Can there be overkill in risk management?

Can there be overkill in risk management? Actually, this is a strange question. It presupposes that there is an ideal level of effort in risk management, and that this level can be exceeded. I am not sure of either. I present risk management here simply as all the coordinated actions taken to direct and maintain an organization with respect to risk. Can there be an ideal level of risk management? Is it possible to coordinate too much? Is excess possible? So: can there be overkill in risk management? In this contribution, I express my own opinion, not that of any organization.
Author: Manu Steens

One possible answer

One possible answer to this is, “When there is too much coordination and action, it is no longer risk management.”

In the mid-18th century, Samuel Johnson stated the following: “Rules may obviate faults, but can never confer beauties; and prudence keeps life safe, but does not often make it happy.”
As the organization’s Risk Manager, where do you feel ISO 31000 (the ISO standard for Risk Management) fits? Somewhere between perfection and beauty, between safety and happiness?

Perhaps General Chuck Yeager had a good take on it:

“You don’t concentrate on risks. You concentrate on results. No risk is too great to prevent the necessary job from getting done.”

“Never wait for trouble”

“I was always afraid of dying. Always. It was my fear that made me learn everything I could about my airplane and my emergency equipment, and kept me flying respectful of my machine and always alert in the cockpit.”

Key words in this are:

Results; Necessary; Problems; Fear; Emergency equipment; Respectful; Alert


When I look for keywords in risk management myself, by associative thinking, I come up with the following:

Lean; Resistance (Resilience); Reputation; Beauty; Health; Cost-benefit; Anticipation and Uncertainty; Balance between RM (Risk Management) and General Management; Risk aversion; risk appetite; progress; worst case scenario; time and resources; Pareto.

Lean and uncertain

The basis of “Lean” is to first get a process running effectively, then make it efficient. That sequence is important. The problem with this is that sometimes people think that “efficient” means the same thing as “all encompassing,” and in doing so they make the process hopelessly complex.

In a world as uncertain, unpredictable and changeable as ours, the ability to adapt and evolve requires resistance (resilience). This is weaker in the culture of “Lean” working. That kind of thinking may improve the short-term impression of “health,” but it is not sustainable. In biological systems and business systems alike, redundancy and evolutionary adaptation are characteristics of resilience and sustainability, while “Lean”-built processes are often fragile and are themselves sources of risk.

Too many standards?

Besides, there may be too many different standards, each susceptible to different interpretations, by benevolent people with limited resources. In the end, each must row with the oars he has, in the time he has. Some of it can be automated, such as some types of risk analysis, but in the end there are no shortcuts to performing the risk management process. On top of that, when the concept of reputation risk rears its head, things can get difficult. After all, reputation is threefold: 1) reputation you get through hard work, 2) reputation you get through the social status of your position, 3) reputation you get because of your pedigree. But we won’t go into that here now.

Standards also bring beauty. But beauty comes from within, and conventional risk management, or literally implementing a standard, often creates a false cleanliness; it frequently turns out to be nothing more than makeup. Preserving beauty (for business systems as for biological systems) requires a degree of health, and that is where the real focus should be. But, as with the causes of risk, this lies a level deeper than the scope of conventional risk management or general management. Both serve to treat symptoms, and without an understanding of the link between cause and effect, unexpected side effects will occur, and risk management and general management themselves become a source of risk.

Health as an analogy

Actually, health is a good analogy. Some health conditions are treatable. With others, the side effects of treatment may be worse than the disease. In such circumstances, it may be better to treat the symptoms rather than the disease. It is important to look at organizational health, and to make this way of working a legitimate part of working in compliance with standards.

Every form of management must result in some form of return. If there is no value creation, you must consider why you are doing it. For risk management you can find the answer through economic concepts such as NPV (net present value), ROSI (return on security investment) and others. With that, the Pareto principle can surface. So one of the reasons why the risk manager should assess their own way of doing things is to make sure that they are not overdoing it. With those notions, they can also justify to the board where the limits are on how far they want to go with their measures, unless the board wants otherwise. It is, then, a question of cost and benefit. It is not a matter of eliminating the risks completely, but of taking measures that bring the risks out of the danger zone and down to an acceptable level.

Anticipation, health and balance

Anticipation and uncertainty are human. We watch the news to get certainty, and then we say “I told you so.” Unconsciously, we apply this to watching a game of soccer, when the Red Devils are playing in Brazil, etc. In business, we can fall into the trap of excessive self-assurance, which in itself is a source of risk. Sometimes even ministers cite history by saying “we’ll see who is right about history.” But really, time is essential to give a chance to uncertainty: “only time will tell.”

More important than playing at random with anticipation and uncertainty is a healthy balance between risk management and general management. I think it is possible to judge whether there is a tilt to one side or the other, and such a tilt is unproductive. There should be a healthy balance between risk aversion and risk acceptance (or risk appetite). Starting from the idea of a balance, you can only rarely eliminate a risk entirely. So you need a compromise between preventive measures on the one hand and cost and time on the other. If there is complete risk aversion, and one acts on it, then one no longer takes risks. However, every innovator knows that innovation and progress then stagnate. So risk-taking is every manager’s job. Failure to dare to fail can be the death knell for any organization.

Risk appetite

So every organization needs a certain level of risk appetite. Once you reach the proper level of risk appetite, you can adjust this risk appetite downward or upward. The limiting value in this is that the cost of taking or not taking risk measures is always less than the expected or actual return.

This does not mean that one should just start cutting back on prevention and protection. The cost-benefit principle can be followed there too, and if one then ensures a good balance there too, risk management can be very “empowering.” After all, a healthy employee in a pleasant workplace is always a boon to the entity. What is important here is how you ensure that you are taking acceptable, calculated, risks to keep moving forward. If risk management and RA are not part of risk-taking, then you are a dabbler, a gambler and not a strategic executive. Stakeholders respect the latter, and usually drop the former. After all, the purpose of risk management is also to help allocate resources, in support of overall management.
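The cost-benefit reasoning above (NPV and ROSI as the yardstick, the Pareto principle, and the limiting value that the cost of a measure must stay below its expected return) can be made concrete in a small calculation. The following is an added example, not code from the original post; every scenario, loss figure, cost and reduction percentage in it is constructed for illustration, and the three-year horizon and 5% discount rate are assumptions. It also generalizes the text slightly: it ranks a whole portfolio of measures and flags the one that is clearly overkill.

```python
"""Cost-benefit screening of risk measures: ALE, ROSI, NPV and a Pareto-style
ranking. Added example with constructed figures; not from the original post."""
from dataclasses import dataclass


@dataclass
class Scenario:
    """A loss scenario in classic quantitative-risk terms."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence (constructed)
    aro: float  # annualised rate of occurrence (constructed)

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Measure:
    """A risk measure applied to one scenario, with its costs."""
    name: str
    scenario: Scenario
    reduction: float  # fraction of the scenario's ALE the measure removes (0..1)
    capex: float      # one-off cost, paid at year 0
    opex: float       # recurring yearly cost

    def annual_benefit(self) -> float:
        """Expected yearly loss avoided thanks to the measure."""
        return self.scenario.ale() * self.reduction

    def rosi(self) -> float:
        """Return on security investment over one year:
        (loss avoided - cost) / cost, with capex folded into year one."""
        cost = self.capex + self.opex
        return (self.annual_benefit() - cost) / cost

    def npv(self, years: int, rate: float) -> float:
        """Net present value of the measure: capex up front, then the
        discounted yearly net benefit (loss avoided minus opex)."""
        total = -self.capex
        for t in range(1, years + 1):
            total += (self.annual_benefit() - self.opex) / (1 + rate) ** t
        return total


def within_limit(measure: Measure, years: int, rate: float) -> bool:
    """The post's limiting value: a measure is justified only while its cost
    stays below the expected return, i.e. while its NPV is positive."""
    return measure.npv(years, rate) > 0


def pareto_ranking(measures, years, rate, coverage=0.8):
    """Keep only justified measures, rank them by loss avoided, and return the
    shortest prefix that captures `coverage` (default 80%) of the total
    avoidable loss: the '20% of measures that stop 80% of the problems'."""
    justified = [m for m in measures if within_limit(m, years, rate)]
    justified.sort(key=lambda m: m.annual_benefit(), reverse=True)
    total = sum(m.annual_benefit() for m in justified)
    chosen, captured = [], 0.0
    for m in justified:
        chosen.append(m)
        captured += m.annual_benefit()
        if captured >= coverage * total:
            break
    return chosen


# Constructed scenarios and measures (all figures are illustrative assumptions).
PHISHING = Scenario("Phishing-led account compromise", sle=50_000, aro=2.0)
RANSOMWARE = Scenario("Ransomware outage", sle=400_000, aro=0.1)
LAPTOP = Scenario("Lost or stolen laptop", sle=5_000, aro=1.0)

MFA = Measure("Awareness training and MFA", PHISHING, 0.60, capex=20_000, opex=15_000)
BACKUPS = Measure("Offline backups", RANSOMWARE, 0.70, capex=10_000, opex=4_000)
FDE = Measure("Full-disk encryption", LAPTOP, 0.90, capex=3_000, opex=500)
GUARDS = Measure("Round-the-clock guards for laptops", LAPTOP, 0.95, capex=0, opex=120_000)
MEASURES = [MFA, BACKUPS, FDE, GUARDS]

YEARS, RATE = 3, 0.05  # assumed planning horizon and discount rate

if __name__ == "__main__":
    for m in MEASURES:
        verdict = "justified" if within_limit(m, YEARS, RATE) else "overkill"
        print(f"{m.name:38} ROSI={m.rosi():6.2f}  NPV={m.npv(YEARS, RATE):11,.0f}  {verdict}")
    print("Pareto core:", [m.name for m in pareto_ranking(MEASURES, YEARS, RATE)])
```

Run as a script, it prints each measure's ROSI and NPV and marks the guard service as overkill: it would avoid a few thousand a year in losses while costing 120,000, so it fails the limiting value regardless of how much risk it removes. The Pareto core is the two measures that together capture at least 80% of the avoidable loss, which is where a budget-constrained risk manager would start.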

An important signal of risk management overkill

An important signal of risk management overkill is that one tries to plan for every eventuality. A good check and balance for deciding how far to go is to plan for a “worst case scenario” that is “reasonable.” In other words, plan for what you can reasonably foresee as the event with the most severe impact, and work forward from there. Planning beyond that would meet opposition from anyone with a healthy dose of common sense, because they will argue why it cannot be justified.


The question was “can there be overkill in risk management?” I firmly believe:

  • Yes, there can
  • But it rarely happens
  • After all, people are very quick to say “We can’t plan for everything” and “We don’t have the time or resources to plan for everything.”

I would further say: no, we cannot predict everything, nor do we need to. We need to work toward a reasonable worst case, and we need to apply the subsidiarity principle to RM. At all levels of the entities, we need to provide an appropriate amount of training and practice and put the right tools in place, but also benchmark ourselves against the relevant standards, so that we are ready for the bulk of the circumstances that may come our way. Remember that the Pareto principle applies here: 20% of the measures will stop or intercept 80% of the problems. Involve all stakeholders in the RM. Remember that one crisis can trigger another, and that unprecedented factors, for which you cannot plan, can come into play at any time.

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.
