Excellence in Risk Management Is More Dream Than Reality

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


Marsh is one of the leading insurance brokers and risk management consulting organizations. In partnership with the Risk Management Society (RIMS), they have published a Special Report: Excellence in Risk Management XI – Risk Management and Organizational Alignment: A Strategic Focus (registration required).

Their summary of the report says:

“While risk management is playing a more strategic role within organizations than ever before, many are not using the full potential of the function, according to the 11th annual Excellence in Risk Management survey, published by Marsh and RIMS.

“Ninety-three percent of C-suite respondents to the survey indicated that risk management carries either some or significant impact on setting their organization’s business strategy, with 76% confirming that their organizations treat risk management as a key strategic function. However, when asked whether their organization uses the risk management function to its fullest abilities, only 20% of C-suite respondents answered affirmatively.

“Among the findings from the report:

  • More than 90% of C-suite respondents said risk management impacts business strategy.
  • Only 25% of risk professionals feel their companies use risk management to its fullest ability.
  • There is a gap between risk professionals’ and the C-suite’s prioritization of cyber risk.
  • The C-suite views risk mitigation and risk identification as key areas in which the use of data and analytics can be improved.”

Marsh seems somewhat optimistic about the progress that has been made. Clearly, some demonstrable improvement has been achieved, with boards and C-suite executives making the risk function a more important part of their organization.

In particular, I am encouraged that some organizations are moving rising stars into the risk function as part of their path to the top.

However, there continue to be signals that boards and executive management don’t understand risk. There continues to be an emphasis on insurance, reflected in the desire to hire individuals into risk management who have experience as brokers.

Three aspects of the report disappointed me.

First, the authors seem to believe that recognition that risk management and strategy are the responsibility of the risk officer is a good thing. I beg to disagree. While the report bemoans the fact that many look to the CFO to own risk management strategy and execution, there is no mention that risk management strategy and execution should be the collective responsibility of management — executive, senior, and operating management. Recently, I read a consultant saying that risk belongs to the person who owns the loss. That is such a pessimistic view! I would have much preferred him to say that risk belongs to the person who owns performance — the goal!

The continuing focus on the negative, instead of recognizing that effective risk management enables better decisions and drives performance, is a drag on achieving excellence in risk management.

Another disappointment is the failure to say that effective risk management means that risk is considered as an integral part of day-to-day management of the organization. Instead of being (as the report says) an “omniscient” source of knowledge about risk, risk officers should teach managers across the organization to fish (instead of giving them fish). Risk officers should be mentors and guides, together with reporters of cross-functional issues, rather than owners of risk management, strategy, and execution.

Excellence in risk management is achieved when every decision-maker is a risk practitioner.

Finally, I am disappointed with the reported preference of risk practitioners to improve their technical capabilities for such issues as modeling (including the use of Big Data Analytics) and risk quantification. While there is some emphasis on understanding the business, there is insufficient recognition of the need to improve practitioners’ communication skills. How are they to teach managers to fish when they have communication issues — and many do, using technobabble instead of the language of the business?

Risk practitioners should become more like business managers than technicians. They need to understand how they can help the organization succeed, rather than trying to put a statistically accurate value on a particular risk.

IBM has separately published Next Generation Risk Management (downloadable, with registration, here). While it announces that it describes “a framework for successfully managing business and supplier risk in the new global operating environment,” it is focused in a siloed fashion on supplier risk. I say “siloed fashion” because there is no reference to managing risks to enterprise objectives.

How can you manage supplier risk without understanding the effect on enterprise goals and strategies?

While there are useful pieces of information in these reports from Marsh and IBM, they fall short of my standard for excellence in risk guidance.

I welcome your comments.

Posted on May 11, 2014 by Norman Marks


  1.  Excellent analysis as always, Norman.  You've hit the nail on the head.  And to think that this is the state of affairs at organizations which are quite some way up the 'risk management ladder' so to say!  I despair to think about the dismal condition at the other end - organizations without any real appreciation of risk management itself, yet.  And guidance gaffes like this have the potential to drive risk management in the 'wrong' direction for such organizations - into the hands of 'professional risk managers' rather than being owned by business managers who own business performance.

    I just hope serious practitioners of the risk management discipline let go of a fixation with technicalities (which may be of no further use than making a specific risk management resource 'look good') and focus on aspects of real, everyday importance to business, including communication, as you rightly point out.


  2.  Norman, I think your comments hit the mark and risk management professionals should take away a couple of key thoughts: (1) the ability to see the big picture, understand the business, and communicate how risk management supports business growth is far more important than improving technical skills. If you need risk modeling skills for a project, hire a modeling expert for the project. (2) Risk officers should indeed be mentors and have the ability to collaborate with their business colleagues to support strategies and business plans to grow the business.


  3.  Norman,

    You make some excellent points here.

    We have seen so many of these reports by firms and associations in the insurance industry that quite simply miss the point.  But then, what is their motivation to actually tell the truth?

    It seems bizarre to me that those who specialise in what is one of the least efficient forms of risk treatment should be in a position to pontificate on what good risk management should look like.  The uncomfortable truth is that people principally concerned with the purchasing of insurance in organisations are often too junior and do not possess the full range of abilities they need to motivate and mentor an organisation in the way it manages risk.  Using your excellent allegory, how can they teach others to fish if they are neither good fishermen nor good teachers?

    There is one, single characteristic that distinguishes organisations that are effective and getting more effective at managing risk: the person leading risk management has the skills and seniority to motivate people, from the C-suite downwards, to think and behave differently.

    When it comes to strategy, even the expression that "risk management impacts strategy" indicates how little the authors of this report understand about risk and how it should be managed.  Risk management does not "impact" strategy; risk is the effect of uncertainty on the organisation's objectives, and strategic management is risk management is strategic management ...

    This means that when an organisation's objectives are set or reset, this is already only about managing risk.  The method of setting strategy can only be improved by improving the way the risk management process happens as an integral part of that.  For example, this must mean that draft objectives are stress-tested by the activity we call risk assessment and that the business plans are, in effect, risk treatment plans.
