Is the risk management industry actually contributing to business failures?

by | Mar 27, 2022

The risk management sector has boomed into a USD $71 billion global industry, but not all risk management is created equal, writes small business mentor, Bronwyn Reid.

Given that I published a book in 2021 about how small and medium businesses can prepare for a potential business crisis, the title of this post seems a bit strange.

Surely, using risk management techniques is what we all NEED to do!?

Yes, risk management is absolutely what we need to do, but the question I am raising here is HOW we do it.

How the risk management industry contributes to business failures

There’s a lot of money involved in managing risks. Firstly, there’s a lot of threats out there to be managed – flood, fire, cyclones, fraud, cyber-hacking, booms and busts, etc. Secondly, because each one of those threats comes with a very big price tag if we become a victim.

And as always, where there is lots of money, people and businesses will gather to earn profits.

How much money, you ask? In 2021, the global risk management industry was worth almost USD $71 billion. So it’s not surprising that the industry has grown, and continues to grow.

But growth always comes with increased complexity and that’s where the trouble starts.

Controlling risk with compliance

The basis of the risk management industry has been compliance – making people comply and:

  • do things a certain way
  • not do things a certain way
  • follow a policy, process or procedure
  • measure things
  • report things

The complexity

The problem with the compliance approach is that it easily becomes addictive. If a crack appears, another policy, process, procedure or training course is needed, and it gets added on to the existing risk management system. It’s not hard to see how growth begets complexity.

This is how we finish up with:

  • a mountain of acronyms
  • long documents that seem to be designed as a sleep aid
  • forms that must be filled out but have no further function
  • reports that nobody reads

I have seen risk management systems that have internal contradictions, and where the people responsible for implementing them have no idea about what they actually contain.

I call this risk management by the kilo.

The trap with this approach is that because it’s so complex, it’s easy to think that everything has been covered. If you are spending 60 – 70 per cent of your day dealing with risk management paperwork, you would think that you’ve got it all under control! It’s also a productivity-killer.

The result

It’s not news that a small business owner or manager has a lot to deal with on a day-to-day basis. Just getting through the day can be a Herculean feat at times. The typical response of such a person to risk management by the kilo is predictable – they run a mile and curse the whole concept of dealing with threats to their business. They probably know intuitively that they should spend some time thinking and preparing, but the thought of all those acronyms, forms, documents and folders is just too much to bear.

The end result is a largely under- or unprepared sector of our economy that repeatedly falls victim to business disasters. Many fail, with a whole set of consequences for the people and communities involved.

Please be assured that I am not advocating throwing risk management techniques out the window, far from it. Many such rules are sensible and necessary, and do reduce some risks that could prove fatal to a person or a company.

But rules, forms, documents and acronyms will neither:

  • diminish either the likelihood or the impact of a major disaster, or
  • encourage businesses that can’t afford to buy into the risk management industry to engage in appropriate planning.


This post first appeared on on March 24, 2022.