What is wrong with risk management today

Paladin Risk
30 May 2021 19:33

Summary

TL;DR: Rod Farah, principal of Paladin Risk Management, critiques current risk management practice, arguing that although frameworks, registers and documentation are abundant, they rarely result in risks actually being managed. He identifies the core issue as a misunderstanding of what a risk is, and in particular criticizes the ISO 31000 definition as unclear and unhelpful. Farah proposes that a risk be understood as a possible event or incident that, if it occurs, affects organizational outcomes, rather than as "the effect of uncertainty on objectives". His approach calls for a hands-on, control-focused methodology for managing risks, challenging industry norms and advocating greater professionalism in the field.

Takeaways

  • 😀 Risk management today is often more about creating documents and frameworks rather than actively managing risks in real-time.
  • 😀 Many organizations have thousands of risks in their registers but fail to assess or manage them regularly, leading to ineffective risk management.
  • 😀 The core issue with current risk management is that avoidable incidents continue to happen, indicating weaknesses in the control environment.
  • 😀 Hindsight analysis often reveals gaps in controls that could have been identified and addressed if risk management was more proactive.
  • 😀 Definitions of 'risk' vary greatly across different standards and organizations, creating confusion about what constitutes a risk.
  • 😀 ISO 31000 defines risk as 'the effect of uncertainty on objectives,' but this definition is criticized for not accurately representing what risk is.
  • 😀 Uncertainty should not be equated with risk; risk is an event or incident that can be controlled or avoided, not just an uncertain situation.
  • 😀 Effective risk management involves understanding and controlling the causes of risk, many of which are within the organization’s control, such as training and access control.
  • 😀 Many people in the risk management industry lack proper qualifications and experience, undermining the professionalism of the field.
  • 😀 A clearer and more practical definition of risk is needed—one that focuses on events or incidents that impact organizational outcomes, not just uncertainty.
  • 😀 Risk appetite and tolerance should be clearly defined within organizations to understand which risks are acceptable and which need to be mitigated.

Q & A

  • What is the fundamental problem with risk management today, according to Rod Farah?

    -Rod Farah argues that the fundamental problem with risk management today is that organizations are engaging in risk management activities, such as creating documentation and registers, but they are not effectively managing risks. The documentation may exist, but risks are often not actively mitigated, leaving organizations vulnerable to incidents.

  • What does Rod Farah mean by 'we're doing risk management but we're not managing risk'?

    -Farah highlights that while organizations often engage in risk management practices, such as maintaining risk registers and frameworks, they don't actually manage risks in a proactive, ongoing manner. The focus is on documentation rather than real-time risk mitigation or assessment.

  • Why does Rod Farah believe the current practice of risk management is ineffective?

    -Farah believes that risk management is ineffective because organizations typically assess risks only periodically, such as every three, six or twelve months, and treat the register as a document to be updated rather than as a tool for running the business. This point-in-time approach fails to prevent incidents, especially those that would have been avoidable had the relevant controls been in place and monitored continuously between reviews.

  • What role do definitions of risk play in the effectiveness of risk management, according to Farah?

    -Farah argues that the lack of clear, actionable definitions of risk contributes to ineffective risk management. He criticizes the existing definitions, particularly the ISO 31000 definition, which he believes is too vague and leads to confusion about what risk actually is.

  • What is the ISO 31000 definition of risk, and why does Rod Farah find it problematic?

    -ISO 31000 (in both the 2009 and 2018 editions) defines risk as 'the effect of uncertainty on objectives', with a note that the effect can be a positive or negative deviation from what is expected. Farah finds this problematic because it equates risk with uncertainty, which is too broad and implies that organizations have little control over their risks. In his view most risks are within an organization's control, so 'uncertainty' should not be used as a synonym for risk.

  • How does Farah suggest the definition of risk should be framed?

    -Farah suggests that risk should be defined as 'a possible event or incident that, if it occurs, will have an impact on organizational outcomes.' This definition emphasizes the potential impact of an event and focuses on risks that are within the organization's control.

  • Why does Farah argue that uncertainty should not be considered synonymous with risk?

    -Farah argues that uncertainty refers to external factors over which organizations have little or no control, such as global events or political instability. Risk, on the other hand, refers to incidents or events that an organization can control or mitigate, making the term 'uncertainty' inappropriate in risk management definitions.

  • Can uncertainty be a cause of risk, according to Farah?

    -Yes, Farah acknowledges that uncertainty, such as evolving cyber threats or natural disasters, can be a cause of risk. However, he emphasizes that many risks are due to internal factors within an organization, such as failure of controls, rather than external uncertainties.

  • What is the key difference between uncertainty and risk, based on Farah’s explanation?

    -The key difference is that uncertainty is an external factor beyond an organization's control, whereas risk refers to events or incidents that the organization can potentially manage or mitigate. Farah stresses that organizations should focus on managing controllable risks rather than being overly concerned with uncertainties.

  • How does Farah propose organizations should approach managing risks?

    -Farah proposes that organizations should focus on managing risks that are within their control by ensuring effective internal controls. Instead of focusing on uncertainties, they should address preventable incidents through proactive risk management practices and continuous monitoring of controls.


Related Tags

Risk Management, ISO 31000, Control Effectiveness, Definitions, Risk Assessment, Business Risk, Organizational Outcomes, Professionalism, Governance, Risk Register, Risk Professionals