Being a risk manager in an organization is a thankless task, but you already knew that, didn't you?
In his book Decision Making: Risk Management, Systems Thinking and Situation Awareness, Dr Alan McLucas introduces the concept of the Risk Management Paradox:
“The task of managing risks effectively is confounded by a classical paradox. That is, if risks are being effectively managed as a matter of routine, there will be very few surprises. Nobody becomes aware of just how effective careful risk-management actions have proven to be. Nobody slaps the manager on the back and congratulates them for a job exceedingly well done. In stark contrast, however, if risks are managed poorly, the whole world lines up to say so.”
This paradox provides two critical insights. The first, and most obvious, is that being a risk manager in an organization is a thankless task: one that rarely draws praise, yet is the first to come under scrutiny when outcomes are not as planned. The second is that organizations are not adept at measuring the outcomes of risk management and the value it adds to the organization.
Measuring the benefits risk management brings to an organization is challenging. To do it properly, the measurement of risk management performance needs to consider a wide range of factors, which can be divided into three distinct categories:
a. Compliance. This measures whether the organization is complying with its own risk management policy directives.
b. Maturity. This measures the maturity of the risk management program within the organization against industry best practice.
c. Value Add. This measures the extent to which risk management is contributing to the achievement of the organization’s objectives and outcomes.
Like all programs within an organization, the risk management program should be subject to compliance auditing. This auditing is aimed at ensuring that the fundamental requirements detailed in the organization's Risk Management Policy are being followed.
For some organizations, compliance with the risk management policy is the only thing that is measured. Restricting the measurement of the program's performance to compliance against the policy, however, is fundamentally flawed.
It is entirely conceivable for an organization to be 100% compliant with every requirement of its risk management policy while its risk management contributes nothing to the achievement of effective outcomes. Compliance shows that the prescribed activities are happening; it does not show that they are working.
One of the first steps in establishing a risk management framework for any organization is to evaluate its existing management processes and systems. The most effective way to understand the current status of risk management processes within an organization is to conduct a risk maturity assessment, which benchmarks the program against industry best practice.
Organizations should strive to improve their risk maturity over time.
Whilst measuring compliance and the maturity of the risk management program are absolutely critical, what the majority of organizations fail to capture is the contribution risk management is making to the achievement of the organization's objectives.
The irony is that the performance metrics organizations already collect can provide this insight.
If an organization continues to improve its risk maturity over time, then its performance against these metrics should also improve. Whilst the relationship is by no means linear, improved risk maturity will result in improved performance.
The following series of diagrams gives an indication of what this may look like:
What these diagrams demonstrate in practical terms is that every time the organization benchmarks its risk maturity, it also needs to benchmark its performance measures.
It needs to be recognized, however, that this is not an exact science. A direct causal relationship cannot be proven, but tracking the two sets of measures together does provide a strong indication of the correlation between improved risk management and improved performance.
When it comes to measuring the outcomes of risk management, this is the best you can hope for.
Reproduced with the author’s permission from Paladin Risk Management Services.
Rod Farrar is the Director of Paladin Risk Management Services, an Australian-based risk management business that provides risk management training and consultancy services to government and industry. Paladin’s flagship courses, the Diploma of Risk Management and Business Continuity and the Advanced Diploma of Governance, Risk and Compliance, have been attended by over 300 participants from all locations across Australia as well as Indonesia, New Zealand, PNG and Solomon Islands. Contact him at firstname.lastname@example.org.