Risk management isn’t risky … but implementation projects can be.
Risk management concepts can be transformative to an organization. Any organization – whether for-profit or not, whether large or small – can be transformed. When done correctly, risk management concepts can assure that management’s attention is always on the right things, and never on the wrong things. When done correctly, they help assure that everyone has a consistent view of what makes the organization successful and, conversely, where disasters could be lurking. When done correctly, better decisions are made at every level in the organization.
So why hasn’t every organization formally implemented risk management? Here are a few thoughts.
It may not be clear what a risk management project can actually deliver
Projects should not have fuzzy goals. Unfortunately, that’s often exactly the situation for poorly-planned risk management projects. One of the underlying reasons is that risk management, itself, can mean different things to different people. Also, risk management can seem dramatically different from one case study to the next. It is no surprise that most organizations have not invested in risk management considering the difficulty of defining exactly what it can provide.
It may not be clear exactly how to translate risk management theory into practice.
The next stumbling point is implementation. Most people would agree that risk management is, at its core, an essentially intuitive concept. The problem isn’t with the ‘idea’ of risk management. Instead it stems from the supplemental concepts, such as “risk appetite”, that attempt to make risk management more practical. These supplemental concepts might make perfect sense when they are discussed, philosophically, in a meeting room but they often fall apart when they move into the untidy real world. As a result, when organizations take their first stab at risk management, they may get discouraged when the real world creates ambiguities, circular logic, and a notable lack of relevant concrete examples.
It may not be initially clear how risk management can provide long term value.
Thinking forward, how will this initial effort benefit the organization long-term? In some cases executive leadership may initially imagine risk management as a stand-alone activity that’s dusted off and updated every year or two. Understandably, it’s hard to see ongoing value in such an approach. The practical benefit of how it can help the organization achieve its goals better and faster may not be obvious or intuitive. One thing is clear – as long as it’s separate from the normal day-to-day management activity it cannot become transformative.
As you’re considering a risk management implementation project, you must address and resolve these issues to achieve the benefits that risk management can deliver.
There are ways to remove these obstacles. Stay tuned.
Charles D. Schrock 
The COSO and ISO standards do a decent job of laying out risk management concepts but don’t provide guidance on practical implementation of a risk management framework. Thanks for taking this discussion forward to help CFOs implement!