
One Simple Way to Get Your CEO to Embrace Risk Management

By John A. Wheeler | May 28, 2014 | 4 Comments


Why do most CEOs or other senior business executives cringe at the thought of having to meet with risk management professionals? By their very nature, CEOs are hardwired to seek out growth opportunities that will add value to their companies. However, risk management professionals are hardwired to find ways to minimize losses that will erode value. The two goals are polar opposites.

So, how can you get your CEO to embrace your risk management program? You must change the way you communicate about risk. For most risk management professionals, the focus of the conversation with their CEO is on the likelihood and impact of risks that a company faces. This is typically depicted by using a risk heat map such as the one below.

[Figure: high vs. low risk graphic]

The problem with this exercise is that it is born out of an insurance mentality of minimizing or eliminating losses by reducing or avoiding high risk business activities. This is counter-intuitive for the CEO. CEOs are the ultimate risk takers in your company and rightfully so. However, what separates the successful CEOs from the unsuccessful CEOs is the ability to take the right risks. So, you must re-frame the conversation about risk from “high risks vs. low risks” to “good risks vs. bad risks”. Some of the very same “high risks” may actually be “good risks” when fully evaluated against the value created and the company’s understanding or appetite for taking the risk. A different way to view the risks is depicted below.

[Figure: good vs. bad risk graphic]

Many of these “good risks” lie at the heart of the innovation that has driven companies like Apple, Google and others to break from the pack and dominate their markets. Gartner’s research and advice can help you make this simple shift in your risk-related communications with the CEO and others in your company. To learn more, view my latest research by clicking here or attend one of our upcoming Security & Risk Management Summits around the globe.






  • Hi John,

    Good out-of-the-box thinking. I was seriously thinking of adopting it, but I have some concerns that prevent me from doing so. That said, I would like to discuss them with you:

    1) All over the world, reports use the color GREEN for good things. If I use GREEN for Good Risks, everybody will think that the item is fine and must stand still. This is counter-intuitive when analyzing a report. This kind of report will be an exception that may confuse those who are used to analyzing many reports.

    2) Is there anything between Good and Bad risks? Isn’t it something boolean, like true or false? You must take an option: “mitigate/avoid/transfer” or “accept”, so there is no reason to put the yellow line in the image.

    3) What about the action to take on the “Bad Risks”? The CEO should think “I will never bother about this risk”. How do you explain that even the “Bad Risk” also needs to be mitigated/avoided/transferred? He may ask “Didn’t you say that it is a bad risk? Why should I care?”

    4) What could possibly be the objective criteria to define the “Value” and the “Appetite”?

    I thought just using the Image 1 (Impact x Likelihood), inverting the colors, removing the yellow layer, renaming “High Risks” to “Good Risks” and “Low Risks” to “Bad Risks” may be a better representation instead of using “Value” and “Appetite”.

    I like the good and bad risks approach and have already read some articles about it, although this approach does not seem to fit in a risk report.

    What do you think, John?

    Anderson Dadario
