The Important Risks That Are Overlooked but Should Come First

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Survey after survey talks about the top 10 risks or some similar list. For example, look at the 2013 Global Risk Management Survey by Aon. It raises some good points, including the refreshing observation that companies are paying more attention to risk management these days.

But I think this focus on a top 10, or even a top 50, misses some massive risks that, in my opinion, a majority of organizations face and that, even when they are recognized, are often accepted instead of corrected. They need to be corrected if the organization is to survive, let alone thrive.

Here are my top risks, based on my personal experience with large global organizations. You can think of them as defects in the organizational vehicle itself, which have to be fixed before you worry about risks in the road ahead (the sort of risks that are included in the studies’ top-ten lists).

For example, check the brakes, oil levels, and tire pressure before you set out. When you know your vehicle is OK, then you can start worrying about traffic, bad weather, and so on. When you know the organization is able to see where it is and a little way ahead (information), has the necessary people and other resources, can assess its condition (risk and performance management), and react to changing conditions (agility), then you can start worrying about economic slowdowns, legislative changes, and competition (the top three in the Aon study).

  • The board and top management setting organizational objectives and monitoring performance without sufficient information. Studies have shown that >70% of directors are dissatisfied with the quality and sufficiency of the information they receive. At a minimum, organizations should identify the level of risk in their assumptions (including the assumption that the information they have is correct) and take action to minimize it.
  • A failure to consider risks when establishing strategies and objectives. Risks are identified only after strategies have been established, creating the risk that the wrong strategies and/or objectives are chosen.
  • Executives making business decisions without adequate, current, timely, and reliable information. They may be used to making decisions based on their intuition, experience, and judgment. But these days quality information is much more likely to be available than in the past. Managers should seek out all available information and, if it is not available, take steps to make sure it is available in the future.
  • A failure to consider risk when making day-to-day business decisions. Many, if not most, companies consider and assess risk only occasionally (some only annually) instead of integrating the consideration of risk into the fabric of management. Some have appointed risk officers to ‘own’ risk (in a silo) rather than making it clear that operating managers own risk and the risk officers are there to help.
  • An inability to monitor risk as it changes, which is very often at least daily. There is little excuse for this when today’s technology enables continuous risk monitoring. If there is a reason, it is that management does not recognize the value of, and need for, risk information so that it can make better business decisions every day. This is compounded when insufficient resources are committed to monitoring, assessing, and acting upon changes in risk levels.
  • A failure to communicate and explain the personal relevance of organizational strategies to every manager and decision-maker. As a result, decisions are made that are not consistent with the overall strategy, resources are misallocated, and steps necessary for the achievement of objectives are not taken. It is not sufficient to require every manager to link their personal goals and objectives to one or more corporate strategies: each corporate strategy should be analyzed in detail and every manager told what is required of them. If they are working on other tasks, those tasks need to be justified. In other words, drive goals and objectives down rather than having managers reach up to try to attach what they want to do to what is necessary to do.
  • Putting cost considerations ahead of the quality of the management team and the workforce in general. When mistakes are made (including control failures) it always comes down to people: the wrong people, people without sufficient training or experience, overworked people, and/or insufficient people to do the work. People risk should be continually assessed and understood, and cost should not be cut blindly.
  • Processes and systems that cannot move and adapt, which is to say a lack of agility. The organization needs to understand how tightly its feet are bound and at least take steps to relieve the pressure so that it can move when necessary to seize a new opportunity or avoid becoming obsolete when its business model is disrupted.
  • A board that is unable to provide effective oversight. Reasons might include a lack of business insight and knowledge; an inability to challenge management by asking the right questions, perhaps because the directors have grown too close to management and formed a personal bond with them; a lack of understanding of strategy, risk management, and/or technology; or simply a failure to allocate sufficient time and attention to their responsibilities.
  • A conflict between the personal interests of the executive team (short-term results, bonuses, stock appreciation) and the long-term interests of the organization as a whole. With CEOs spending less time at the helm than ever before, and with the massive sums they are rewarded for immediate results, this is understandable, but it is an avoidable major risk to the organization. Add to this the risk that politics within management ranks prevents managers from sharing information and resources, leads them into destructive competition, and generally deters success. It is a rare organization that does not suffer from this disease, and its impact on both short- and longer-term success is significant, even if generally ignored.

I have come up with 10. How would you change or add to the list? Do you agree that these come first before worrying about the Aon top 10?

Posted on Apr 23, 2013 by Norman Marks


  1. Hi Norman. I cannot dispute the list of items above which you have been able to compile based on your considerable experience. They would seem to reduce to the following:

       poor skills of board members / poor knowledge of their roles (failure to use info, no consideration of risk, ineffectiveness)

       poor skills of executives (no use of info, no consideration of risk, no communication of strategy, no risk monitoring)

       culture of short-term focus (costs rule, conflicts of interest)

       deficient systems and processes.

     I would prefer not to class these as risks, however, but as drivers of risk. Risks result from these, such as the risks of fines and damages or loss of reputation or claims for aggressive selling practices or defective products, pursuing inappropriate market segments, relying on obsolete delivery structures, etc.

     In a word, they are not events of loss or the quanta of such losses, but they are very definitely the sources of loss events. In fact, drivers of risk are far more important to understand than the loss events themselves, because it is by manipulating the drivers that risks are controlled. Only if one is unable to influence the drivers or react to them does one resort to treating the ailment (i.e. acquire insurance or provide a capital reserve).

  1. Hi Norman

    The thing I like about your list is it transcends time and trend. Glad to see #2 in there, it's a biggie, particularly for anyone doing work as a CRMA.

    My analysis of Australian companies experiencing double-digit percentage share price declines is that most arose from strategic risk (#2). How I interpret this is that organisations are better at managing operational risk than they are at managing or adapting to strategic risk.

    I've attached a link to a 2010 article I wrote for IA Magazine which looked at a number of top 10 lists. Just click on my name at the top of this post.


  1. Dear Norman, I find your list of the highest quality and relevance, and congratulate you on its analytical rigor and practical language. Best regards, Frank
  1. It surely is a great list, and I can't argue with it. I love lists. So what it needs now is the preventative action points or 'golden rules'. I might suggest 5 for each point, so that then becomes 50 top tips!!! Who is going to write it first?

  1. I do not agree with Greg. I think losses, fines, damages... all these are the impacts of risks, not risks in themselves.
