Are Your Risk Assessments Reliable?
Every so often, we hear about a military mission where something went wrong. For example, the intelligence might have said that a targeted individual was thought to be in a certain location — but when the military attacked that location it did not find the sought-after person.
In the same way, business leaders make decisions based (at least in part) on information about risks and opportunities.
The Effects of Unreliable Risk Assessments
If a risk assessment is unreliable, wrong decisions may be made with serious effects.
For example, if the risk is seen as high that a competitor will shortly release an advanced version of a competitive product, the management team may decide to accelerate the launch of its own product, even though its development team say they are not quite ready.
On the other hand, if the competitive product release risk is assessed as low, management may wait and spend more time on product quality.
If the risk assessment is faulty and leads management to make the wrong decision, there may be severe damage.
Going to market too early with a less than perfect product can lead to customer dissatisfaction and longer-term revenue losses.
Going to market too late allows competitors to steal market share and cause people to question whether the company can be a market leader.
Are risk officers (CROs and their teams) confident in the risk assessments they make or facilitate?
If a risk (of any type) is assessed as, let’s say, ‘high’ (whatever that means), how confident is the CRO and/or the management team in that assessment? Are they 100% confident? I doubt it. How about 90% or 80%?
I doubt that many CROs think about the likelihood that any of the risk assessments they make or facilitate are reliable.
Understand the Reliability of Your Risk Assessments
CROs need to understand the likelihood that each risk assessment is or is not reliable.
Related risk factors may include:
- Cognitive bias. See previous posts: "Understand Your Own Bias as a Practitioner" and "Are Your Business Decisions Failing Because They Are Biased?"
- Incomplete information, including not involving all the people who have relevant information and insights.
- Information that is out of date.
- Inaccurate information, for example portraying risk as a point instead of a range.
- Information that is hidden or difficult to find and use. For example, some organizations have a risk matrix with more than 50 columns, let alone the number of rows. How can decision-makers be expected to find the nuggets of actionable information they need in such a mess of data?
Of course, many factors may lead to risk assessments that need to be taken with a grain, a pinch or a bucket of salt.
The issue is whether the CRO understands the level of salt required. Should management make business decisions based on the available risk assessments?
If the likelihood of error in a risk assessment is unacceptable, should the decision be delayed until improvements are made — if that is even possible?
What do you think?
About the Author
Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management, and he publishes regularly on his own blog.