
Manage Tomorrow's Surprises Today

Steven Minsky

Why Your Boss Doesn't Get Risk Management


[Image: ERM Report Bad Example]

There are a couple of common refrains we hear at LogicManager on a consistent basis. One is of particular concern to risk managers seeking to establish legitimacy and trust within their organization.

"My boss just doesn't get it."

The signs that you're in this boat are noteworthy. You're rarely questioned about the legitimacy of the data you've collected. Feedback is positive but nondescript (e.g. "We appreciate your work."). Your findings don't result in a change in direction, or worse, no one even asks for them.

The good news is that the ship has not sailed. There's still time to structure your program and present the results in a way that both educates and engages your leadership on the value of Risk Management. Below are three reasons your boss doesn't get risk management, and the steps you can take to satisfy their concerns.

You're Not Speaking Their Language

The language of ERM - mitigation, tolerance, risk appetite, etc. - isn't what's preventing your boss from understanding your data. The barrier is topical.

Your boss already has a host of concerns on their plate, and presenting a list of top 10 risks without context will result in nods of disengagement. Yes, your job is to identify new and emerging risks. But begin with today's concerns and demonstrate your value in providing transparency, intimate understanding, and potential solutions.

Don't report on cyber risk when your boss is concerned with talent retention. Rather, use your risk assessments, documented controls, and understanding of the enterprise to further your leadership's understanding of the problem. Who on the front line is affected by these issues? Who is having success handling them? What activities are in place or in process that might provide increased assurance over their concerns?

Your Reports are not Actionable

An unfortunate stereotype has emerged of the risk manager as a purveyor of the obvious, and risk managers enforce this stereotype by presenting high level, "fluffy" reports to their leadership. A top 10 risk report and pie chart of high, medium, and low risks might work in meeting 1, but will leave you with blank expressions and a lack of direction by meeting 2.

This means that you must have the flexibility and agility to aggregate data based on the concerns of your key stakeholders, and drill down when necessary to precise measures of success. A common example might be a high level report of your company's exposure to risk related to data privacy, accompanied by a more detailed report of the various activities, activity owners, and cost of the mitigation in place. Reporting based on categories or high level concerns is only meaningful if you can then walk through the more granular picture of how you arrived at the aggregate level.

You're Taking too Long

Many risk managers, unsure of what's expected of them and what their deliverables are, seek guidance through the creation of an ERM policy, charter, project plan or other procedural documents that effectively set expectations for their department. These kinds of documents provide a great deal of assurance for risk managers that they're meeting expectations, but add little value in addressing the concerns your boss has today.

Rather than put energy toward these governance activities, spend time creating value by engaging process owners in one of your company's strategic objectives. A common plan we recommend is to involve one "risk-friendly" business area in effectively mitigating the risks to a key strategic concern, and use that quick win to spur greater outreach. The results of your work not only provide immediate impact, but also clarify exactly what needs to be in your governing documents.

As risk managers, we've been given a job that few organizations fully understand and one that can be difficult to measure. LogicManager can help; request a no-obligation conversation with one of our ERM professionals.

Your boss doesn't get it because you're preaching fear, uncertainty, and doubt.

Perhaps a better strategy? Estimate annual losses to defined assets from likely (frequent) threats to determine risks. THEN determine what controls are necessary for mitigation. Never spend a dollar to protect a dime...THAT is "best practices" from a business perspective.

Risk = threat × vulnerability × cost

Thanks Alan, I think the concept of tying in costs to both mitigation and risks is exactly what we describe when appealing to risk managers for actionable reports. Your example is one of many ways to make that happen. I would however caution that very few individuals inside a company can think with a hard dollar value amount, so it might benefit risk managers to use qualitative criteria where appropriate (for example, HR risk).


I am a Quality professional and after decades in the industry can confidently say that the negative image attached to the Quality or Risk professional leads to their being ignored, or given a wide berth even by their own peers. There are enough risks, enough warnings one has given, only to have the system coolly ignore them. And privately they will murmur that 'this guy is paranoid about risks'. Until it happens and they all gang up together, find some innocuous reason that doesn't result in their getting blamed, and then fix it secretly.
It has happened so many times that it is very, very normal.


In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
