7 Risk Management mistakes you are making right now

“The key difference between grandmasters and amateurs in chess is that grandmasters focus on avoiding mistakes and amateurs try to win quickly”

Organisations can spend huge amounts of money on risk management software that implements complicated frameworks and models. They can also spend huge amounts of resources on hiring consultants to help them implement and understand such frameworks. However, time and time again we see organisations fail at managing risks, and often these failures are publicly visible: the global economic crisis, the British Petroleum oil spill and the VW recalls, to name just a few.

The reason usually given for such failures is that the world has changed and conventional risk-management techniques are no longer sufficient to cope with the changing environment. These reasons are most often cited by consultants or software vendors who, in all likelihood, are trying to promote their own risk software or service as a substitute. In our opinion the real reason why organisations frequently fail at managing risks properly is the following 7 mistakes.

7 Risk Management Mistakes

1. Using historical data as an indicator for future events

Managers often use hindsight as foresight when determining the probability of risks; however, research has shown that future events often have very little relation to past events. In fact, it is often said that it is better to use a coin toss to determine the probability of an event than to use historical data, because at least with a coin toss the success rate is 50%.
You will also find that the term “unprecedented event” is often used as an excuse when an unexpected event occurs that an organisation is unprepared for. This is mostly a side effect of a fixation with historical data and relying on it to predict the probability and severity of future events. The truth is that today’s world is changing at a fantastic pace and is filled with complex interdependencies and socioeconomic randomness; consequently the effects of events either do not eventuate as expected or cause a huge reaction (a Black Swan event) which is nearly impossible to mitigate.
Instead of relying on historical data, the organisation must rely on the knowledge and experience of its employees, who understand the business and the environment it operates in, to gain the insights required to predict future events and their probability.


2. Not searching for hidden risks

It is commonplace to see organisations conduct risk workshops to determine business risks. Although this technique is a good initiative to get the ball rolling and unearth obvious risks, it is not effective in determining important risks that are hidden away, intentionally or unintentionally, by employees of the organisation.
There are several reasons why employees may not report potential risks. They may not be aware that a risky situation exists, they may assume that the organisation is already aware of the risk, or worse, and this is the most serious factor, they may hold back the information on purpose. The latter may be the case if the organisation imposes harsh penalties on those who are responsible for a risk eventuating; in such a situation those responsible choose not to report such risks.
The organisation must educate its employees and make it easy and transparent for them to report risks; it must also provide incentives (preferably as a KPI) that promote the reporting of risks within the organisation.


3. Spending too much time predicting extreme events

Spending a lot of time determining extreme events (Black Swan events) can be a huge waste of time and resources. The reasons are, firstly, that organisations have a very poor track record in predicting such events and, secondly, that by focusing too much time on these events the organisation may lose sight of other, more probable risks which would cause more damage than extreme events ever would.
Hence, rather than spending time predicting the probability of such extreme but rare events, it is more effective to focus on the consequences of the more probable events. This allows the organisation to measure how well it would be able to cope with moderate changes in its environment. In simple terms, if the organisation is unable to withstand a minor storm then it is unnecessary to determine how it would cope in the face of a hurricane.


4. Ignoring the psychological aspects of risk framing

The way a risk is framed may cause two managers to come to completely different conclusions about the consequences of that risk. For example, in one study participants were much more likely to invest in a stock where the chance that they would lose all their money was once every 30 years than in a stock where there was a 3.3% chance that they would lose a certain amount each year. The chance of losing some money each year sounded more risky to the participants even though statistically the two meant the same thing.
Care must be taken when framing risks so that the person making the judgement is not swayed into going towards a particular conclusion.


5. Carrying out Risk Management independent of business objectives

Many organisations go on a risk discovery crusade in which they try to uncover every single risk under the sun; however, they do this without first defining or understanding the business objectives. Organisational objectives or goals act as a compass for all organisational efforts, and risk management is no different. Risk management must be used to uncover any threats or opportunities that help the organisation prepare for and achieve its objectives.

For example, an organisation’s objective may be to reduce costs by outsourcing production of certain products to an external supplier. In such a situation, management should direct its efforts at identifying and managing all risks related to outsourcing production to an external supplier. Now consider that the organisation drops the objective and decides to bring production in house again. All risks associated with outsourcing should be dropped as well, because they were directly related to a business objective. Similarly, all risks in the organisation must be related to some concrete business objective; otherwise the risk may not merit assessment and should be removed from the risk register.


6. Believing that all risks are created equal

Quantitative analysis conducted using 3x3 matrices can look very scientific and provide quick and easy results for complex risk questions. However, this leads to oversimplification, and as a result the organisation fails to distinguish clearly between greater and lesser risks because all risks end up in either the “High” bucket or the “Medium” bucket.

An organisation can overcome such a situation by providing clear and measurable instructions to managers when conducting such assessments. For example, some organisations quantify risk tolerance by providing a dollar value associated with each level of financial impact, or a number of hours of work lost in the case of a safety impact. Some organisations specify that a risk may only be classified as high if it requires senior management involvement or causes disruption to the overall business objectives.
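To make the point concrete, here is an added example (not code from the original post) that scores a few constructed risks both ways: once through a typical 3x3 matrix and once against quantified tolerance thresholds expressed as annualised expected loss. The risks, probabilities, dollar impacts and thresholds are all assumptions chosen for illustration.

```python
"""Why a 3x3 matrix collapses distinct risks into one bucket, and how
quantified tolerances separate them. All figures below are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    annual_probability: float  # chance the event occurs in a given year
    impact_usd: float          # loss if it does occur


def matrix_bucket(risk: Risk) -> str:
    """Typical 3x3 matrix: likelihood and impact each scored 1-3, the
    product mapped to Low / Medium / High. Band edges are assumptions."""
    likelihood = 1 if risk.annual_probability < 0.1 else 2 if risk.annual_probability < 0.5 else 3
    impact = 1 if risk.impact_usd < 50_000 else 2 if risk.impact_usd < 500_000 else 3
    score = likelihood * impact
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def expected_loss(risk: Risk) -> float:
    """Annualised expected loss: the measurable figure the post recommends."""
    return risk.annual_probability * risk.impact_usd


# Assumed tolerance bands: expected loss above which senior management
# must be involved (High) or a named owner must track it (Medium).
HIGH_THRESHOLD_USD = 200_000
MEDIUM_THRESHOLD_USD = 20_000


def quantified_bucket(risk: Risk) -> str:
    loss = expected_loss(risk)
    if loss >= HIGH_THRESHOLD_USD:
        return "High"
    return "Medium" if loss >= MEDIUM_THRESHOLD_USD else "Low"


# Constructed register: three of these land in the matrix's "High" bucket
# even though their expected losses differ by a factor of four.
CONSTRUCTED_RISKS = [
    Risk("Key supplier insolvency", 0.6, 600_000),   # EL 360,000
    Risk("Office flood", 0.2, 600_000),              # EL 120,000
    Risk("Phishing-driven payroll fraud", 0.6, 150_000),  # EL 90,000
    Risk("Laptop theft", 0.9, 3_000),                # EL 2,700
]


def compare(risks: list[Risk]) -> list[tuple[str, str, str, float]]:
    """Return (name, matrix bucket, quantified bucket, expected loss),
    ranked by expected loss so the real ordering is visible."""
    ranked = sorted(risks, key=expected_loss, reverse=True)
    return [(r.name, matrix_bucket(r), quantified_bucket(r), expected_loss(r)) for r in ranked]
```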


7. Failure to communicate effectively

A manager may be able to navigate all the pitfalls stated previously, but if the manager fails to communicate effectively to the board or the CEO then none of the above gains matter. This is because the people who eventually make the decision about a risk need to clearly understand its severity and the actions required to control it. The risk system must be able to clearly and effectively summarise and communicate the information so that it is understood by experts and non-experts alike and key decisions can be made in a timely fashion.


In the end we should keep in mind that the biggest risk to risk management is us. Human beings consistently overestimate their abilities and underestimate what can go wrong. Hence, we should overcome the urge to make decisions based on intuition and instead rely on our knowledge and the objective criteria available to us to make the best decision possible.

