9 Common Risk Management Failures and How To Avoid Them

The document discusses 9 common risk management failures that enterprises should avoid. These include: 1) Poor governance, such as when Citibank mistakenly wired $900 million due to issues with a new software system. 2) Toxic work cultures, like when companies fail to address problems that alienate employees and customers. 3) Overemphasizing efficiency over resiliency, leaving companies vulnerable to disruptions. The document provides examples for each failure and emphasizes the importance of proactive enterprise risk management.

11/14/22, 10:48 AM 9 common risk management failures and how to avoid them

Enterprises are making massive changes to their business models at a faster rate than ever before due to the
effects of the COVID-19 pandemic, supply chain disruptions and environmental mandates. The pace of change
has introduced new risks for enterprises, making it imperative that companies take a close look at their risk
management programs. 

Risk management failures are often depicted as the result of unfortunate events, reckless behavior or bad
judgment. But a deeper analysis shows that many risks are due to systemic problems that could have been
addressed with a more proactive and ongoing enterprise risk management program. Here are nine common risk
management failures to avoid.

1. Poor governance

Citibank made headlines when it mistakenly wired a $900-million loan payoff to cosmetics company Revlon's
lenders in August 2020. A federal judge later ruled that Citibank was entitled to less than half of the $900 million.

Like all financial services institutions, Citibank had policies in place, such as dedicated terminals for wiring large
amounts of money and multiple controls that were rejiggered after the migration of its workforce to remote
locations during the pandemic. Compromised banking controls were first suspected to have caused the costly
error, said Chris Matlock, vice president, advisory -- corporate strategy and risk practice at Gartner. But the
problem was traced to a recently installed software package that had UI issues, didn't have the appropriate
controls and led to human error.

https://www.techtarget.com/searchcio/feature/9-common-risk-management-failures-and-how-to-avoid-them 1/5
"This was a case where the human side of the equation can overwhelm any amount of good technology that has
been installed," Matlock added. Citibank was eventually fined $400 million by U.S. regulators and agreed
to overhaul its internal risk management, data governance and compliance controls.

2. Toxic work culture

Known for decades as the hub of technical innovation, Silicon Valley has evolved into a bastion of toxic "bro
culture," according to Alla Valente, senior analyst at Forrester Research. She also cited other forms of toxic work
culture when companies fail to mitigate risks that can alienate employees and customers.

Facebook's lukewarm response to the Cambridge Analytica scandal, Valente argued, has significantly eroded its
trustworthiness and market potential. Wells Fargo's executives turning a blind eye to the warning signs of the
bank's predatory selling practices with their customers "was a strategic decision," Valente said. "It could have
been fixed, but fixing culture is never easy."

3. Overemphasis on efficiency vs. resiliency

Efficiency and resiliency sit at opposite ends of the spectrum, Matlock said. Greater efficiency can lead to
greater profits when things go well. The auto industry realized significant savings by creating a supply chain of
thousands of third-party suppliers spread across multiple tiers. But during the pandemic, there were massive
disruptions in supply chains that lacked resiliency. A chip shortage ensued, and automakers' bottom lines
suffered when chip suppliers took advantage of the resulting higher margins in the consumer electronics
industry.

Conversely, interactive fitness platform maker Peloton, Matlock said, moved its entire supply chain and
manufacturing process from Asia to Ohio to meet the heightened demand for its exercise bikes during the
COVID-19 lockdowns. That kind of resiliency in its supply chain helped insulate the company from disruptions,
bottlenecks and trade wars.

4. Toothless ESG statements

Until recently, companies would release impact statements that only paid lip service to their environmental,
sustainability and governance (ESG) initiatives and weren't tied to measurable results or meaningful outcomes.
Since the United Nations issued "code red for humanity," regulators, customers, employees and even
shareholders are pushing for more meaningful impact statements.

Securities regulators in the U.S. and U.K. are considering new ESG impact disclosure rules. ExxonMobil lost a
proxy battle for a board seat because activists demanded greater ESG accountability. "There was an
underestimation of the importance ESG would have," Matlock said. "Up until now, we've known that being
environmentally conscious and being socially conscious was important. But now suddenly, it seems like we all
have to take this seriously. And if we get it wrong, there may be a penalty in terms of capital flow and
opportunities."

5. Reckless risk-taking

A wildfire during unusually high summer temperatures approaching 122 degrees destroyed the village of Lytton,
British Columbia, in less than two hours and touched off a class-action lawsuit claiming the fire was triggered by
heat or sparks emanating from a freight train operating nearby. The suit alleged reckless behavior against the
Canadian Pacific and Canadian National railways because they should have known conditions were unsafe to
operate the train and failed to protect the town.

"But it's often not that simple," said Josh Tessaro, practice manager at Thirdera, a ServiceNow global services
provider. "When you see one of these news articles that looks like reckless risk-taking, it is almost always due to
lack of risk data, process definition and governance."

6. Lack of transparency

National attention has been focused for some time on the underreporting and misreporting of COVID-19 deaths
in several states. New York's nursing home scandal, in particular, showed a systematic lack of transparency
about the actual number of COVID-19-related deaths among the elderly and the wide discrepancy between the
understated figures released to the public and the state attorney general's ultimate findings.

Withholding of data, lack of data or siloed data within organizations can create transparency issues and result in
untold consequences. "Many processes and systems were not designed with risk in mind and are often
disconnected across the enterprise and owned by different leaders," Tessaro explained. "Risk managers often
then settle for the data they have that is easily accessible, ignoring critical processes because the data is hard to
get."

A transparent risk management approach requires a consistent company-wide strategy that includes senior
management, clearly defines the role of risk management, encourages risk awareness, institutes a common risk
language and encompasses the various interests, objectives and critical risk concerns of all departments. A
centralized system of record for risk profiles and events should also be established to collect, manage and
report on key risk data.

7. Immature ERM programs

A combination of low interest rates and a surging stock market has spurred record numbers of global mergers
and acquisitions during the first half of 2021, according to financial markets data and infrastructure provider
Refinitiv. Buried among the success stories are many less-publicized M&A, IPO and product launch failures.

"Many of these failures can be attributed to organizations' immature risk programs," said Clifford Huntington,
global assistant vice president, sales, for risk products at ServiceNow. Enterprises often don't recognize that a
complete risk assessment as part of an ERM program to identify potential and inherent risks is needed in
preparation for making deals.

8. Supply chain oversights

The rise in mass cyber incidents highlights the need to assess security risks up and down the partner supply
chain. "Organizations are increasingly focused on the risk from their vendors as it relates to sensitive data
breaches," said Mark O'Hara, managing director at consultancy AArete.

New contractual terms need to address cyber insurance requirements, data destruction practices and
destruction verification. But organizations, O'Hara acknowledged, don't regularly review existing agreements or
consistently communicate new requirements across their business units, resulting in noncompliant contractual
agreements.

9. Lagging security controls

While companies have been accelerating deployments of workflow procedures and technologies to
accommodate their new hybrid workforces, the controls necessary to ensure security, availability, processing
integrity, confidentiality and privacy, as well as their documentation, have not kept pace.

"We rapidly pushed everyone to remote work where possible," said Dan Zitting, CEO at governance, risk and
compliance software provider Galvanize, "yet controls around user access and physical security did not change
as quickly."

As a result, many organizations are encountering control failures and compliance issues, leading to risk
exposure and security breaches. Controls specified in SOC 2, Sarbanes-Oxley Act and ISO 27001 compliance
standards and regulations, for example, changed as workflow processes increasingly became remote-friendly.
One year later, companies are struggling to update their documentation to pass these types of security audits.