Upgrade to receive CPD certificate + full access

Learn More
UPGRADE
RISK AWARENESS WEEK 2024 RISK AWARENESS WEEK 2024

Why Are Risk Managers So Bad at Root Cause Analysis?


It’s puzzling, isn’t it? Risk management, a field that has been formalized and standardized in non-financial companies since the 1990s and accepted widely by 2009 with the publication of ISO 31000 somehow doesn’t seem to make the seismic shifts we anticipated. As I leaf through articles in Forbes, I find more “risk management has failed again” than “success” stories.

Risk managers worldwide have been scratching their heads over the issue. Every risk management conference, every risk survey, many academic studies, and working groups have tried to identify the barriers to risk management effectiveness. But the irony is stark; the conclusions drawn often seem to be skimming the surface, leaving the root causes untouched. So, what’s going wrong?

The Problem of Poor Root Cause Analysis

In my eyes, the answer is clear, albeit a bit harsh: risk managers must be really bad at the basic skill of root cause analysis. Now, before you argue, let’s dig a little deeper.

Year after year, common culprits are identified for the pitiful performance of risk management: lack of integration, poor application, need for staff education – the list goes on. However, these reasons seem more like red herrings, distractions from the real issues at hand.

Instead, I argue that the root cause is the fundamental flaws in the design of risk management itself. Let’s take the most popular example – the concept of Enterprise Risk Management (ERM). It’s not that our staff need better education or that somehow we are implementing it wrong. ERM is flawed by design.

It is nonsense to even attempt to implement ERM across the organization. Here is a challenge: write any ERM principle in the comments below, and I will explain how it is flawed and what a better alternative is. There are many practical and useful risk management ideas under the umbrella of ERM, but the way these ideas are brought together and packaged as ERM is just bad business.

The Flaws in Traditional Risk Management Practices

What about the next favorite, qualitative risk assessments – a cornerstone of current risk management practices. They’re often disregarded, not because employees lack the knowledge to comprehend them, but because they’re inherently misleading.

Decision-makers ignore risk managers with their risk workshops not because they are evil; they see right through the flaws in the methodology to realize what a waste of time they are.

Risk workshops meant to uncover hidden threats often turn into echo chambers, where loud voices dominate and real risks are overlooked.

Lack of Practical Integration

One of the most cited reasons for risk management failures is the lack of integration with business processes. But what does integration really mean? It’s not just about having risk management be a checkbox in your operational procedures. True integration should be seamless, where risk management practices are part of the natural workflow rather than an additional burden.

Poor Application of Risk Management Tools

The application of risk management tools often remains superficial. For instance, many risk managers deploy a vast array of tools without tailoring them to the specific context or needs of an organization. This 'one size fits all' approach leads to inefficiencies and, more critically, renders the tools ineffective.

Need for Staff Education

Training and education are indeed important, but they often occur in silos. Many risk managers assume that just because staff have attended a workshop or a seminar, they are equipped to handle complex risk management tasks. This naive assumption leads to a false sense of security and poorly managed risks.

Rethinking Risk Management: A Call for Change

The current landscape of risk management demands more than just tweaks and incremental changes. It calls for a revolution in thought and practice. Here are some suggestions:

Embrace Quantitative Methods

Quantitative risk assessments, when done correctly, provide clear, numerical data that can significantly enhance decision-making. Instead of relying on subjective judgments, organizations should invest in robust statistical tools and training.

Foster Open Dialogues and Genuine Collaboration

Workshops shouldn’t just be about checking the box. Risk managers need to foster environments where every participant feels comfortable voicing their concerns. Techniques like structured brainstorming and scenario analysis can help in ensuring that diverse perspectives are considered.

Address Systemic Issues in ERM

While ERM holds promise, its current implementation is flawed. Organizations should focus on breaking down ERM components to see which parts genuinely add value and which are mere corporate jargon.

The Path Forward

Risk management isn't just about identifying and mitigating risks; it's about creating a resilient organization that can adapt and thrive in uncertain conditions. To achieve this, we must go back to basics: understanding the root causes, challenging conventional wisdom, and being unafraid to innovate.

The road to effective risk management is long and fraught with challenges, but by addressing the fundamental issues and embracing a more rigorous approach to root cause analysis, we can turn the tide and start seeing more "success" stories in the headlines.

Want to elevate your risk management skills? Join professionals from around the globe at Risk Awareness Week (RAW2024) to dive deep into effective risk management methods and root cause analysis. Don't miss out on expert insights and practical tools to revolutionize your approach. Register now and transform your organization's risk strategy!

Talk to our AI risk management advisor 👋 🕵🏽‍