a) A lack of risk decision making structure and lack of accountability for risk decisions in an organization.
Almost every business executive is comfortable with risk decision making; however, in many cases the right people aren’t making those decisions. Organizations need to develop a structure so that the important risk-based decisions are made by the right people: those who are accountable for the impacts, good or bad. This typically means some kind of risk governance structure that defines what decision-making powers each level of the organization has, along with an oversight structure and escalation path for those risks that need to be monitored or managed higher up in the food chain.
b) The lack of a meaningful risk assessment process. Some organizations treat risk management as something they have to do from a compliance standpoint and conduct superficial risk assessments. Others just don’t have the right skills to develop a meaningful risk assessment process. A meaningful process enables the identification of risks based on the goals of the organization and describes those risks in business terms, either qualitatively or quantitatively, through a common risk taxonomy.
So who ARE the right people? Do they vary or should the team making decisions stay stable? What factors should be considered when we are looking at our decision making bodies?