Latest Blog

In the novel Time and Again by Jack Finney, he writes about Einstein’s theory of time travel this way: “we’re mistaken in our conception of what the past, present, and future really are. We think the past is gone, the future hasn’t happened, and that only the present exists. Because the present is all we can see. It’s only natural. (Einstein) said we’re like people in a boat without oars drifting along a winding river. Around us we see only the present. We can’t see the past, back in the bends and curves behind us. But, it’s there.”

Since risk management is about predicting the impact and likelihood of future events, I will borrow Einstein’s river analogy to explain.

As the risk manager drifts forward along the river she knows that there is something around the bend. But what is it? If she is observant enough to see small rocks in the river right now, she can use that knowledge to predict that there may be larger ones around the bend. And if she watched too many cartoons as a kid there is a good chance that a giant waterfall may be around the bend and she will plunge to her death. Or there may be no peril at all. She won’t know until she knows.

Any auditor with a cheap pair of hiking boots and some rope can tie up the boat and walk back to a bend in the river to see the past; but to be a great risk manager one needs to be able to imagine the endless possibilities of hazards around the forward bends and ensure one is prepared for all of them.

Pick your risk manager carefully and don’t presume just because someone with boots can walk to the past they are qualified to drift into the imaginable future.



In celebration of La Fête Nationale, Bastille Day, on July 14, here is an example of some poor risk management on the part of the British.

The late historian Robert Sobel once noted that the “British created a civil service job in 1803 calling for a man to stand on the Cliffs of Dover with a spyglass. He was supposed to ring a bell if he saw Napoleon coming. The job was abolished in 1945.”

Since the “short dead dude” died in 1821 I find it incredibly unlikely that this risk would manifest itself between 1822 and 1945. Napoleon was not coming.

Make sure to spend your time and money on the important risks. A guy on a cliff is just silly.


There’s an old joke about two campers that are awakened by a hungry bear. The first guy yells ‘run’ but the second guy stops to put on his running shoes first. The first guy asks if his companion really thinks that the shoes will help him outrun the bear. To which the second guy replies, ‘no, I just have to outrun you’.

Sometimes risk management is the same way. You don’t have to have the best risk management system, just one better relative to the next guy.

One of the hardest parts in documenting your risks is figuring out the root cause of the risk being analyzed. If this is done poorly, we will spend time and money treating the wrong root causes and the risk may only get worse.

Take the Great Plague of 1665 that killed 1/6 of London’s population. It was believed that dogs and cats harboured the plague so the Mayor had hundreds of thousands of dogs and cats exterminated. As it turned out, rats and mice carried the fleas that carried the disease (that bit the humans). With their natural predators extinct, the rats and mice population grew and the disease multiplied exponentially. Huh.

So think about those root causes.

If there are two things you have noticed about this blog, they are that I often write about zombies and the Moment of Risk Enlightenment. Today’s post combines both.

(Note: This post contains spoilers about season two of the Walking Dead.)

I was catching up on season two of the “post-apocalyptic” television show The Walking Dead this week. In episode seven the survivors learn that the Greene family barn is full of walkers (zombies). Up to this point the farm represented a safe haven; they had not seen any walkers on the farm since they arrived. Impact and likelihood were low. But was it?

As guests on the Greene farm for some time they were completely unaware that the walkers were locked in a barn 100 yards away, but once they experienced their Moment of Risk Enlightenment they felt: impact catastrophic and likelihood extremely likely.

Inherent risk didn’t actually change; only their perception changed once they became aware that the only thing between them and death was a few padlocks and a fence.

Always try to assess your risks accurately and objectively. Try to keep emotion out of it to ensure they are properly prioritized.

There’s a nail in the tire of my wife’s car. Rear driver side. Fat head pushed all the way in. It caught her eye on the weekend by accident while the car sat in the driveway. Tire pressure appears normal.

Is this a risk? Since getting a flat tire could cause her to fail to meet her objectives – driving to work – then yes it is a risk.

Did the risk just happen? Of course not. Every one of us is at risk of getting a flat tire at all times.

If the risk did not just happen then did impact or likelihood just change? Not really. Only our perception of the likelihood of a flat tire changed or what I call the “Moment of Risk Enlightenment”. The tire may have gotten punctured days, weeks or months ago but since we now know about this nail (identify) we have to assess and treat. This is the responsible thing. Ignore is not a step in the framework.

While some people may believe they have to repair or replace the tire immediately, as risk treatments go, we choose to accept the risk and do nothing. Fortunately, this Chevy Traverse comes equipped with a risk dashboard (literally): a real-time tire pressure monitoring device. We will continue to monitor the pressure until the gauge displays a pressure value which exceeds our risk tolerance at which time we will decide on a suitable treatment.

Don’t forget that enterprise risk management is merely a tool to help you prioritize your risks. One doesn’t have to mitigate everything all the time nor should we be distracted by benign risks that just pop up at the expense of the risks where we are currently focusing our efforts and resources.


AUGUST 2012 UPDATE: So I finally took the car in for maintenance and had the GM guy look at the tire. Despite the appearance of a screw, the tire never lost pressure or anything. Seems it was a shallow screw that never really punctured the rubber completely. It looked like a threat but really was not. Good thing I did not spend any time and money replacing the tire. 


Yesterday I wrote about a white paper “Black Swans Turn Grey” from PwC. Here’s a footnote to that post.

I had a good chuckle when I read about these “new black swan risks”. The authors suggest that all these unknown unknowns and unpredictable events are happening more frequently these days. This of course is not true.

We are seeing the same sort of thing in the NHL with respect to concussions. For the longest time players have been getting concussions; the only difference is that now more players, coaches and people in the media are paying attention to them. Whereas a player might have been undiagnosed and complained about headaches 20 years ago, today the league is taking it more seriously. Same goes for these black swan risks.

I imagine people are having one of those moments like in the film Field of Dreams where Timothy Busfield’s character suddenly sees the dead baseball players and asks how long they have been there. Truth was the players were there the whole time; but it wasn’t until that moment when he finally believed that he truly saw them.

Same goes for those risks. They have always been there. It is only with increased awareness of risk management that folks are starting to see them.

(Fast forward to 2:40 of the video link.)


Eddard (Ned) Stark, Lord of Winterfell, is a protagonist in the book A Game of Thrones by George R.R. Martin. He is principled and tells the truth and believes in honour and justice. Ned would make an excellent Chief Risk Officer.

When King Robert Baratheon asked him to become the Hand of the King – a chief advisor to the King who executes the king’s command and speaks in the King’s voice – it was not a job Ned was seeking. He took the job because his friend needed him and Westeros needed a man like him. In that role, Ned Stark put the Kingdom first.

A successful CRO needs to be a bit like the Hand and Ned Stark. It requires someone willing to put the organization first, who tells the truth and seeks the truth. And like the role of the Hand, the CRO needs to have the power to be taken seriously so as to accomplish the organization’s objectives.

(Spoiler alert: Do not read the rest of this post if you have not read the book.)

While investigating why his predecessor was murdered, Ned identifies the biggest risk to the Kingdom: the king’s heirs are actually the progeny of Queen Cersei and her twin brother. Like a CRO, Ned tries to do the right and honourable thing and reveal the true risk to the king so it can be properly treated. But before he does, Ned approaches Queen Cersei and warns her to get out of town. Sadly, the Queen conspires to have the king murdered instead. Then with no legitimate and lawful heirs, Ned Stark suggests that the throne has to pass to Robert’s older brother Stannis; it is the right thing, the honourable thing. The truth.

But before the incestuous truths can be revealed, the Queen moves first against Ned and places her son on the throne. Ned is later beheaded for his treason.

As a risk professional I have always conducted myself like Ned Stark. Although my honour and affinity for telling the truth have perhaps gotten me beheaded once or twice as well, like the late Lord of Winterfell, I cannot behave any other way. Nor should any leader.

People in CRO (or any risk leadership) roles need to be more like Ned Stark but sadly there are too many Cerseis who place their own personal interests before the truth and their organizations. Too often they win but lately it appears the liars and cheats are paying for their crimes.


In his book “Outliers”, author Malcolm Gladwell explains how “The kinds of errors that cause plane crashes are invariably errors of teamwork and communication” as opposed to mechanical causes. Also, they usually happen after a sequence of mistakes and misfortunes and rarely because of one event.

Our respective cultures dictate how we work and communicate with others. Gladwell describes how communication is very formal in many places where there is a social hierarchy between the “inferior” and “superior” person having the conversation. (Think customer and waiter, accountant and CFO, and co-pilot and pilot.)

Even though it’s a co-pilot’s role to take control of the plane when he or she thinks the pilot has made the wrong decision or is unfit to fly, in cultures where the inferior and superior roles are well defined, the co-pilot won’t do the right thing and take control of the plane. Literally and figuratively this type of behavior won’t fly.

Like pilots, CEOs have dashboards with gauges to help them navigate the organization. They also have hundreds or thousands of co-pilots and flight engineers helping to fly these organizations who each have their own dashboards. Unfortunately, if someone hears a beep or sees a flashing light, not only is there no mechanism for warning the pilot, the culture usually won’t permit it. Even in an organization with a Chief Risk Officer or head of risk management, if the culture makes it socially unacceptable to speak up or tell the CEO he’s fucked up, the organization is destined to crash and burn.

The last word goes to Gladwell who solves this cultural problem by explaining: “Planes are safer when the least experienced pilot is flying, because it means the second pilot isn’t afraid to speak up.”



When my son was 7 years old he asked me what I did for a living. I explained that “Daddy goes to companies and helps them find where all the bad things are.” Ironically, this definition served me well when I had to explain what ERM was to grown-ups. While others were quoting definitions from COSO frameworks and generating glazed looks and polite nods, I was explaining the concepts in a way so that my 7-year-old could understand. And people liked it! Since then I’ve realized that what I learn from my children I can teach to my peers, employees or clients; and what I learn in my professional world often works on the children.

He is 13 now and his schedule is getting busier with hockey games, practices, chores, parties, friends plus increased homework. Despite the fact that his school provides him with a $12 agenda, he still doesn’t write any deadlines down or prioritize. For example, since he started being accountable for doing his laundry, on some mornings, when he realizes he doesn’t have any clean pants to wear, he digs into his laundry basket to pull out a pair of previously worn jeans. Gross.

What’s funny is that I think the behaviour of a 13-year-old boy is a window into the attitudes toward risk management of the C-suite and board members, who seem to prefer to wait until their closet is empty before they wash their clothing. Doing laundry, like risk management, is important, but it is not urgent until it becomes urgent.

My boy may be a little irresponsible and a bit lazy but I am optimistic I can teach him some of Stephen Covey’s basic lessons like putting the big rocks in first and being proactive. I have no doubt he will grow up to be a responsible young man.

As for all those people who keep putting off their risk management efforts… I think all they have to look forward to is wearing dirty stink pants from the laundry basket until a 13-year old girl tells them that they smell.