Should we abandon risk assessment, risk management, and risk appetite?


Many perform a periodic risk assessment and come up with what they consider to be the ‘level’ of a risk.

The traditional approach is to share those levels, in a list of risks, with management and perhaps the board, to see whether each risk is acceptable (within some limit, threshold, or so-called risk appetite) and to decide what to do about it: accept, manage, or mitigate.

Carol Williams describes this approach in an older article on her website, 4 risk response strategies you will have to consider after assessing risks. (I thank her for referencing one of my books in it.) Perhaps Carol will share with us whether she continues to believe these four risk responses, which are traditional and recommended in most frameworks and guides, remain appropriate. I suspect she has moved on.

The four traditional responses are:

  1. Avoid
  2. Reduce
  3. Transfer
  4. Accept

Her article recognizes the need for continuing monitoring to ensure that responses change should the risks and business conditions change.


More and more people are recognizing that managing or mitigating a list of risks is not effective, nor of much value beyond compliance: doing what is required by the regulators rather than what is needed by the business.


Let’s imagine that I am the new Minister of Defense and Q, the risk manager in the weapons development function,…
