Yes, that is right. Just buying a treadmill has absolutely no health benefits.
And in the same vein, just creating a risk management system does not provide any benefit. You actually have to activate that system and pay attenion to the signals that it sends.
And you can count on the risk management system being disruptive. In fact, if it is not disruptive, then you should shut it down.
The risk management system is a waste of time and money if it just stays out of the way and you end up doing exactly what you would have done without it. But, in at least 2/3 of the companies that claim to be running a risk management system, they have trouble coming up with even one story of how they changed what they were planning to do because of the risk management system.
Usually, in a company that is really running a risk management system, the stories of the impact of risk management are of major clashes.
Risk management is a control system that focuses on three things:
- Riskiness of accepted risks
- Volume of accepted risks
- Return from accepted risks
The disruptions caused by an actual active risk management system fall into those three categories:
- Business that would have been accepted prior to risk management system is now deemed to be unacceptable because it is too risky. Rejection of business or mitigation of the excess risk is now required.
- Growth of risky business that may not have been restricted before the risk management system is now seen to be excessive. Rejection of business or mitigation of the excess risk is now required.
- Return from business where the risk was not previously measured is now seen to be inadequate compared to the risk involved. Business emphasis is now shifted to alternatives with a better return for risk.
Some firms will find the disruptions less than others, but there will almost always be disruptions.
The worst case scenario for a new risk management system is that the system is implemented and then when a major potentially disruptive situation arises, an exception to the new risk management system is granted. That is worst case because those major disruptive situations are actually where the risk management system pays for itself. If the risk management only applies to minor business decisions, then the company will experience all of the cost of the system but very little of the benefits.