Are Your Risk Assessments Reliable?

September 19, 2022 Information Management
By Norman Marks

Every so often, we hear about a military mission where something went wrong. For example, the intelligence might have said that a targeted individual was thought to be in a certain location — but when the military attacked that location it did not find the sought-after person.

In the same way, business leaders make decisions based (at least in part) on information about risks and opportunities.

The Effects of Unreliable Risk Assessments 

If a risk assessment is unreliable, wrong decisions may be made with serious effects.

For example, if the risk is seen as high that a competitor will shortly release an advanced version of a competitive product, the management team may decide to accelerate the launch of its own product, even though its development team say they are not quite ready.

On the other hand, if the competitive product release risk is assessed as low, management may wait and spend more time on product quality.

If the risk assessment is faulty and leads management to make the wrong decision, there may be severe damage.

Going to market too early with a less than perfect product can lead to customer dissatisfaction and longer-term revenue losses.

Going to market too late allows competitors to steal market share and causes people to question whether the company can be a market leader.

Are risk officers (CROs and their teams) confident in the risk assessments they make or facilitate?

If a risk (of any type) is assessed as, let’s say, ‘high’ (whatever that means), how confident are the CRO and/or the management team in that assessment? Are they 100% confident? I doubt it. How about 90% or 80%?

I doubt that many CROs think about the likelihood that any of the risk assessments they make or facilitate are reliable.

Understand the Reliability of Your Risk Assessments

CROs need to understand the likelihood that each risk assessment is or is not reliable.

Related risk factors may include:

  • Cognitive bias. See previous posts: "Understand Your Own Bias as a Practitioner" and "Are Your Business Decisions Failing Because They Are Biased?"
  • Incomplete information, including not involving all the people who have relevant information and insights.
  • Information that is out of date.
  • Inaccurate information, for example portraying risk as a point instead of a range.
  • Information that is hidden or difficult to find and use. For example, some organizations have a risk matrix with more than 50 columns, let alone the number of rows. How can decision-makers be expected to find the nuggets of actionable information they need in such a mess of data?

Of course, many factors may lead to risk assessments that need to be taken with a grain, a pinch or a bucket of salt.

The issue is whether the CRO understands the level of salt required. Should management make business decisions based on the available risk assessments?

If the likelihood of error in a risk assessment is unacceptable, should the decision be delayed until improvements are made — if that is even possible?

What do you think?

About the Author

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management, and he publishes regularly on his own blog.
