Antoine Damelincourt

GRC Music, Risk management according to the Eagles

Blog Post created by Antoine Damelincourt Employee on Jan 25, 2016

With Glenn Frey’s passing last week, I was reminded of all the great songs he wrote for the Eagles. As I started going down a list of hits, something dawned on me: a lot of Eagles songs can be used as recommendations for an efficient risk management program. Here are a few examples:

 

Take it to the limit: Risk management is all about knowing what level of risk is acceptable. Risk is a by-product of innovation and production. You need to have some risk in order to achieve goals. The key is to know what the limit is, what the acceptable risk is, your risk appetite and tolerance, and not go beyond.

 

You are not alone: If you are a risk manager, you are not the only person responsible for managing risk in your organization. In fact, you could argue that every employee has a responsibility to manage risk. This is especially true when you look at the 3 lines of defense concept that outlines responsibilities for the 1st line of defense (Business Owners), the 2nd line of defense (Risk Managers) and the 3rd line of defense (internal auditors).

 

I can’t tell you why: But a Risk Manager should be able to. Whenever your company suffers a loss, you should be able to determine the underlying reasons for such a loss. Performing root cause analysis is crucial to avoid reproducing the same mistakes.

 

Life in the fast lane / The long run: There is a fundamental paradox with risk management. It’s a reactive discipline that deals with emergencies and crises as they arise, but it’s also a long-term program that relies on processes, planning, policies and tools to make dealing with the crisis easier. Solving that tension between the fast lane and the long run is not a small challenge.

 

Wasted time: Running a risk management program takes time. A self-assessment campaign, where you need to get inputs from business owners throughout your organization, is a big undertaking with a lot of low-added-value tasks. This process can be made easier and more time efficient by tools.

 

Lying eyes: I know the song is about kept women and cheating, but the idea that your eyes can not only betray you but also deceive you is relevant to risk management. Your eyes might be lying to you when assessing the likelihood and impact of a risk. Expert opinion is valuable, but so are hard data and analytics. Trust your eyes and your assessments, but back them up by cross-referencing losses, findings and controls to root your assessment in reality.

 

Take it easy: Risk Management programs generate a lot of noise and traffic. There are events, new risks, failing controls, new findings on a weekly if not daily basis. It’s easy to get lost and feel overwhelmed without some kind of filter to sift through all the information and focus on what is relevant. Take it easy on the small stuff so that you can devote your resources to what is an actual threat.

 

Peaceful easy feeling: What you should ultimately feel: not that nothing wrong is going to happen, but confidence that you have the processes and tools in place to deal with what will happen when it does.

 

Now, even if I tried really hard, I wouldn’t be able to explain how Hotel California relates to Risk Management; it has more of a Business Continuity Management feel to it, I’d say.
