
Inside Internal Controls

News and discussion on implementing risk management


Those lists of greatest risks all miss the BIG one


When something goes wrong, 99.999999% of the time it’s because somebody made a poor decision (at least in hindsight).

You ask the individual responsible, “What were you thinking?”

That is quickly followed by, “You weren’t thinking, were you!”

The BIG one, the root cause of failure and the greatest source of harm to any organization and its success, is the likelihood of a wrong decision that has major ramifications.

I discussed this in World Class Risk Management and extended the discussion in Making Business Sense of Technology Risk, where I made a distinction between strategic decisions (which include setting objectives and strategies) and tactical decisions.

We should be concerned if the likelihood of poor decisions, especially but not limited to important ones, is higher than we can tolerate.

What are the root causes of poor decisions?

There are many, including:

  • Poor framing of the decision
  • The wrong people making the decision
  • Relying on information that is not complete, accurate, or up-to-date
  • Not seeking all relevant information
  • Cognitive and other bias
  • Not including others that either have relevant information or who might be affected by the decision
  • Not considering all relevant options
  • Poor identification and assessment of what might happen, both good and bad, for each option
  • Failing to understand the ramifications of the decision when it comes to the achievement of enterprise objectives
  • Putting personal or team benefits ahead of those of the organization
  • Haste
  • Delay
  • Poor communications
  • Inadequate change management
  • Politics
  • Pressure
  • Incompetence
  • … and so many more

As you look at your own decisions, those of your team, your peers, your partners, and elsewhere across the extended enterprise, do you have reliable assurance that informed and intelligent decisions will be made?

What can and should you and others do about it?

I think there are roles for both risk and audit practitioners.

I welcome your comments.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.