  • Duncan

10 signs risk management probably isn’t contributing to better performance

Updated: May 10, 2020

A lot of activities carried out under the name of ‘risk management’ are ineffective, unnecessary, and even dangerous. Here are some simple signs which could indicate that your organisation might be able to make significant improvements to how it deals with risk.


  1. There is a team producing a monthly or quarterly ‘risk report’

  2. Risks are assessed using a colourful matrix with scores such as ‘low’, ‘medium’, and ‘high’

  3. Risk managers email copies of risk registers to departments and ask them for updates

  4. The Risk Team don’t/can’t carry out quantitative risk analyses

  5. The organisation produces a list of its top risks, but without using any numbers

  6. ‘Cybersecurity’ is listed as a top risk

  7. ‘Failure to achieve planned outcomes’ is listed as a top risk

  8. The three lines of defence is promoted as an effective model of risk management

  9. Managers don’t request any input from the risk team

  10. Internal audit fails to pick up on these issues

There are lots more, but this is a start. Let me know what you think. If you don’t understand why these are ‘bad things’ then get in touch and we’ll help explain why, and let you know what you could do to get risk management working effectively in your organisation.
