Is Your Business Blind?
Key Takeaways
- Organizational Blindness: The greatest risk is not the threat itself, but the organization’s inability to see and understand it in time.
- Static Risk Lists Fall Short: Many organizations maintain risk registers but lack real-time, decision-focused risk management that guides action.
- Decision-Centric Risk Insight: Effective risk management means continuously understanding the likelihood of achieving objectives and adjusting when that likelihood changes.
- Internal Audit’s Critical Role: Internal auditors should assess whether risk management practices actually support informed decision-making, not just compliance routines.
- Missed Threats and Opportunities: Without improving visibility and foresight, organizations risk hitting avoidable obstacles and overlooking opportunities for success.
Deep Dive
In this article, Norman Marks dives into the idea that the greatest threat facing organizations today isn’t a specific cyber event, market shift, or operational disruption—it’s the inability to see risks and opportunities in time to respond. He argues that many organizations are effectively navigating with blurred vision, relying on static risk registers rather than dynamic risk insight that informs decision-making. Marks challenges leaders and internal auditors alike to rethink how risk management operates, not as a compliance exercise, but as a critical driver of performance and strategic success.
A Reflection on Organizational Blindness and the Role of Risk Management
If you are driving down the highway at 65 mph (104.6 km/h), a broken-down truck in the middle of the road ahead is a serious source of risk. You might consider it the #1 entry in your list of top risks (if you were to put such a list together as you were driving). But what if you can’t see it?
What if you are blind to its existence or the threat it represents to your safety, let alone your ability to reach your destination? Maybe you are not totally blind, but your poor eyesight doesn’t let you see until it’s too late that the truck is blocking all lanes.
Maybe the information is available, but you are not using it effectively? (For example, your systems have been breached and your cybersecurity provider has sent you a message to that effect, but you are not looking at it—something that happened to a major organization last year.)
This is where risk management comes in. It helps the driver of the vehicle not only to see the truck but also to understand the consequences of hitting it—so they stop the car.
In my honest opinion, most organizations have poor eyesight; many are essentially blind. While they may have put together a list of top risks that they review periodically (slower than the speed of the vehicle or the business), they don’t have processes that provide reasonable assurance that:
- The right objectives and strategies are set, given the risks and opportunities ahead.
- The best decisions are made, both tactical and strategic, with sufficient knowledge and understanding of the relevant risks and opportunities ahead.
- Leadership understands, as they navigate towards success, the likelihood of achieving their objectives given the risks and opportunities in their path. They can act if that likelihood is less than desired.
- The most significant threats are addressed, and important opportunities are seized.
Poor eyesight and understanding of what is ahead is the greatest risk, in my honest opinion. In other words, poor risk management is a tremendous source of risk to the success of the organization.
Isn’t It the #1 Risk? But Where Are the Internal Auditors?
Are they assessing the effectiveness of risk management practices, including:
- Objective and strategy-setting?
- Strategic and tactical decision-making?
- Management and reporting of performance against objectives, especially the likelihood of achieving them?
- The management of significant risks and opportunities?
- Providing management and the board with that assessment, pointing out the extent of their corporate blindness?
- Helping management make the necessary investments and upgrades in risk management practices in time to stop the car?
This has been of great concern to me for a very long time. It’s why I wrote the best-selling World-Class Risk Management and other books, notably Risk Management for Success. If you don’t understand what effective risk management is, how can you assess it?
So, while my latest book is a novel (I enjoyed writing and hope you will enjoy reading Mystery on Earth: a novel of imagination), I encourage you to look at another one. I published How Do You Audit Enterprise Risk Management? earlier this year. It includes a lot of detailed guidance, not only on what effective risk management is, but on how to audit it.
Please have a look. Maybe you can be your organization’s eye doctor.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.