Can Risk Management be a “Risky” Task?

By Ayse B. Nordal


  1. Background

Private and public companies, financial institutions, individuals and even states are living in a risky world. This makes risk management an important and responsible function in every organization. Is risk management also a “risky” task? Which factors and shortcomings may affect our work and our ability to provide a reasonable assurance to our Boards, stakeholders, owners and management? Can we mislead our organizations, ignore or underestimate our risks?

  2. What is expected from us?

FERMA’s (Federation of European Associations) last benchmarking survey, from 2012, shows that risk management objectives for companies’ top management are unchanged compared to 2010.[1] Traditional objectives remain at the top of the list: provide a reasonable assurance that major risks are identified, prioritized, managed and monitored (76%) and minimize operational surprises and losses (63%). Many factors affect our efforts to meet these expectations. It is important that we also identify the risks involved in our risk management efforts.

  3. Some factors which may affect our work


  a) The “risk appetite and balance of powers” trap

Depending on an organization’s size, culture and priorities, the risk management function can consist of a single champion, a part-time manager or a full-scale department. Risk management, internal audit and quality assurance/continuous improvement functions may be well-integrated and complementary, as well as competitive.

The FERMA survey shows[2] that there is a correlation between the maturity of the risk management function and the risk manager’s close and regular relationship with the Board. Only 7% of companies with an “emerging” risk management function can refer to such a relationship, whereas in 42% of companies with an “advanced” risk management function the risk management topic is completely embedded in reporting to the Board.

The risk manager’s ability to influence the company’s risk appetite may be limited by the risk management function’s maturity, standing and organizational place, as well as by the degree of powers guaranteed to the risk manager by the legislation of the country in question.

According to Chizubel Egwudo, risk appetite is derived from the combination of risk exposure and risk capacity. The risk team, in collaboration with the management team and the Board, can arrive at an appetite level that is realistic[3]. However, the degree of said collaboration will be decisive for success.


  b) “Endogeneity vs. exogeneity” trap

Risk assessment processes are pragmatic and result-oriented. The aim is to identify the risks and define actions which give the organization reasonable assurance of satisfactory monitoring. While identifying these risks, the company gives highest priority to the endogenous factors, which may be influenced by the company. This is a correct strategy. However, the risk manager should also give “exogenous factors” some attention and try to find out how the legal environment, competitors, political actors and other environmental factors can influence the company. This effort will reduce operational surprises and losses and will contribute to the identification of “gray” swans, which might otherwise be wrongly classified ex post as “black swans”.[4]

  c) “Easy way out tool” trap

Even in Europe today, the risk management tools employed by managers are not sophisticated. FERMA’s benchmarking analysis shows[5] that risk assessment workshops are now used by 60% of European companies. This trend is followed by all industries except the automotive sector, which considers databases the primary tools for managing risks (71%). Results reveal that only a few countries (e.g. Italy, Russia, and Spain) are building their risk approach on databases. Benchmarking is moderately used, especially in Italy (36%), Germany (33%) and the UK (33%). Advanced quantification is still poorly used among European countries. Stochastic aggregation models of business-unit-level risk mappings are used by only 11% of the companies. Value-at-risk simulation models are used by less than 25% of the companies.

In my experience, the most common approach to risk management is using a two-dimensional matrix with impact and likelihood in a risk assessment workshop, where the participants rank and quantify the probability and consequence by votes.

Two-dimensional matrices are good starting points for discussions. However, this analysis alone does not give the risk manager information about the following:

  • risk categories
  • interdependencies and correlations between risks
  • risk ownership
  • risk dynamics

The types of monitoring measures a company will choose, the expertise it will need and the actions it will initiate will depend on the risk categories it is confronted with. A risk manager should have a clear overview of these.

Interdependencies between risks are not visible on a two-dimensional risk matrix. It is important that the risk manager knows the correlations when assigning priorities to monitoring actions. Some actions will have multiple win-win effects depending on correlations.

Identifying and quantifying risks alone will not create results if each risk cannot be assigned an owner.

Defining and quantifying the risks at a point in time does not tell much about their development over time. When actions are subject to lead and lag effects, it is crucial to know the development over time.

One should also remember that votes in risk assessment workshops are highly affected by the perception of the participants. On the other hand, being risk averse or fond of risk depends highly on the company culture.

  d) “Focus on the negative” trap

ISO 31000 represents a change in how risk is conceptualized. The standard no longer defines “risk” as the “chance or probability of loss”, but as “the effect of uncertainty on objectives”, thus causing the word “risk” to refer to positive possibilities as well as negative ones.

Every organization has to take some risks. Identifying the “upsides” will necessitate an analysis.


Risk managers all over the world try to do their best to understand, assess and quantify the risks, to be able to provide the Board, shareholders and management with a tool for strategic choices and decisions.

It is important that from time to time we stop and evaluate the risks involved in our own work.



[1] FERMA European Risk Management Benchmarking Survey, Keys to Understanding the Diversity of Risk Management in a Riskier World, p.18

[2] Loc. cit. p.28

[3] Chizubel Egwudo, “Defining Risk Appetite and Risk Threshold”,

[4] For general reference: Geary W. Sikich, “When a black swan not a black swan”

[5] Loc. cit. p.33