Risk management horror stories
There are plenty of horror stories from the world of risk management out there. I’m not talking about bad decisions, poor strategies, mistakes or accidents, but rather cases where people have not thought, not engaged, not understood, or just not cared about risks and the people trying to do something about them. Here are a few I’ve witnessed personally. Behind each of these is an opportunity for learning, for improvement, for change, and for transforming risk management into something which adds real value to your organisation.
If you want to know how to overcome examples like these please get in touch and we'll help you do things properly.
1. "I don’t know why you’re coming to see me, we don’t have any risks in this part of the project."
2. "There are too many red risks in this report. That doesn't make us look good. Can you bring a few of them down so they’re orange."
3. A risk team spending hours producing colourful heatmaps in Word because they didn't know how to use the risk software that was already in place within the organisation.
4. "I need you to change this risk maturity report because it doesn’t show us in a good light. Your conclusions are too negative, and as we've already spent the money on the work it needs to show something positive."
5. An auditor: I don’t like the ISO framework for risk management.
Me: Ok, why's that?
Them: I don't rate ISO.
Me: Oh, how come?
Them: I just don't.
6. A Chief Risk Officer promoting the use a 5x5 matrix to assess risk, then taking a numerical average of peoples' scores for each risk, resulting in values to two decimal places. The top risk 'score' was 21.87 and the organisation thought this must have been a very precise assessment.
7. A software vendor dumbing down risk assessment to the point they could drag-and-drop icons into coloured boxes rather than any actual maths or evidence to score risks.
8. "You can't use Monte Carlo simulation here because we don't have enough data" - an auditor.
9. Numerous vendors who claim their software/methodology/process/policy is 'best practice' but are unable to offer any evidence to support their claim.
10. A consultant claiming that risk assessment could be improved by adding an arbitrary value between 1 and 5 for 'time' to the already-arbitrary likelihood x impact equation.
11. A Big 4 consultancy who claim to improve risk analysis by introducing two further arbitrary values to the already-arbitrary likelihood x impact equation.
12. A large public sector organisation who believes their risk appetite is the line between orange and red risks on the corporate risk matrix. The person promoting this doesn't seem to realise that it's totally subjective, mathematically nonsense, and only adds confusion.
13. Confusing a risk with an outcome and getting stuck in a loop. 'There's a risk that if we don't meet our objectives for next year we won't be able to meet our objectives for the following year.'
14. People calling themselves risk managers who are unable to perform quantitative risk analysis, bowtie analysis, Monte Carlo simulation, or decision trees. Risk managers who are only able to use 1 of the 31 recognised risk assessment techniques (a technique which has been conclusively proven to be flawed, and is described as 'very subjective' in the official guidance).
15. Paying firms of consultants over £1500 a day to deliver several of the things listed above.
I'm sure there are many more - feel free to add your own.