The Problem With Enterprise Risk Management

There’s a problem with risk management. Nearly everyone is doing it wrong.

The typical approach to risk management is to identify and log all the risks. Maybe you put them in some nifty categories. You do a bunch of analysis and ranking. At the end of the day, you have a pretty heat map that just reflects your uncertainty.

What have you actually solved?

What if you focused on resolving your biggest business challenges instead? What if you focused on developing mitigations and strategies? What if you actually solved a few problems? Wouldn’t that be great?

Risk management shouldn’t be about compliance or collecting a list of risks. It should be about resolving business problems, addressing challenges, and ensuring business stability and growth.

I can hear the nay-sayers now: “But Charlene, what about our frameworks?”

Frameworks give you the big picture of “what you should do” but not the tactical “how to get it done.” Plus, they don’t include the next steps of making decisions, communicating risk, and tracking progress.

Frameworks focus on ranking risk, giving little attention to understanding the root cause or learning how to avoid repeating the same mistakes. Those are critical thinking skills, something risk frameworks do not speak to.

Analysis in risk frameworks is basic qualitative or, at best, light semi-quantitative. These are fine as far as they go, but you should also be able to quantify the risk and forecast negative events. Frameworks don’t provide tools to do any of that.

Here’s what I recommend. I call it the RACE methodology.

RACE stands for repeatable, agile, complete, and easy.

It’s a process for decomposing a problem, understanding the root cause, generating ideas, analyzing the available data, comparing options, actually making a decision, communicating that decision, and then tracking the progress.

The great thing about the RACE method is that it fits into any framework and actually extends it. The communicating and tracking elements are crucial to making the work of risk analysis relevant to the organization. That’s one of the reasons people don’t find frameworks effective.

Want to learn more? Check out my upcoming workshops.