analysis.
  3. Risk Response Plan.
  4. Risk Monitoring and Control.

What are the 10 P's of risk management? ›

Introduction; Implications of the 10Ps for business; 10Ps - Planning; Product; Process; Premises; Purchasing/Procurement; People; Procedures; Prevention and Protection; Policy; Performance; Interaction between all the elements; Conclusion.

What are the 4 elements of a risk assessment? ›

The risk assessment process consists of four parts: hazard identification, hazard characterization, exposure assessment, and risk characterization.

What is the 5 step risk management process USMC? ›

Assess Hazards. Make Risk Decisions. Implement Controls. Supervise (and Evaluate)

Why do risk management plans fail? ›

Risk management failures can be caused by the use of improper risk metrics, which induces inaccurate measurements. A practical example is weather forecasting. The most common risk metrics in modern risk management is “Value at Risk” (VaR).

What factors affect risk management? ›

These factors are (1). Commitment and support from top management, (2) Communication, (3) Culture, (4) Information technology (IT), (5) Organization structure, (6) Training and (7) Trust. Because risk management is an important part of the financial industry, effectiveness is vital to increase project success.

For what primary reason could enterprise risk management system fail? ›

For what primary reason could enterprise risk management (ERM) systems foll? Answer: A ERM decisions are always arred across a business when a top-down approach is Dage 7 bed B. Financial constraints could compromise the implementation of ERM systems.

Why risk management is important Which answer is incorrect? ›

Why Risk Management is Important? Which answer is incorrect? Failing to manage risk will result in more problems, higher benefits and a higher chance of project success. Minimizes threats, maximizes opportunities and optimizes the achievement of project objectives.

What is a common risk? ›

A risk is the chance of something happening that will have a negative effect. The level of risk reflects: the likelihood of the unwanted event. the potential consequences of the unwanted event.

What are the trends in risk management to look out? ›

Emerging Trends in Risk Management-What Risk Management consultants need to anticipate
  • #1: Technology, a source of risk and an enabler for effective risk management. ...
  • #2: Convergence of risk oversight with strategic planning. ...
  • #3: Treasury as a strategic business partner. ...
  • #4: Risk Analytics: data-driven risk management.

How can risk management be improved? ›

  1. 10 top tips on how to improve risk management.
  2. Be clear about your remit. Any gaps in responsibilities across your business present an increased opportunity for risk. ...
  3. Identify risks early on. ...
  4. Be positive. ...
  5. Describe risk appropriately. ...
  6. Estimate and prioritise risk. ...
  7. Take responsibility and ownership. ...
  8. Learn from past mistakes.
17 Aug 2022

What are management failures? ›

Management failure is a shortfall of duty or performance in directing and controlling an organization, function or team.

How could risk management give a company a false sense of stability? ›

Risk models can give organizations the false belief that they can quantify and regulate every potential risk. This may cause an organization to neglect the possibility of novel or unexpected risks. Furthermore, there is no historical data for new products, so there is no experience to base models on.

Why is risk management important? ›

Risk management is an important process because it empowers a business with the necessary tools so that it can adequately identify and deal with potential risks. Once a risk has been identified, it is then easy to mitigate it.

What are the 4 types of risk? ›

The main four types of risk are:
  • strategic risk - eg a competitor coming on to the market.
  • compliance and regulatory risk - eg introduction of new rules or legislation.
  • financial risk - eg interest rate rise on your business loan or a non-paying customer.
  • operational risk - eg the breakdown or theft of key equipment.

What are the 3 types of risk management? ›

There are three different types of risk:
  • Systematic Risk.
  • Unsystematic Risk.
  • Regulatory Risk.

Videos

1. How to Conduct a Compliance Risk Assessment?
(Compliance Key)
2. Risk Revealed #5 Latam: The Board of Director’s role in compliance and ESG
(LSEG)
3. Taking Healthcare ERM to the Next Level -- Strategic Decisions and Risk Management Program
(Stanford Online)
4. Be a risk management hero with intelligent data protection and compliance solutions | DB159
(Microsoft Ignite)
5. RISK ASSESSMENTS IN AML/CFT COMPLIANCE!
(The Si of Regulation)
6. ESG Risk & Compliance – The Emerging Regulatory Challenge for Third Party Risk Management
(DVV Solutions Third Party Risk Management)

Top Articles

Latest Posts

Article information

Author: Rev. Leonie Wyman

Last Updated: 09/20/2022

Views: 5863

Rating: 4.9 / 5 (79 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Rev. Leonie Wyman

Birthday: 1993-07-01

Address: Suite 763 6272 Lang Bypass, New Xochitlport, VT 72704-3308

Phone: +22014484519944

Job: Banking Officer

Hobby: Sailing, Gaming, Basketball, Calligraphy, Mycology, Astronomy, Juggling

Introduction: My name is Rev. Leonie Wyman, I am a colorful, tasty, splendid, fair, witty, gorgeous, splendid person who loves writing and wants to share my knowledge and understanding with you.