JOnline: The Failure of Risk Management: Why It’s Broken and How to Fix It 


The Failure of Risk Management: Why It’s Broken and How to Fix It is a critical analysis of some of the most popular risk analysis and management methods used in large, prominent business and government settings. Through detailed, clear and objective analysis, these best practices are shown to provide little added value in actually assessing risks. According to Hubbard, “If risks cannot be properly evaluated, risk management itself becomes the biggest risk.”

Hubbard analyzes standard methods and elements of risk management analysis, and existing tools presumed to measure risks, all of which are subsequently shown to be built upon underlying flaws, incorrectly or incompletely applied, or generally ignored. As critical questions are asked and answered about popular risk management techniques, which are used to make major corporate and government decisions, these soft qualitative techniques are shown to lack theoretical or empirical support and not to be based on the more sophisticated scientific and mathematical techniques that exist and are applied by actuaries, engineers and financial analysts.

The Failure of Risk Management transcends the 2008 financial market crisis. It dissects real-life major risk management case studies involving national disasters, industrial accidents, outsourcing drug production to China, computer security and other areas, where risk was consistently underestimated or proven to be woefully unrealistic. Hubbard is then able to explain how these major failures of risk management can be corrected.

Recommended fixes to the risk management issues identified transcend adherence to the use of a formal risk management process or having a chief risk officer in-house. Recommended fixes include the need for additional collaboration across industries to perform risk assessments and share results, while looking out for continuous opportunities to improve, and the utilization of more sophisticated risk management techniques. More sophisticated techniques recommended include the use of calibration methodologies to counteract subjective measurements, breaking down the major risk into distinct subcomponents, utilizing Monte Carlo simulations and using additional available research to reduce uncertainty surrounding the subcomponents impacting the major risk.

Hubbard acknowledges a conflict with the methodology of COBIT, and its best practice of utilizing a scoring method for assessing IT risks. Simple scoring methods are considered to be of little added value, according to Hubbard, in measuring overall risk. Multiple problems with scoring methods are critically analyzed, including the overall lack of empirical evidence that their use improves decisions at all, an inability to adequately remove or adjust for subjective judgments, and a lack of precision surrounding the use of ordinal scores.

An appropriate amount of documentation, such as checklists and practice examples, is included within the book. Other excellent tools demonstrated and cited are available via Hubbard’s web site, which is well referenced throughout the book.

The Failure of Risk Management is an enlightening guide that focuses on IT governance and assurance, and should be a worthwhile read for basic, intermediate and advanced readers across all industries, not only the financial, banking and government industries. As a recommended reference for the business library with an unlimited shelf life, its target audience includes anyone who makes critical business decisions and all levels of management, consultants and academics interested in general corporate business management, government, economics, statistics, information technology, corporate finance and mathematics, within all geographic areas.

Editor’s Note

The Failure of Risk Management: Why It’s Broken and How to Fix It is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit, e-mail or telephone +1.847.660.5650.

Reviewed by Gail Michaelson, CISA, PMP, SSGB, an IT professional from Cincinnati, Ohio, USA, with more than 10 years of expertise in business process optimization and continuous improvement, program and project management, portfolio management, strategic planning and budgeting, and IT auditing. Her industry exposure spans health care, pharmacy benefits management, financial and government services, large retail, education, telecommunications, logistics and manufacturing. Michaelson is a member of the ISACA Publications Subcommittee.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.