Risk Management Failures

What if I say – “Effective risk management doesn’t provide a guarantee against failure”? Doesn’t that raise questions about the premise and use of the risk management function? The question comes from a research paper by Cornerstone Research titled “Risk Management Failures – What are they and when do they happen?”

The premise of risk management is that it mitigates risks and thereby reduces losses. Hence, the common opinion is that good risk management will ensure success. The fallacy lies in this thinking itself.

For example, everyone questioned the risk management function of banks during the financial crises. The concerns were – Have the risk management functions of the financial institutions failed? Is enterprise risk management a useful tool? To look at it from an Indian perspective, why are risk managers somewhat ineffective in influencing senior management? The questions are worth exploring, and here are some insights into the reasons for risk management failures.

1. Impact of Risk Attitude on Risk Management

The risk attitude of top management determines the success or failure of risk management. The paper – The Full Spectrum of Risk Attitude – By Alice Wonderwood and David Ingram – defines four risk attitudes – maximizer, conservator, pragmatist and manager. Briefly, these perspectives towards risk are:

a) Maximizers: They do not consider risk important and are willing to take large risks to increase profits.

b) Conservators: They consider risks extremely important and focus on avoiding all risks. Profitability opportunities are sacrificed if risks are high.

c) Pragmatists: They do not think that the future is predictable; hence they assume that risks cannot be forecasted with accuracy. They prefer to keep options open and deal with risks as they occur.

d) Managers: They balance risks and rewards. They respect expert advice on risk to maintain safety while exploiting upside risks to improve profitability.

The risk management strategies adopted by the four risk attitudes are risk trading, loss controlling, diversification and risk steering respectively. Hence, in a way, risk management will be effective when top management has the “Managers” risk attitude.

Table from the paper - The Full Spectrum of Risk Attitude

For example, if the economic environment is uncertain and the organization has a maximizer attitude towards risks, the probability of incurring large losses increases. The risk management decision rests with top management. Senior management with a high risk-taking attitude is likely to ignore risk managers’ advice. Therefore, even the best risk management functions can fail if the right attitude doesn’t exist at the senior level.

2. Inaccurate Risk Assessment and Measurement

In normal course, qualitative risk assessments are assumed to suffice. For example, risk managers identify high risks by likelihood of occurrence and value of loss. They generally group loss under five categories –

  • $0 – $10,000
  • $10,000 – $50,000
  • $50,000 – $100,000
  • $100,000 – $500,000
  • Greater than $500,000

However, in such cases the selection of estimated loss is not based on either past data or any detailed statistical analysis. The risk assessor’s subjective judgment comes into play. This results in incorrect measurement of known risks.

The Cornerstone Research paper mentions an interesting viewpoint. Normally risk predictions are done at certain confidence level. For example, risk managers take 99%, 95% or 90% confidence level for estimating losses. The value at risk is determined based on confidence level. Thus, if value at risk exceeds the risk appetite of the organization by a small amount, it may not be significant. However, if it exceeds risk appetite by a large amount, then it may destabilize or endanger the organization.

The problem is magnified, as the impact of a risk occurring outside of the confidence level is not calculated. For example, if assessments were done at a 95% confidence level, the loss amount for the remaining 5% is not known or predicted.

Another often ignored aspect is the correlation between risks and the impact on one if another occurs. For example, if a competitor files a patent case, it influences brand reputation. The impact may also be on sales. However, reputation, legal and operational risks are calculated independently, without analyzing their inter-relationships. This results in underestimation of risk loss. A combination of negative events occurring simultaneously may cause a larger loss, though the separate risk calculations indicate smaller losses.
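The two points above (losses beyond the confidence level are not measured, and correlated risks are assessed separately) can be worked through on the patent-case scenario. This is an added example, not taken from the article or the cited papers; every probability and loss amount in it is a constructed assumption.

```python
from itertools import product

# Constructed figures for the patent-case scenario (not from the article).
LOSS = {"legal": 300_000, "reputation": 400_000, "sales": 500_000}
P_LEGAL = 0.04                          # chance a competitor files a patent case
P_KNOCK_ON = {True: 0.80, False: 0.01}  # P(reputation or sales hit | case filed?)

def distribution(correlated):
    """Exact {total_loss: probability} over all 8 event combinations."""
    # Marginal chance of a knock-on event, as seen when each risk is assessed alone.
    marginal = P_LEGAL * P_KNOCK_ON[True] + (1 - P_LEGAL) * P_KNOCK_ON[False]
    dist = {}
    for legal, rep, sales in product([True, False], repeat=3):
        p_hit = P_KNOCK_ON[legal] if correlated else marginal
        prob = P_LEGAL if legal else 1 - P_LEGAL
        prob *= p_hit if rep else 1 - p_hit
        prob *= p_hit if sales else 1 - p_hit
        loss = (legal * LOSS["legal"] + rep * LOSS["reputation"]
                + sales * LOSS["sales"])
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist

def value_at_risk(dist, confidence=0.95):
    """Smallest loss L such that P(loss <= L) >= confidence."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence:
            return loss
    return max(dist)

def summary(correlated):
    dist = distribution(correlated)
    var95 = value_at_risk(dist)
    tail = {l: p for l, p in dist.items() if l > var95}
    return {
        "expected_loss": sum(l * p for l, p in dist.items()),
        "var95": var95,
        # Average loss in the scenarios the 95% figure leaves out.
        "mean_loss_beyond_var": sum(l * p for l, p in tail.items()) / sum(tail.values()),
        "p_all_three": dist[sum(LOSS.values())],
    }

if __name__ == "__main__":
    for label, flag in (("assessed independently", False), ("correlated", True)):
        print(label, {k: round(v, 4) for k, v in summary(flag).items()})
```

With these assumed inputs both views report the same expected loss and the same 95% value at risk of $400,000, yet the average loss beyond that level is about $535,000 when the risks are treated as independent and $940,800 once the correlation is modelled.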

Insufficient statistical analysis, unreliable past data and too much reliance on subjective information may result in inaccurate risk analysis. In such a situation, the risk attitude may be right, but the risk management may not be.

3. Lack of Risk Information and Knowledge

Risk assessments are done based on the knowledge of the assessor. Risk managers use historical precedents to guide them. The probability of a risk event occurring is decided based on past data.

In case of emerging and new risks, there is no information available. The lack of risk information may be due to the following reasons:

a) Change in market conditions – For example, when the internet became a business tool, no information was available on the risks. Most had not predicted the dotcom bubble burst.

b) Doing business in emerging markets – One cannot predict the risks of emerging market countries with accuracy, though economists and sociologists attempt to draw a relative picture from experience in other countries. For example, India and China are both emerging markets, but their political, social and market dynamics are unique. Future trends cannot be predicted with high confidence levels.

c) Internal silos and communication problems – Although it is assumed that with enterprise risk management systems all risks are captured, this is far from the truth. Department heads may not update risk registers properly. Secondly, even identified risks may not be communicated to senior management. In cases where the organization does not have a proper risk culture, failures can occur.

Collecting risk information and taking appropriate action is key to effectiveness in risk management. Without the supporting and governing structure, the best of the functions can fail.

Closing thoughts

Sometimes management has the mindset that setting up the risk management function sufficiently absolves them of responsibility. The thinking is that all risks are taken care of and addressed. However, setting up the risk organization structure is only the first step. To make it effective, there are several other components that need to work together smoothly. A periodic review of the same is useful. The Chinese proverb succinctly portrays the state:

“To be uncertain is to be uncomfortable, but to be certain is to be ridiculous.”


  1. Risk Management Failures – What are they and when do they happen? By Cornerstone Research
  2. The Full Spectrum of Risk Attitude – By Alice Wonderwood and David Ingram

3 comments on “Risk Management Failures”

  1. This is a very useful analysis.

    I think the heart of the problem is that those engaged in risk management are frequently viewed as negative. Good risk management is not about avoiding loss, but rather about enabling opportunity. It is about protecting optimal outcomes. But the common perception of the risk function is that it mostly identifies problems and then expects others to overcome them.

  2. Hi Sonia, I’d like to add a couple of points.

    Risk Management could use a good portion of expectation management. If someone seriously believes that nothing could ever go wrong since we have established an ERM function, they’d need a reality check. Not all existing risks will be discovered. Not all discovered risks will be mitigated. Not all mitigated risks will be eliminated.

    Also, I’d want to add that Risk Assessment should be done from a broad perspective and not be an individual exercise for an assessor. For example, when assessing cyber risk you’d want to have different expertise around the table: architecture, administrative, operations, security…

