Risk & Decision-Making

Key Takeaways
  • Risk Management Should Be Decision-Led: The most valuable risk discussions start with the decisions leaders are trying to make, not with static lists of risks.
  • Better Questions Matter More Than Better Scores: Moving beyond likelihood and impact scoring toward decision-focused questions produces more meaningful insight.
  • Uncertainty Needs Plain Language: Reframing “uncertainty” as what could happen or not happen makes risk discussions more accessible and actionable for managers.
  • Risk Is Taken Through Every Choice: Risk is not something that is periodically reviewed; it is taken or modified through every decision and every delay.
  • The Real Value of Risk Professionals Is Enabling Choices: Risk practitioners add the most value when they help leaders understand options, consequences, and trade-offs tied to objectives.
Deep Dive

In this article, Norman Marks reflects on a recent exchange sparked by Alex Sidorenko’s thinking on risk and decision-making, exploring where they strongly align and where a critical distinction emerges around the concept of uncertainty. While agreeing that risk management should move beyond static risk lists and toward enabling better decisions, Marks challenges how the term “uncertainty” is often understood and applied in practice. The result is a pragmatic reframing of risk conversations, one grounded in real managerial decision-making rather than abstract definitions or theoretical precision.

Risk, Uncertainty, & the Questions That Actually Improve Decisions

Alex Sidorenko is a good friend, and I highly recommend following him on LinkedIn and subscribing to his blog. We tend to agree on most things, but there is one word that sets us apart, and that word is “uncertainty”.

In a recent LinkedIn post, he wrote:

Most risk professionals ask: “What are our top risks?”
Better question: “What decision are we trying to make, and what uncertainties could change our choice?”
The difference? The first creates lists. The second creates insight.
Stop asking:
  1. “What’s the likelihood and impact?” (Forces false precision)
  2. “How do we manage this risk?” (Assumes you know what to do)
  3. “What’s our risk appetite?” (Abstract concept divorced from choices)
Start asking:
  1. “What range of outcomes could this produce?” (Embraces uncertainty)
  2. “Which option gives us the best chance of success given what we don’t know?” (Decision-focused)
  3. “What would have to be true for this choice to be wrong?” (Tests assumptions)
The quality of your risk management is directly proportional to the quality of your questions.

I agree wholeheartedly with Alex when he says we should be focusing risk management on enabling better decisions. The periodic review of a list of top risks is a low-value (sorry, traditionalists) activity. Risk is taken (a better expression than “accepted”) or modified with every decision that is taken or not taken.

I agree that risk practitioners should seek to understand what business decisions are being made, both tactical and strategic, and help management understand the related risks and opportunities.

But What Is “Uncertainty” and Why Consider It?

How do you think a typical business manager will answer the question, “what uncertainties could change our choice?” They will look befuddled. Maybe they will point out that nothing in this world is certain, except death and maybe taxes. They certainly won’t know what you are talking about unless they have been to a training class where the ISO 31000 definition of risk (the effect of uncertainty on objectives) is discussed and explained.

In this case, we are not talking about a lack of certainty. Increasing your certainty that something will happen doesn’t change its potential effects. It just increases your ability to understand and respond to it.

So let’s change the question to something that everybody will understand, “What could happen or not happen that would change your decision?” (Note that I modified the last word.)

I agree with Alex when he says:

The quality of your risk management is directly proportional to the quality of your questions.

So here are some questions I might ask a manager I am trying to help:

  • What are you trying to achieve? What are your objectives and which are the most important?
  • How serious is it if you don’t achieve them? What margin do you have?
  • What decisions do you have to make now or have to make soon? Which are more critical to your success, our achieving those objectives?
  • What is the current situation? Is it acceptable? What needs to be changed or addressed or not?
  • What might happen, both good and bad, that needs to be considered? Do you have sufficient information about it? If not, how can I help?
  • How will they change things? There’s usually a range of potential effects or outcomes. What’s the likelihood of them having an effect that means you should change your decision? Can I help you with that?
  • What are your options? Given all the things that might happen, their potential effects and the likelihoods of those effects, what is the best option? What can you change to improve the likelihood of success while avoiding unacceptable losses? Can I help you assess them?

Of course you should tailor your questions, and the way you ask them, to the person you are asking. What do you think?
