Tag Archives: risk management

2018-01-20 by: James Bone | Categories: Risk Management
Risk Trilogy: A Mechanic, an Artist, and a Scientist walk into a Pub

It is the dead of winter in a lovely little village along the coastline of southern Maine and a sudden Nor’easter pounds New England. To escape the cold and quench their thirst three solitary figures decide to seek refuge in the only Irish pub open that night. Each of these figures has arrived, serendipitously, within 15 minutes of one another and are beginning to warm themselves near the fireplace next to the bar.

As they settle in all three decide to share a pint or two and order food before they depart along their separate journeys. Not surprisingly, one pint leads to another and before long the conversation has traversed solving world events and inevitably leads to their work and avocation.

The first figure pipes up, “I am a mechanic! I have seven professional certifications and have been taught by master mechanics from around the world.” The second figure interjects, “That’s really interesting. I am an artist! I interpret the complex and make it simple for my audience to understand.” Without hesitation the third figure interrupts and exclaims, “I am a scientist! I research and explore the unknown.”

After several more pints of beer the conversation has grown even more verbose and an argument ensues. The artist asks the mechanic what types of mechanical repairs she solves, and the mechanic responds, “I am a risk mechanic! I have been certified in all varieties of risks, policies and procedures, and frameworks, and I speak regularly on the topic around the world.”

At this the scientist asks the artist, “What does it mean that you interpret the complex and make it simple for your audience?” The artist says, “I study how people make decisions and help them manage risks by redesigning their work to solve complex problems!” The mechanic then elbows the artist and asks the scientist, “Well, what do you study?” The scientist proudly explains that she is a researcher of complex risk phenomena. “I have eight patents on this topic.”

As the storm outside subsides, the bartender, having overheard the arguments, has decided his three patrons have had enough to drink for one night. The bartender proposes a bet and asks the three to solve a complex risk problem with the winner’s tab paid.

“Solve this riddle,” says the bartender. “What does a rich man crave but can never buy? We chase it but can never find it. What makes fools of us all?”


Do you know the answer?

2017-01-01 by: James Bone | Categories: Risk Management
Fear, Uncertainty, Confusion, Hope: Defining the “Risk” in Risk Management


“Never let the facts get in the way of a good argument”

Facts, or more precisely our understanding of facts or the truth, have become more transient in the information age. Or have they? The Internet has radically changed how we access information in ways that few appear to challenge or even understand. Today, anyone can Google a fact, story or news event about any topic imaginable and “learn” about it instantly with only a few keystrokes. We are bombarded with opinion pieces, rumors, false news stories and innuendo, and few of us bother to check the validity of the stories. In fact, depending on the viewer of said data, the facts are easily dismissed when the “information” disagrees with one’s views or beliefs about the topic. So the question here is, “has the information age inhibited critical thinking?” Risk managers are not immune to these same biases, and the implications may help explain why risk management is at risk of failing.

It turns out that the definition of “truth” does not answer the question of what a truth really is. Here are a few examples. Merriam-Webster states that truth is “sincerity in action, character, and utterance”; or “the state of being the case: a fact”; or “the body of real things, events, and facts”; or “a transcendent fundamental or spiritual reality”; or “a judgment, proposition, or idea that is true or accepted as true”; or, my favorite, “the body of true statements and propositions.” Dictionary.com has 10 different definitions, each in contrast with Merriam-Webster. In other words, truth is what we believe it is. You know you are in trouble when truth and transcendental or spiritual reality are used in the same definition. Apparently we have no idea what a truth is, or we are simply more confused than ever as we get bombarded with different truths.

But why is this important for risk professionals? If the truth changes based on evolving norms, opinions, perceptions and biases, how does a risk professional manage emerging risks in an environment where a variance from the old truths conflicts with new truths? Operating models change as new leadership dictates its view on old operating models, so risk professionals must ask how to assess these new risks. What was once indisputable no longer applies, and old assumptions are considered impediments to progress. Or are they?

In the age of Big Data corporations are in search of the truth in customer behavior, buying preferences, and managing the risk of strategic plans. However, even with the assistance of advanced analytics we are more “archaeologists” than true scientists. Archaeologists apply a body of knowledge and a great deal of conjecture in constructing their view of the past. Each new discovery has the potential to disrupt or partially validate assumptions in our belief about what ancient civilizations or animals were really like. We don’t have enough information to confirm these conjectures, but we believe them as long as no data contradicts them. This is the crude method by which humans learn, through trial and error. If something is proven to work reasonably well over time it becomes the truth. If it fails miserably, it is considered not to be the truth. But we know from scientific experiments that truth can be derived from failures, even massive failures like the space shuttle catastrophe or major battles in war. We “learn” from mistakes and vow never to repeat them.

The truth is we seldom, if ever, have perfect information.  Imperfect information is uncertainty NOT a risk.  Risk is a known quantity.  It can be measured and we know to avoid it or accept it and that is why we call it a risk.  The failure in risk management is not knowing the difference.  Fear, confusion, and hope are signs of uncertainty and are emotional signals that we have crossed the Rubicon of not knowing whether the outcomes will result in losses or gains.  This is when risk managers become archaeologists.  Archaeological risk managers try to develop stories from past experience and imperfect information to describe the new truths using old methods.  This happens in every industry from insurance to financial services and beyond and partly explains why we miss really big emerging risks until a “learning” experience teaches us what a risk really looks like.

Fear, confusion and hope are natural responses in our primitive brain of “Fight vs Flight” mechanisms of survival.  These emotional responses are also signals that we must tread lightly, gather information gradually and take measured risks without betting the farm on a new shiny thing that may be a train coming through the tunnel of darkness.

How can risk professionals avoid the freight train? Don’t be afraid to say you don’t know. When worry, fear, and confusion permeate communications, that is a signal a freight train may be barreling down the tracks. Instead you must use this time to understand what you know and separate it from what you don’t know. Understanding the difference is critical because it gives risk managers direction to gather information, perform advanced assessments and draw definable boundaries where risks may be lurking. It is also important to understand that huge potential is the other side of uncertainty. Big rewards can be found when uncertainty is at its highest level; however, risk professionals must have a measured approach to understanding the upside of uncertainty.

This is not the time to follow the crowd.

The upside of uncertainty requires risk managers to seek opportunity where others are fleeing or cannot see how the change in the new rules may benefit organizations poised to leverage change.  What risk professionals must avoid during uncertainty is becoming archaeologists.  Old methods may help to tell a compelling story but the real risks and upside to uncertainty will be lost as the new rules obscure what the truth really is.

2016-03-20 by: James Bone | Categories: Risk Management
“Outrageous Compliance” Series

This series of articles is an irreverent “tongue-in-cheek” look at the serious business of risk management and compliance and the lack of scientific rigor dressed up in charts and graphs that have an appearance of legitimacy but tell us little about risks.
First of all, let me say that risk management and compliance are important functions and deserve to be taken as seriously as any other discipline in business and government to ensure efficient operational outcomes. My aim in these articles is to point out where many firms diverge from serious risk management into the realm of mystery cloaked as rigor.

My first victim – Risk & Compliance Self-Assessments!

Risk & Compliance Self-Assessments (RCSA) have become a handy tool to communicate to management, regulators and others that an organization has conducted an analysis of their risks to understand both the severity and likelihood of event occurrence. Each risk category is highlighted with its own color coordinated assessment based on a “Table Top” exercise where subject matter experts participate in a facilitated session to list these risks and assign Severity and Probability based on nothing more than memory!

I can’t remember what I ate for dinner three weeks ago; should I trust my memory to document the threat level of risks to an organization based on recall? Yes, experience matters, and yes, experts in their field do have important contributions to make regarding the risks they experience doing their jobs. However, what does this chart really tell us about risk? The answer is very little!

Of course, we all understand that RCSAs are subjective but the “risk” in risk self-assessments is the false sense of security we place in believing these exercises are really a representation of risk exposures in an organization. They are not and here is why!

Statistically speaking risks tend to have a shape. In some cases the shape of risk is a normal curve, in other cases the shape may be skewed to the right or left, but in a RCSA the shape of risk is uniform. Each risk, with slight variation, looks exactly like this chart above. Intuitively, we understand that risks are not uniform but we never question charts and graphs that look like some effort went into producing the results.

Secondly, these charts lack the benefit of the law of large numbers. You might be surprised to learn that risk management is based on scientific laws of statistical analysis. The RCSA is flawed because it’s based on a small sampling of data (your memory) that is inherently biased toward recent events that are easy to recall and not representative of the frequencies found in a large stochastic database of risk events. What does stochastic mean? A stochastic process is one involving a randomly determined sequence of observations, each of which is considered a sample of one element from a probability distribution. In other words, if you are not using a stochastic process for measuring risk you are guessing!

While sitting in a conference with professional risk managers from a range of industries, I asked my fellow participant how he managed risk and if he used a system to facilitate the process. His answer did not surprise me. He jokingly said, “Yes, I use a system. It’s called Excel.” Each year he conducts a table top exercise with senior management where they list their Top 20 risks and fill in their assessment of each risk. He laughed and said he is the Wizard behind the curtain who controls the process. Once the exercise is completed an entire year goes by before the Wizard unlocks his Excel file for another year’s list to be documented.

If your risk management program looks like this you are practicing Outrageous Compliance! Unfortunately, many risk professionals are taught to perform this exercise because it is easy to do and senior management feels a false sense of security in the process. By the way, show this exercise to your board of directors, internal or external auditors as well as regulators, and no one will challenge you or the process to understand what it says about your risk profile. The process appears to be rigorous, much like the Wizard of Oz, who fears that Toto may someday pull back the curtain to unveil the truth.

RCSAs have some value as a tool for understanding the risks subject matter experts deal with on a daily basis. These tools are a great starting point, not the conclusion, from which you should begin to develop a stochastic database of risk events. Which brings us to the last point about Outrageous Compliance, the risk repository.

A Risk Repository represents a third flaw in thinking about risks. Capturing risks in a risk repository is called a Deterministic model. A Deterministic model is one in which every set of variable states is uniquely determined by parameters in the model and by sets of previous states of these variables; therefore, a deterministic model always performs the same way for a given set of initial conditions. Conversely, in a stochastic model—usually called a “statistical model”—randomness is present, and variable states are not described by unique values, but rather by probability distributions.

Why is this wrong? When developing deterministic models (risk repository) you predetermine the outcome. Lots of organizations make this mistake including insurance actuary models, financial analysts on Wall Street, medical researchers and risk professionals in many organizations. The reality is that all models are wrong but some models are useful! Understanding how to develop useful risk assessment models takes time and patience but knowing the difference
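The two contrasts drawn above, an RCSA cell versus the shape of a loss distribution, and a deterministic model versus a stochastic one, can be seen directly in code. The following is an added example written for this page, not code from the post or from any tool it mentions. It assumes one hypothetical operational-risk category whose event frequency is Poisson and whose per-event severity is lognormal (both constructed parameters); it then shows that the RCSA score is a single fixed number, that the simulated annual loss is right-skewed rather than uniform, and that an estimate built from three years of "memory" has a far larger sampling error than one built from a long history.

```python
from __future__ import annotations

import math
import random
import statistics

# Constructed parameters for one hypothetical risk category.
# Nothing here comes from the post; the numbers are illustrative assumptions.
EVENTS_PER_YEAR = 2.0        # Poisson frequency of loss events
SEVERITY_MEDIAN = 100_000.0  # lognormal median loss per event (dollars)
SEVERITY_SIGMA = 1.0         # lognormal shape parameter (drives the right skew)


def rcsa_score(likelihood: int, severity: int) -> int:
    """Deterministic RCSA cell: a 1-5 likelihood times a 1-5 severity.

    Given the same two inputs it always returns the same number. No
    distribution, no tail and no sampling error is represented."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("RCSA scales run 1-5")
    return likelihood * severity


def poisson(rate: float, rng: random.Random) -> int:
    """Draw one year's event count (Knuth's method; the stdlib has no Poisson)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(years: int, seed: int,
                           rate: float = EVENTS_PER_YEAR,
                           median: float = SEVERITY_MEDIAN,
                           sigma: float = SEVERITY_SIGMA) -> list[float]:
    """Stochastic model: each year's loss is the sum of a random number of
    events, each event's severity drawn from a lognormal distribution."""
    rng = random.Random(seed)
    mu = math.log(median)  # lognormal parameter giving the requested median
    losses = []
    for _ in range(years):
        n_events = poisson(rate, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of values."""
    ordered = sorted(values)
    k = max(0, min(len(ordered) - 1, math.ceil(p / 100 * len(ordered)) - 1))
    return ordered[k]


def summarize(losses: list[float]) -> dict[str, float]:
    """The quantities a stochastic loss model yields that an RCSA score cannot.
    A mean well above the median is the signature of a right-skewed shape."""
    return {
        "mean": statistics.fmean(losses),
        "median": statistics.median(losses),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
    }


def estimate_spread(years_recalled: int, trials: int, seed: int) -> float:
    """Coefficient of variation of the estimated mean annual loss when the
    estimate is built from only `years_recalled` years of history, repeated
    over `trials` independent histories. A large spread means the law of
    large numbers has not kicked in, which is the RCSA-from-memory situation."""
    means = [statistics.fmean(simulate_annual_losses(years_recalled, seed + t))
             for t in range(trials)]
    return statistics.pstdev(means) / statistics.fmean(means)


if __name__ == "__main__":
    print("RCSA cell (likelihood 3 x severity 4):", rcsa_score(3, 4))
    for name, value in summarize(simulate_annual_losses(10_000, seed=1)).items():
        print(f"{name:>6}: {value:>14,.0f}")
    print("spread of the estimate from 3 years of memory:",
          round(estimate_spread(3, 200, seed=100), 2))
    print("spread of the estimate from 1,000 years of data:",
          round(estimate_spread(1_000, 50, seed=900), 2))
```

Running it shows the point of the post in numbers: the RCSA cell is always 12, while the simulated category has a median loss well below its mean and a 99th percentile several times the median, and the three-year estimate wanders by a large fraction of its own value where the thousand-year estimate barely moves.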

2015-10-29 by: James Bone | Categories: Risk Management
Risk in review: Decoding uncertainty; delivering value – PwC


Our senses are an early-warning system that keeps us alive in a world of constant risk.  Those who attune their senses to  their environment are armed to succeed. Those who don’t might not survive. It’s the same in business: Companies that treat risk management strategically are arming themselves with the knowledge to make efficient and well-informed business decisions—anticipating and mitigating risk, seizing opportunities, and enabling better overall business
This year’s PwC Risk in Review survey gained insights from 1,229 senior executives and board members from around the world, including 82 from Canada. Of these global respondents, 73% agreed that risks to their companies are increasing, compared to 63% of Canadian respondents

2015-09-22 by: James Bone | Categories: Risk Management
Volkswagen – The Cost of Deception

“We screwed up.” Michael Horn, head of VW’s US operations, offered a stark apology and admission of cheating on diesel emissions. “Our company was dishonest with the EPA, and the California Air Resources Board and with all of you” was the confession offered by Mr. Horn during a press conference to discuss the now explosive findings of devices added to their cars to fake the appearance of passing emissions tests. The scandal, like most acts of deception, will widen into a predictable pattern of lost public trust, stock price declines, calls for the resignation of senior management, as well as regulatory fines and legal action that may exceed 20% of the value of the firm, in some estimates.

Is deception worth the risk? The answer may surprise you! It may be easy to condemn Volkswagen, as many will in judging the firm’s actions, but should we rush to judgment so quickly? Jonah Lehrer, author of “How We Decide”, discusses the “Uses of Reason” and how rational people placed in specific circumstances can lose perspective and make irrational decisions. The shortened version of the story: In 1949 in the grassy highlands of Montana, firefighters had been called in to fight what was described as a minor brush fire. Mann Gulch was wedged between the pine trees of the Rocky Mountains and the grasslands of the Great Plains.

The fire, which began in the Rockies, had grown out of control by the time the firefighters reached the gulch. The small crew of smokejumpers was inexperienced and had no map of the terrain, but had moved down toward the Missouri River in case things got out of hand. Suddenly the winds changed course and began pushing the fire toward the men. As the men rapidly retreated down the gulch it became obvious the fire was moving faster than they could run. Then a remarkable thing happened: the leader of the firefighters ordered the men to stop running from the fire and set fires where they stood. Unfortunately, the other firefighters either didn’t hear the command or decided the thought of facing sure immolation was too much, and kept running. The captain of the firefighters survived while his men died in the rushing firestorm.

Caught up in the sheer panic of the moment, the firefighters experienced what is known as “perceptual narrowing”. The problem with panic is that it narrows one’s thoughts. Panic reduces awareness to the most essential facts, the most basic instincts, with survival being the strongest of these instincts.

What does fighting fires have to do with Volkswagen?

Decision making under pressure in the face of uncertainty is one of the biggest risks faced by all organizations. Decision failures such as the one experienced by Volkswagen are the most costly of all the risks organizations experience. If you add up all of the internal control failures, audit failures and operational risk failures, none exceeds the loss of credibility, stock value or public trust caused by an act of deception. The very survival of Volkswagen is now being questioned by some in the media. What could have led to Volkswagen’s perceptual narrowing event?

Volkswagen had built an assembly plant in Chattanooga, Tennessee and had plans to invest $7 billion to revamp its family of Passat diesel model cars. Volkswagen’s Passat was losing market share to Toyota and couldn’t keep up with the model revamps of its competitors. Volkswagen had set a goal of overtaking Toyota by 2018 but instead lost 10% share in 2014 and was down 16% year to date in August of this year. In other words, panic had set in.

There is no justifiable excuse for deception but the rush to judgment should be muted with a sense of humility. Small deceptions happen at many firms with the same level of acceptance that appears to have been pervasive at Volkswagen. Price deception, new product launches with known defects and financial products with hidden fees are just a few examples of deceptive practice that are passed as justifiable business decisions to achieve higher sales goals or justify stock options and bonuses. “Others are doing it why can’t we?”

Much will be made of Volkswagen’s deceit, and many were complicit in devising, installing, inspecting, auditing and accounting for the deceptive devices and executing such a massive fraud. However, instead of pointing fingers, Volkswagen should be used as an opportunity for discussion in board rooms, executive suites, risk management, auditing departments, and on the shop floor. Deception, no matter its size, sends a signal to the entire organization about what you really value.

2015-08-31 by: James Bone | Categories: Risk Management
The Myths of Risk Management – “Risk Man, Super Hero”

“Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.[2]”

If you enter risk management into your favorite search engine of choice you will receive literally hundreds of variations on the definition of risk management. The definition above goes on to explain that risk management consists of, “Strategies to manage threats (uncertainties with negative consequences) typically include transferring the threat to another party, avoiding the threat, reducing the negative effect or probability of the threat, or even accepting some or all of the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).”

If you take this and the hundreds (and growing) of definitions of risk management literally you would think that we are describing the actions of a mythical super hero with the powers to conquer our biggest villain, The Unknown! Imagine the costume of the super hero, Risk Man! Risk Man (or Risk Woman) does not wear tights or a cape, no Risk Man wears business attire and business casual on Fridays during the summer.

What are the super powers of Risk Man? Risk Man can see the villain, The Unknown, before it happens and can deflect negative consequences off Risk Man’s three piece suit while saving your firm from …. from …. some really bad things happening to your business goals?

Risk Man has one weakness, Hubris! Risk Man is not the only super hero who suffered from hubris. In the 19th century, Economists suffered the same weakness in the development of the theory “homo economicus”. Never heard of homo economicus? It is the concept in many economic theories (see they suffered from multiple definitions as well) portraying humans as consistently rational and narrowly self-interested agents who usually pursue their subjectively-defined ends optimally.

The definition has a familiar ring to it, doesn’t it? Homo Economicus was the Super Hero of its day until reality caught up with the myth of the all-knowing human who takes the most optimal path to economic outcomes. Unfortunately, Homo Economicus was defeated by man’s weakness, Hubris. We have learned that businesses fail, sub-optimal activities persist, and we need technology to help us make decisions. Yet the myth of Homo Economicus continues today because we do not learn the lessons of the past very well. We believe that we have developed new super heroes to protect us from Hubris.

Hubris may be the most cunning of the weaknesses suffered by our super heroes! Whenever we develop new technologies, like social media, data analytics, and risk management we believe that we are covering new ground. As these new technologies become norms in society we depend on the individuals who practice these dark arts because they are new or cool to talk about. Very smart people fail to question the efficacy of the promises offered of easy solutions or lofty expectations for better outcomes. No proof is requested and no proofs are presented.

Hubris allows us to believe the stories we create for our super hero status until reality reveals the truth. This is what happened to early economic theory but it took almost 100 years to disprove! A well-earned belief is not deterred by the cold hard facts of evidence.

To be fair, almost every scientific and human advancement had to experience some form of hubris to push mankind forward. Fortunately, a relatively small number of individuals are actually responsible for recognizing our flaws in thinking to overcome hubris. Albert Einstein had to overcome some of the early work in Newton’s Theories before the Theory of Relativity was proved. So how do we combat Hubris? With Humility! The Anti-Villain weapon of choice!

We must admit that risk management cannot possibly achieve all that is promised in the varied definitions that exist. If that were true there would be no recessions, no failed businesses, no stock market collapse and no excitement in the world as we know it today. Risk Man would rule the world, own all wealth and decide the fate of mankind?

Risk Management is a serious function that should be given respect in every organization. However, to earn that respect risk management must become more humble in its abilities to defeat the forces of the real villain, The Unknown!

2013-06-12 by: James Bone | Categories: Risk Management
Decision Risk

“Some changes are foreseen and some are not, the laws of some are tolerably accurately known, of others hardly at all; and the variation in foreknowledge makes it clearly indispensable to separate its effects from those of change as such if any real understanding of the elements of the situation is to be attained.”

Quote from Professor J.B. Clark’s dynamic theory of distribution, in Frank H. Knight, “Risk, Uncertainty, and Profit”

Human activity whether in business or life involves decision making in order to accomplish the personal or business outcomes we seek.  However, we may underestimate the process of decision making in how we think about risk management. 

Recently McKinsey & Co. published an article on Human Risk based on research conducted by partners Alexis Krivkovich and Cindy Levy. The McKinsey study looked at how companies have responded to the financial crisis and the changes made to strengthen corporate culture. The McKinsey data identified characteristics of a strong risk culture.

Key characteristics for a strong risk culture:

  • Responsive and pro-active risk management function
  • Acknowledge risk and plan accordingly
  • Encourage transparent communications about risk
  • Encourage a healthy respect for risk and internal controls
  • Be patient as the culture changes
  • Build consensus on culture
  • Create a sustainable process

It would be hard to argue with any of these findings, and most risk professionals would say the characteristics are self-evident. The study, while instructive, leaves several questions unanswered. What does this have to do with Human Risk? How does the firm begin to make the desired change to adopt these characteristics? The study also doesn’t tell us whether the firms with these characteristics are the exception, or how far each firm got in implementing each characteristic successfully.

In the 19th century, when the early thinking on risk and uncertainty was being formalized, risk-taking was separated from entrepreneurial endeavors. Only capitalists were considered to take risks, while business owners made profits. Today’s definition of risk is broader and in many respects more complex and confused. It is the nature of risk taking, or how we become risk takers or risk averse, that allows us to deal with Human Risk.

Modern business leaders must make a variety of trade-offs regarding the risks they will assume or tolerate in achieving today’s fast paced and conflicting goals.  In today’s economic environment where resources are limited and failure is not tolerated human risk becomes very personal. 

As a result of ground breaking work done by behavioral psychologists and economists we understand that how we choose between risky ventures is a result of professional expertise as well as biases and heuristics that can lead us astray.  Decision making under uncertain conditions is the key human risk that must be better understood and incorporated into risk practice. 

New technology has begun to address the issue of uncertainty using data analytics; the harder challenge for risk professionals is to consider how to include decision risk in their practice.

As Professor Clark predicted at the turn of the 20th century, “Some changes are foreseen and some are not, the laws of some are tolerably accurately known, of others hardly at all; and the variation in foreknowledge makes it clearly indispensable to separate its effects from those of change as such if any real understanding of the elements of the situation is to be attained.”

TheGRCBlueBook mission is to become a global risk and compliance community site and resource portal for sharing best practice across all highly regulated industries.  A one stop source for all things risk and compliance related.

2013-05-29 by: James Bone | Categories: Risk Management
Cat Bonds: Managing event risk

The 100-year natural disaster that no one expects to happen appears to have become a more frequent event, at least in the most recent time frame. From Hurricane Katrina, earthquakes in Japan and Haiti, to the most recent F5 tornadoes in Oklahoma, Mother Earth appears to be under attack by Mother Nature.

Oklahoma’s damage has been conservatively estimated at $2 billion, and that doesn’t seem to come close to the disruption in business and life that results from such a massively destructive storm. Most of us cannot even imagine living through and recovering from the floods, wind and storm damage left by nature’s forces, but increasingly business must consider the possibility. This is where cat bonds come into play.

Catastrophe bonds are an example of insurance securitization: risk-linked securities that transfer a specific set of risks (generally catastrophe and natural disaster risks) from an issuer or sponsor to investors. Like other derivatives, the terms used to create cat bonds must be negotiated to define the triggers, based on specified losses, that cause the bond to pay out.
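To make the trigger mechanics concrete, here is an added example written for this page; it is not code from the post and does not model any real cat bond. It assumes a common indemnity-style layer in which investor principal erodes linearly once the sponsor’s cumulative covered loss passes an attachment point and is fully consumed at an exhaustion point; the principal, attachment, exhaustion, coupon rate and the loss history are all constructed numbers in USD millions.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CatBondLayer:
    """Assumed layer terms for a hypothetical cat bond (USD millions)."""
    principal: float     # investor capital at risk
    attachment: float    # cumulative covered loss at which principal starts to erode
    exhaustion: float    # cumulative covered loss at which principal is fully consumed
    coupon_rate: float   # annual coupon paid on principal still outstanding

    def __post_init__(self) -> None:
        if not (0 <= self.attachment < self.exhaustion):
            raise ValueError("attachment must be non-negative and below exhaustion")
        if self.principal <= 0:
            raise ValueError("principal must be positive")

    def principal_reduction(self, cumulative_loss: float) -> float:
        """Indemnity trigger: how much principal the sponsor may claim once
        cumulative covered losses reach `cumulative_loss`.

        Below the attachment point nothing is triggered; between attachment
        and exhaustion the claim grows linearly; above exhaustion the whole
        principal is gone."""
        if cumulative_loss <= self.attachment:
            return 0.0
        width = self.exhaustion - self.attachment
        fraction = min(1.0, (cumulative_loss - self.attachment) / width)
        return self.principal * fraction


def settle(layer: CatBondLayer, annual_losses: list[float]) -> dict[str, float]:
    """Walk the bond term year by year with an aggregate (term-cumulative)
    trigger. Returns what investors keep, what they earned in coupons and
    what the sponsor recovered. Constructed settlement rules, not any
    actual bond's documentation."""
    remaining = layer.principal
    coupons_paid = 0.0
    sponsor_recovery = 0.0
    cumulative = 0.0
    for loss in annual_losses:
        if loss < 0:
            raise ValueError("losses cannot be negative")
        # Coupon accrues on the principal outstanding at the start of the year.
        coupons_paid += remaining * layer.coupon_rate
        cumulative += loss
        # Only the increase in the triggered amount is paid out this year.
        already_claimed = layer.principal - remaining
        payout = layer.principal_reduction(cumulative) - already_claimed
        sponsor_recovery += payout
        remaining -= payout
    return {
        "principal_returned": remaining,
        "coupons_paid": coupons_paid,
        "sponsor_recovery": sponsor_recovery,
    }


if __name__ == "__main__":
    # Constructed terms: $500M principal covering the $1.0B-$1.5B loss layer.
    layer = CatBondLayer(principal=500.0, attachment=1000.0,
                         exhaustion=1500.0, coupon_rate=0.08)
    quiet_term = [100.0, 50.0, 0.0]       # no year pushes losses past attachment
    stormy_term = [300.0, 900.0, 200.0]   # cumulative losses cross into the layer
    print("quiet term :", settle(layer, quiet_term))
    print("stormy term:", settle(layer, stormy_term))
```

The quiet term returns the full principal plus three years of coupons and the sponsor recovers nothing; in the stormy term the cumulative loss reaches $1.2B in year two and $1.4B in year three, so the sponsor recovers $200M each of those years, investors get back $100M of the $500M, and the year-three coupon is paid only on the $300M still outstanding. The negotiation the paragraph describes is exactly the choice of the attachment and exhaustion figures and of what counts as a covered loss.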

Cat bonds have been around since the 1990s but have not taken off broadly as a risk transfer tool. As property and casualty insurance rates accelerate due to increased risk exposure, the lower cost of cat bonds may rekindle interest in these products to mitigate event risk.

Robert Shiller, of the Case-Shiller Index and Professor of Economics at Yale University, has long been an advocate for creating new risk tools to manage a variety of risks that impact our homes, livelihoods, and even the income of countries. None of these ideas have resulted in markets for pools of risk outside of insurance, options exchanges, or credit markets…so far!

As the cost and frequency of tail events increase, they may prompt new and more creative solutions to recover from catastrophe. Imagine a diversified pool of risk traded on an exchange, used as a hedge, or even originated by corporations or industries to manage a variety of business risks.

Turning risk into opportunity: an exciting new approach to managing risk and adding value!

2013-05-28 by: James Bone | Categories: Risk Management
Aligning strategic value with risk management

The vision of risk management contributing as a strategic partner in the executive suite has long been a dream of most serious risk professionals, and now that vision may be coming into focus. Senior managers now view risk managers as strategic partners in the execution of corporate objectives by assessing and identifying key risks resulting from strategic plans. That’s the good news!

However, according to a study by Marsh and RIMS “only 15% of the risk professionals and 20% of the C-Suite respondents said the risk manager is a full member of the strategic planning and/or execution teams, suggesting that risk management has yet to be fully integrated strategically.”

The study does not attempt to explain why risk managers have not made the leap to equal partners in guiding the organization to successful outcomes, but one key factor may be the relevance of the risk information brought to the table.  This raises the question: what defines strategic value in risk terms?  Increasingly the answer is data and the analysis of the risks impacting an organization.

It is hard to argue with the collective wisdom that is forming around the quest for a better understanding of data and developing better techniques for the analysis of data.  Senior management has begun to define the value proposition in the form of data analytics; therefore risk management must be responsive to these expectations.

The problem, or challenge, with these surveys is the generic use of the term data analytics and the lack of specificity regarding what firms expect.

Blindly conducting fishing expeditions for the sake of “doing” risk management may backfire and not produce the results firms are seeking.  Many obvious risks are lying around in plain view needing attention but are ignored because there is no systematic approach to investing in risk mitigation.  Other risks are the unknown risks inherent in the uncertainty of launching a new and unproven initiative or line of business.

What appears to be missing is a clear and balanced approach to risk management with a focus on setting the context for discussing risks and the tools that should be employed to understand and address risks.  Risk management is not a science project where data analysis alone will uncover some universal truth.  Good risk management is the implementation of a clear baseline from which to judge changes in the environment that may create risks and opportunities alike. 

Risk, in all its forms, evolves as the business environment evolves, requiring senior management and the risk manager to think about risk as a natural byproduct of business objectives.  Risk practice, no matter how quantitatively proficient, will not eliminate risk.  Therefore, risk management should be perceived as a learning process informed by data and adjusted in response to new information as it becomes available.

When everyone understands that risk management is a process, like all good business processes, risk managers will have earned their place in the executive suite with other senior managers.


2013-05-25 by: James Bone Categories: Risk Management Standard and Poors grade Corporate Governance: Only 6% get an A


As of May 2013, Standard & Poor’s has completed its evaluation of non-financial firm management and governance factors for 2,190 publicly and privately rated North American companies, and the results are dismal.  S&P has also assigned a global score to 3,868 firms, with only 8% receiving its highest rating.

“Standard & Poor’s uses the management and governance scores to modify its evaluation of an enterprise business risk profile, a key component of its credit rating.”  S&P’s methodology uses 15 criteria for evaluating corporate governance across five categories.

The categories include:

  • Management, which includes:

    • Strategic positioning,

    • Risk management/financial management, and

    • Organizational effectiveness; and

  • Governance

“The Management and Governance criteria for nonfinancial companies consist of eight management subfactors and seven governance subfactors. Depending on how an entity scores along these subfactor dimensions, S&P issues one of four scores: strong, satisfactory, fair, and weak.”

6% of firms scored “Strong”

26% of firms scored “Satisfactory”

65% of firms scored “Fair”

3% of firms scored “Weak”

In its May 13, 2013 press release, S&P disclosed the names of those companies that received a “Strong” or “Weak” designation; see the list in that release.
