With Martin G. Moore

Episode #141

Mastering Risk: Improving every decision

Understanding risk, and being able to respond in a manner that’s both appropriate and proportional to the level of risk is a fundamental capability for leaders.

When we talk about judgement in leadership and decision making, a lot of it comes down to how well we can assess and respond to risk, given the uncertainty that faces us at any given point in time.

This episode brings the discipline of risk management to life, with a number of examples that take the mystery out of the subject. It will help you to implement a fit-for-purpose risk management approach that’s sure to enhance your decision-making.

Download the free accompanying PDF below 👇


Get yours delivered straight to your inbox by filling out the form below 👇

Please enable JavaScript in your browser to complete this form.


Episode #141 Mastering Risk: Improving every decision

One of the concepts that I mention all the time in passing, but I’ve never really delved into is the concept of risk. For leaders, understanding risk and being able to respond in a manner that’s both appropriate and proportional to the level of risk is a fundamental capability.

This may well be one of the least sexy topics I’ve ever taken on.  So, I’ve loaded this episode with examples to help keep you entertained. Ultimately, being comfortable with risk is a key differentiator that sorts out the dogs from the fleas (or I suppose the excellent leaders from the average leaders).

When we talk about judgement in leadership and decision-making, a lot of it comes down to how well we assess and respond to risk, given the uncertainty that faces us at any given point in time.

In this article, you’ll find:

  • A definition of what risk is

  • How to identify risks and determine how serious they actually are

  • Half a dozen principles of good risk management, which I’ve also prepared as a PDF for you to download here.

What is risk?

The dictionary definition is the “exposure to the possibility of loss”. But I like the Investopedia definition better. It describes risk as “the chance that the actual outcome of an investment will differ from the expected outcome.” Of course, this may include full or partial loss of the investment itself.

Let’s start with an example where we commonly talk about risk factors: health, and wellbeing. Now, smoking is a key health risk, and it’s very well understood. There’s been a massive body of research undertaken over many decades, so it’s not a mystery to us at all. It’s a very, very well understood risk, and there are some solid facts about this risk factor that we need to pay attention to.

For example, if you smoke, you are much more likely to die from lung cancer than if you don’t smoke. According to the CDC (the US Centre for Disease Control and Prevention), somewhere between 80 and 90% of lung cancer cases are the result of smoking tobacco.

Does this mean that you will definitely get lung cancer if you smoke? No, but research has shown that you’re 15 to 30 times more likely than a non-smoker to contract lung cancer. Clearly your actions can directly increase this risk and, as this increases, so too does the likelihood of an unsatisfactory outcome.

But the converse is also true. For example, if you have a clean diet, exercise regularly, and maintain a healthy body weight, you’re less likely to suffer from heart disease than the average person. But does this mean that healthy people never get heart disease? Well, of course not. But it does mean that the likelihood of them getting heart disease is lower.

As with all risks, your actions either enhance or diminish your likely long-term health outcomes. This is simply what we call risk management. What things do you choose to do to reduce your risk of adverse health outcomes and what risks are you prepared to take in the pursuit of a balanced life and an enjoyable existence?

As an aside, if we think of things like health behaviours and outcomes, in terms of risk, we begin to adopt a much more clinical way of looking at other people’s behaviours. This can be extremely useful for our own state of mind. If we think simply in terms of risk, it helps us to temper our judgmental nature because people’s  actions can ultimately be seen simply as either good or bad risk management. We don’t look down on people’s choices as much as we otherwise might.

There’s another expression I want to introduce here called risk tolerance. Some people are much more tolerant to risk than others in all sorts of ways. For example, a serial entrepreneur is likely to have a much higher risk tolerance than a government employee. The range of possible outcomes in terms of job security and remuneration are much greater. The certainty of the outcome is much lower for the entrepreneur. A government employee has a relatively high degree of job security compared to other industries and occupations. Their pay is generally very good. It’s solid without being stellar. An entrepreneur on the other hand has very little security because they’re creating something in the market that carries a high degree of risk.

We now start to see the link between risk and reward. The potential rewards for the entrepreneur are orders of magnitude higher than they are for the government employee, but on the downside, many entrepreneurs can easily lose the shirt off their backs. A government employee has much greater stability and security than the entrepreneur will ever have.

Another good example of risk tolerance is those who engage in extreme sports. If you choose to free solo climb, a sheer rock face, you’re more likely to die than if you’re watching that activity on the Discovery Channel from the safety of your own living room.

The climber has a much higher risk tolerance than the couch potato in the short term. But remember in the long-term being extraordinarily fit and active, like the free climber is, may provide a better long-term outcome than a sedentary person, who’s just watching their activity on TV (that’s of course, assuming they don’t fall to their death several hundred feet below in a terrible accident).

Let’s drill just a little more into the risk reward relationship. There’s a very firm relationship between risk and reward in business and in investing. If you put a lot of money into US Treasury Bonds, your money will be a hundred percent safe. It’s actually called a risk-free investment because the investment is underwritten by the US government. It’s guaranteed to protect your principle amount for the duration of the investment. Bearing this in mind, however, you won’t make a huge amount of money off a T-bill. The money is tied up for 20 plus years and pays out, maybe 1% to 1.5%.

Let’s compare this to a much riskier investment. If you were to buy shares in a startup company that has an innovative new artificial intelligence app for smartphones in the travel sector? Well, that’s a hell of a lot riskier, as I found out a number of years ago. That investment was never going to return a few percentage points of interest over the life of the investment. It was either going to make massive returns (like, an order of magnitude greater than my original investment), or it was going to totally crash and burn in a slow-motion train wreck.

I clearly remember the conversation I had with my wife, Kathy, before I decided to make the investment. I said to her, “Darling, this is not the type of investment that’s going to give us a 5% annuity for the next 20 years. We’re in startup territory and in this space, it’s all or nothing. If we’re not prepared to put that money on the table in front of us and set fire to it, then we shouldn’t go ahead with the investment; because that outcome is entirely possible. Well, turns out I was right… And I didn’t even get to warm myself on the embers as my cash went up in flames.

How do you determine risk as a leader?

Risk can and should be measured.

It’s a factor of two separate variables: likelihood and consequence. How likely is it that an adverse event or outcome will occur? If it does, what are the consequences to the organisation of that happening? This requires some careful planning, and it starts with a pretty straightforward question: “What could possibly go wrong?”. This basically just gives you the opportunity to brainstorm and to take an inventory of all the things that might impact the expected outcomes of any activity.

You can do this on a discrete basis for specific projects or initiatives, or you can apply it to the day-to-day operations of your business, as a whole.

Common areas of risk assessment to consider

Cash Flow Risk

What is the likelihood that we will have cash flow problems? And what are the consequences if we do? If you have plenty of available debt facilities, or plenty of cash at the bank to draw upon, you may have a sufficient buffer to ride through any cash flow difficulties.Even in cases where the likelihood of having problems might be high, the consequences could be quite low, and so it’s not a high risk.

In other cases where a business has little access to debt facilities, any cash flow problem could be fatal. The consequences in that case are catastrophic, and this would completely change our assessment of that risk. It would be severe.

Supply Chain Risk

Let’s say I’m relying on a supplier of critical parts in order to manufacture my own product. For example, a supplier of motherboards that are an essential component for a computer manufacturer. I need to make sure that that supply is protected if there’s limited supply in the market.

For example, there’s only one supplier of this component globally. My risk is extremely high. Why? Because if there are any problems with the supply chains that deliver that component, or if the company itself goes out of business, for any reason, that can be a catastrophic outcome for my business – I don’t have access to the critical parts I need to create my products. I have to find a way to somehow mitigate this risk.

To work out how significant a risk is means you have to be able to rate and combine the likelihood and consequence. It doesn’t have to be highly quantitative, although some organisations have a very prescriptive definition for levels of both likelihood and consequence. What we need to do with each risk is to rate its likelihood of occurring.

Let’s start with a simple five point scale that describes how likely it is to happen. On that five point scale, I’d start from the least likely to the most likely. So, number one, “rare”… number two, “possible”… level three might be “likely”… level four, “probable”, and level five, “almost certain”. That covers a range of likelihoods from really, really unlikely to happen, to almost certain to happen.

Then another simple five point scale that describes the consequence if it does. So one, the consequence might be “trivial”. And then at the top end of the scale, the consequence might be “catastrophic”. It might be failure of the business, and in between you could have “minor”, “material” and “significant”, just to graduate those a little bit more.

Once you’ve done this, you can map these on a simple two by two matrix, that combines the likelihood on one axis with the consequences on the other axis.

This is going to inform you about the overall severity of the risk itself. It also tells you which risks you might want to spend some resources to mitigate. If you’ve assessed a risk to have a likelihood of “rare” and a consequence of “trivial”, then you don’t want to spend any time on it at all.

If its likelihood is “probable” and its consequence is “significant”, you’ll want to take some proactive action to make sure that risk is mitigated in some way.


The objective of risk mitigation is to take actions in advance that will reduce the severity of the risk.

You can do this in two ways:

1) You can reduce either the likelihood or the consequence to a more acceptable level, which in turn reduces the overall risk rating. Let’s go back to our cash flow example. Cash Flow risks can be significant (as many failed business owners will tell you). They’re normally a big enough risk that it’s very much worth our while to put some proactive measures in place to mitigate the risk. We can reduce the likelihood of having a cashflow problem if we plan well, we have good processes in place for managing our debtors, and we negotiate more favourable payment terms with our suppliers and customers. That will reduce the likelihood of it happening.

2) We can also minimise the consequences of a cashflow shortage if it actually does happen by having negotiated financial facilities that we can draw upon in case of emergency.

If we look at our computer manufacturer supplier risk example, we can reduce the likelihood of having a supply chain problem if we have multiple suppliers based in multiple geographical locations to fulfil our overall demand, rather than just relying on a single supplier. If one goes under or has problems, our whole supply chain isn’t interrupted. We can also reduce the consequences of a supplier issue by perhaps holding a larger inventory of motherboards that will give us a month of manufacturing capacity if our supply chain experiences issues, while we solve that problem.

Risks and the mitigation activities that accompany them can be in many different categories. We have safety risk, operational risk, compliance risk, reputational risk, financial risk, and asset risk, and many others. We’ve really got to consider all the risk categories to do a holistic job of understanding our organisation’s position. Obviously knowing and understanding the risks your organisation faces gives you information that you can act upon to manage your business better. This is the nexus between mastering risk and making better decisions.

To manage risk well, you have to understand it profoundly… deeply.

Your challenge is to determine what the appropriate mitigation actions might be for any given risk, including doing nothing.

Now here’s a really important point. Mitigating risks costs money. To do so, you need to dedicate scarce resources (time, money, and people) to taking actions that reduce the level of a risk. That’s why it’s so important to recognise the relationship between risk & reward, and likelihood & consequence, and then to allocate the appropriate level of resources to any mitigation activities.

Theoretically, you could reduce a risk to almost zero, but I’ve not seen any cases in real life where this is actually warranted and practical. The cost of doing so would be absolutely prohibitive.

Let’s go back to our health example. You could reduce your controllable health risk, very close to zero, notwithstanding genetic factors, of course, by doing certain things. Let’s start with not driving a car. That’s a dangerous activity and it poses a significant risk of injury. You could choose to only eat fresh, naturally occurring and prepared foods. You could choose not to take any toxins in, in any form like nicotine, alcohol, caffeine, all gone. But then this produces another dilemma: the balance, and trade-offs that accompany every risk. We need to balance the management of our health risk with our need to live normally and enjoy our lives. Every individual has a different risk tolerance and will be either more on the side of cautiousness or recklessness when deciding how to strike this balance.

We’ve recently seen some really good examples of what happens when we try to reduce a risk to zero. Top of mind for me is the COVID-19 approach taken in Australia and New Zealand. Our governments have decided to pursue an elimination strategy for the virus.

On the upside, we’re living virtually virus free and relatively normally barring our inability to travel and the odd impromptu lockdown of state borders, which makes business pretty hard to plan out. But that’s really just a pain in the arse. It’s not a catastrophic outcome.

On the downside we’ve had to amass an incredible amount of debt while the government has provided financial support to keep impacted businesses and individuals from going under, and the economy ticking over.

That money doesn’t come from a magic well in the basement of Parliament House in Canberra: it comes from the people who pay taxes in these countries. I know that modern monetary theory says you can print as much money as you like in this low-inflation, low-interest-rate world, but at some point the music is going to stop.

How expensive has it been to run a zero-risk strategy for COVID? Well, we sort of don’t really know because we haven’t got the bill yet. We’re saving that for our kids – and the Piper will have to be paid at some point.

How to make better decisions through prudent risk management

#1 Protect value

Ensure that you look at every risk through the value lens. This is regardless of the risk category – compliance, safety reputation – all of these need a value assessment, not just the financial risks. The cost to mitigate a risk is equally important to understand, as is the impact of the risk itself materialising. Be selective, be targeted and be thorough. Make conscious decisions based on the circumstances you’re in and the knowledge of the severity of the risks and what they’re likely to cost you.

#2 Be systematic

Assess and formally track your key risks. It’s awesome if you can get a consistent framework across the organisation that lets you compare apples with apples, between your different divisions. It doesn’t have to be rigid, but it should be driven by credible data. It should be as quantifiable as you can possibly make it.

#3 Ensure that risk is central in decision-making

This is particularly important in investment analysis. I always found things like tornado charts really useful. If you haven’t seen these, these allow you to map each financial risk with an assessed outcome in terms of the negative or positive impact that will happen under various scenarios. For example, if the US dollar drops by 5%, this risk will reduce our net present value by $3.6m. But if it increases by 5%, it will increase our NPV by $2.1m.

These things are rarely linear, but it gives us the ability to assess a range of outcomes based on variance in assumptions and risk.

Having said that, decision-makers need to be able to explain this assessment verbally. Don’t just rely on a chart in a business case, because quite often they’re generated by analysts who don’t see the big picture. It’s really worth going back through Episode 126, which is “Selling Your Proposal”. It has a much better treatment of this stuff.

#4 Make it cultural

You need your organisation to think in terms of risk. Even when things go roughly to plan, they never come off exactly the way you initially expected. Just recognise and accept this: build it into your language. Always ask the “what if” questions? “What if this happens?”… “What if this doesn’t happen?”… “What haven’t we considered?”.

Your goal is to push for ‘excellence over perfection’. The level of excellence required in any activity depends entirely on the risk of the activity itself. Decision-making speed is critical, so don’t let risk weigh you down. Instead ensure that your understanding of risk supports and informs your decisions.

#5 Treat all elements of risk

We’ve spoken about some of these categories before. Reputation, safety, financial, people, regulatory, market. This takes a lot of breadth of thinking, and a lot of ability to understand context, to put all these pieces together and get a consistent frame for understanding your risk. That’s why senior executives get paid the dizzy dollars.

#6 Review your risks regularly

Risks change over time. All your major risks should be reviewed on some sort of formal cycle, but by exception only. You don’t want to have to go through them laboriously each time, because then that becomes monotonous, and no one pays attention.

For example, in my monthly executive strategy meetings, we used to have an action item to look at any major risks that we had and how they’d increased in the prior month. Each executive had to do an assessment pre-meeting of the ones they’re accountable for and to bring material changes to the executive table.

If you get used to looking through the value and risk lenses to everything you do, you find that you start to get more comfortable with your decisions, as there are a lot fewer unknowns in your world.

Methodical consideration of the risks we face stops us from doing the things that pose an unacceptable risk, without preventing us from doing the things that bring the personal and financial rewards that we are ultimately seeking.

Loved this episode?

  • Give us a review on Apple Podcast

  • Share this episode with a friend or colleague



Here’s how you can make a difference:

  • Subscribe to the No Bullsh!t Leadership podcast

  • Leave us a review on Apple Podcasts

  • Repost this episode to your social media

  • Share your favourite episodes with your leadership network

  • Tag us in your next post and use the hashtag #nobsleadership