How Do We Know What Works?
Leaders get out in front and stay there by raising the standards by which they judge themselves—and by which they are willing to be judged.
“How do we know our risk management efforts work?” should be the single most persistent question of all those who manage risks. If they can’t answer that question, then they have no reason to believe that efforts to manage risks are working or, for that matter, are even focusing on the right risks. The standard must be some objective measure that could be verified by other stakeholders in the organization or outside auditors.
If our question were instead “Do you feel your risk management has been successful?” then the evidence shown in the previous chapter would tell us that risk management is generally successful, at least half the time. So let’s look at why self-assessments tell us so little, some possible objective measures we might use instead, and what we should be prepared to discover if we use objective measures.


Skepticism about what gains can be attributed to popular management tools is not only justified, but a requirement of good management. And self-assessed results of implementing these methods should be considered with even more suspicion. Such suspicions are sometimes tested and sometimes confirmed. In July 2003, Harvard Business Review (HBR) published the results of a study involving 160 organizations ...

Get The Failure of Risk Management: Why It's Broken and How to Fix It now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.