
Inside Internal Controls

News and discussion on implementing risk management


Risk management: What academics fail to understand

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School. I have never had the privilege of meeting him. His colleague, Anette Mikes, was with Bob at Harvard and is now Professor of Accounting and Control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes Anette. I have heard her speak, but have never met her one–on–one. Anette has made important contributions to the academic study of risk management that include a case study of John Fraser’s Hydro One[1] and a similar case study on LEGO[2].

On earlier occasions, I have shared my thoughts with Anette Mikes on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School Working Paper, Risk Management—the Revealing Hand[3].

While there is some value in the paper, such as its insistence that risk management must be continuous and its discussion of over–reliance on models, it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organization to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in their 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from the 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believing that risk management supports their ability to develop and execute on business strategy very well.

How can risk management practitioners demonstrate value and a significant contribution to the success of an organization when they:

  • Focus on a list of potential harms?
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics?
  • Talk in technobabble instead of the language of the business?

I see risk management as about:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans, and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization towards its objectives
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives, and what (if anything) we need to do about it
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo
  • Knowing how to assess and evaluate the potential for any event or situation to have good, bad, or a combination of good and bad effects—and providing a structured process for making decisions about the path forward
  • Intelligent and effective management that enables the organization to succeed

Kaplan and Mikes say that there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note, EY and Aon have released studies that say that organizations with better risk management obtain better long–term financial results.)

Is that because they don’t understand what risk management should be? That it is not about managing a list of potential harms—what Jim DeLoach calls Enterprise List Management? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out? Or, would you dismiss the pessimist with disdain?

A few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go”—COSO
  • Risk management enables “A greater likelihood of achieving business objectives” and “More informed risk–taking and decision–making”—COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise”—National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in (and impacts) everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.”—EY
  • “You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.”—EY
  • “The job of risk [management] is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved”—Deloitte

I can tell you that the risk management programs at Hydro One and LEGO do not limit their work to potential harms. They consider the potential for reward as well as harm. They work to help management succeed.

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it’s because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks—what Jim DeLoach correctly calls ‘enterprise list management’.

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the CRO gives him is a list of what could go wrong? He needs help to see what might happen, both good and bad, and what to do about it—in other words, risk management needs to be seen by the CEO as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we move both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.

Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management

[1] Enterprise Risk Management at Hydro One (A), Anette Mikes

[2] The LEGO Group: Envisioning Risks in Asia (A), Anette Mikes and Dominique Hamel

[3] Risk Management—the Revealing Hand, Robert S. Kaplan and Anette Mikes
