10 signs risk management probably isn’t contributing to better performance
Updated: May 10
A lot of activities carried out under the name of ‘risk management’ are ineffective, unnecessary, and even dangerous. Here are some simple signs which could indicate that your organisation might be able to make significant improvements to how it deals with risk.
1. There is a team producing a monthly or quarterly ‘risk report’
2. Risks are assessed using a colourful matrix with scores such as ‘low’, ‘medium’, and ‘high’
3. Risk managers email copies of risk registers to departments and ask them for updates
4. The Risk Team don’t/can’t carry out quantitative risk analyses
5. The organisation produces a list of its top risks, but without using any numbers
6. ‘Cybersecurity’ is listed as a top risk
7. ‘Failure to achieve planned outcomes’ is listed as a top risk
8. The three lines of defence is promoted as an effective model of risk management
9. Managers don’t request any input from the risk team
10. Internal audit fails to pick up on these issues
There are lots more, but this is a start. Let me know what you think. If you don’t understand why these are ‘bad things’, then get in touch and we’ll help explain why, and let you know what you could do to get risk management working effectively in your organisation.