Risk Management without Quantification is Voodoo Science

This article posits a process model that performs an organization’s risk management function concurrently with its capital allocation (i.e., budgeting), in a manner that preserves the requisite managerial control without the burden of numerous committees. Committees almost always add organizational overhead, slow the process down, and add little or no perceived value to the results. The process, as depicted in the graphic below, is more decentralized, resilient, accountable, and transparent.

Moreover, the proposed process should lead to higher-quality and faster decision-making. Most C-suites in mid-size to large organizations agree that slow decision-making is one of their core competitive challenges. As Arie de Geus, former head of Royal Dutch Shell's Strategic Planning Group, once said: “The ability to learn faster than competitors may be the only sustainable competitive advantage.” Decades after de Geus formulated it, this remains the quintessential advantage that companies large, small, and everything in between seek. This is not to discount the power of raw capital, which can create significant barriers to entry; but once those barriers are broken, the race to accumulate knowledge begins in earnest and accelerates. The quote has become axiomatic.

This article also discusses Compliance Maturity Models (“CMMs”) and argues that they are anachronistic artifacts that yield no practical value in today’s fast-moving regulatory environment. We propose one of our own as an illustration of how arbitrary the various levels of a CMM are and why we suggest they be discarded. These linear demarcations tend to become a set of platitudes that supply fodder for academic arguments but do not result in actual processes within an organization that create sustainable value.


The Process

The process assumes that the organization has adopted a common grammar for describing risk, namely the one proposed by the National Institute of Standards and Technology (“NIST”) in Special Publication 800-30 Rev. 1. In that model, risk is a function of the likelihood that a threat (T) exploits a vulnerability (V) and of the impact (I) to the organization if it does. This is often written in shorthand as Risk = (T x V) x I, although NIST treats these as factors to be combined rather than as a literal arithmetic product. Each factor is rated on a qualitative scale (for example Low, Medium, or High; NIST’s own assessment tables use five levels from Very Low to Very High). For the purpose of a risk assessment, such qualitative values work just fine. NIST explicitly allows qualitative, semi-quantitative, and quantitative approaches, and cautions that numeric results still require interpretation and that their apparent precision is not necessarily meaningful.

However, to compare risks across organizational silos, at least some rough, back-of-the-envelope calculations are required; otherwise management has no basis on which to compare the High risks that emerge from disparate silos. Further, when risks “float” up the organization's chain of command, the stakeholder floating the risk should document the Threat, the Vulnerability, and the Impact to the organization. If a stakeholder cannot adequately define and quantify the risk for his line manager, then the manager has grounds either to refuse to float the risk further or to send the stakeholder back to the drawing board. After all that effort, the line manager in turn has to defend the risk to his own manager (Director, Vice President, etc.), and so on up to the Board of Directors (BOD). At the same time that a manager is floating risks, he is also composing the operational budget for the coming year, and this happens at each step of the organizational hierarchy. That budget should not include remediation of the high-value risks being floated. Why? Because the understanding is that once the High risks being floated number somewhere between five and ten (ideally closer to five), remediation for those risks must of course be funded, and specialized staff may be required to assist with it.

The CEO and BOD are generally faced with three to five mission-critical strategic objectives they must contend with, and these have almost certainly already been identified. So it makes no sense to float risks that do not pertain to those strategic issues; they will simply be ignored, no matter what the justification or how well they are quantified. The CEO and BOD accept risk quantifications as input, but the numbers are rarely determinative of the ultimate decision. They understand that numbers, however good, tell only part of the story. Decisions are ultimately made on several factors: the numbers, the subject-matter expertise of the CEO and the BOD members, and finally their collective “gut feel.”

Compliance Maturity Models

Capability Maturity Models have existed in other industries since the late 1980s. The Capability Maturity Model (CMM) was developed and is promoted by the Software Engineering Institute (SEI), a research and development center sponsored by the U.S. Department of Defense (DOD) and now part of Carnegie Mellon University. SEI was founded in 1984 to address software engineering issues and, in a broad sense, to advance software engineering methodologies. Compliance Maturity Models (also abbreviated “CMM”) were borrowed from this work by the compliance industry. However, in the 24/7, 365-day business environment we all live in, they are now anachronistic: they are linear, they assume that incremental improvement will carry an organization from one level to the next, and their levels are largely arbitrary. Like so many management methodologies, they are anachronistic because they fail to account for the inflection point that has occurred in the “science” of management over the last 20 years.

Agile methodologies currently dominate the software industry and have made significant inroads into compliance and into just about every other knowledge-based industry you can think of (which now includes all industries).

Unless corporate managerial practices are disrupted and reinvented into processes that are Agile by nature, the intractable problems now faced by management teams, large and small, will remain ill-suited to the current business environment, where change itself is the only constant and is accelerating exponentially. Innovate, learn, or die a death of a thousand cuts.