Kantyra Kantyra

← Alle artikelen

Algemeen

Does risk management protect, or mainly reassure?

Alain Rees · 10-07-2026 · 7 min leestijd

There is one article every risk manager should have read once, if only to be annoyed by it. In 2009, Michael Power, professor at the London School of Economics, published an essay with the venomous title "The risk management of nothing". His proposition: in the middle of the financial crisis, modern risk management had failed to control risks because it had started doing something else, namely producing accountability. Whoever sells an ISMS or GRC platform, as I do, should not wave that criticism away but work through it. Because Power is right about the problem, and the research of the years since points quite precisely to where the line lies between risk management that protects and risk management that only reassures.

This article is one of the deep dives accompanying the model behind Kantyra and touches all four phases, because the question of whether the system works precedes every phase.

What did Power mean by the risk management of nothing?

Power's analysis has three layers. The first: risk management has in practice come to obey the logic of the audit trail. Not the question "do we understand this risk?" drives the work, but the question "can we show that we followed a process?". The second layer he had already described in 2004: organisations and professionals are increasingly occupied with what he calls secondary risk management, covering their own exposure to blame. The risk register then becomes a defence file: should things go wrong, we can prove we followed the process. The third layer is his critique of the concept of risk appetite, which in the boardroom has withered into a static document with percentages, while it should be a living organisational process. Terje Aven later dissected the concept formally and reached the same verdict: the definitions in the prevailing frameworks are ambiguous and mix up acceptance, willingness and goals.

Whoever has read the base article recognises institutional theory here. Meyer and Rowan described as early as 1977 how organisations adopt formal structures as ritual, to acquire legitimacy, and then decouple those structures from the real work. Power's risk management of nothing is that decoupling, applied to risk.

Do organisations with risk management demonstrably perform better?

You would expect this question to be amply answered after twenty years of enterprise risk management. That is disappointing, and that is itself a finding. Bromiley and colleagues concluded in their review of the management literature that the evidence is thin: researchers measure the presence of risk management with weak approximations, such as whether a Chief Risk Officer has been appointed, and the results on performance effects are mixed. The core assumptions of ERM, such as the idea that all of an organisation's risks can be added up and quantified, are according to them largely untested.

The studies that do exist draw a consistent pattern. Gordon, Loeb and Tseng found that risk management only correlates with better performance when its design fits the organisation: its environment, size, complexity and oversight. A generic design yields nothing. McShane and colleagues found among insurers that firm value increases with the quality of ordinary, professional risk management per domain, but that the step to the highest, holistic ERM level added no demonstrable extra value. And Aven showed in his review of the scientific foundations that probability-based risk descriptions structurally underestimate how important the strength of the underlying knowledge is, a point that also returned in the article on the risk matrix.

The sum is more nuanced than either the brochures or the cynics put it. Risk management that fits the organisation and is executed professionally correlates with better outcomes. Risk management as a generic edifice, erected for form's sake, shows no effect. The instrument is not empty; the ritual application is empty.

How do you recognise risk management that exists only on paper?

The recent literature, including the Dutch, makes the diagnosis concrete. Bart Heerma van Voss and Ira Helsloot, the latter professor of governance of safety at Radboud University, investigated why states systematically do too little about rare, disruptive risks. Their most painful example: almost all countries had a pandemic neatly listed in their risk assessments before 2020, and almost no country took the cheap precautions that followed from it. The risk had been assessed, registered and reported, and nothing happened. That is the ritual in its purest form: the analysis as endpoint instead of beginning. Arjen Boin of Leiden University pointed with Martin Lodge to a related problem: modern risks cut across sectors and borders, and a system that only guards its own register misses exactly the interconnectedness Power was aiming at.

The symptoms can thus be named. A register full of risks with no decision or control attached. A risk appetite untouched in four years. Assessments updated for the audit instead of after an incident. And most treacherous of all: a system in which nobody ever finds anything the executive board finds unwelcome. Van Asselt, then professor in Maastricht, and Renn summarised in their work on risk governance what is missing in that case: for uncertain and contested risks, the system is only worth something when it organises communication, involvement and clashing values, instead of calculating them away.

How do you do it right, then?

The research points to four characteristics that make the difference. First, fit: design the system to the measure of your organisation, not to the measure of the framework. Second, decisiveness: every risk in the register deserves a decision, namely treat, accept, transfer or avoid, with an owner and a deadline; a register without decisions is a defence file. Third, movement: the assessment changes when reality changes, so after incidents, exercises and shifts in the environment, and not only in the annual round. Fourth, contradiction: a healthy system regularly produces uncomfortable outcomes, and risk appetite is a conversation that returns to the board table, not an appendix.

For completeness: this is why Kantyra treats risks not as a list but as a junction. Every risk is linked to controls, tasks, incidents and review moments, so that it is visible whether anything happens with the judgement, and a serious incident automatically queues up the reassessment of the affected risk. Power's test, does this system produce understanding or only accountability, remains the right question to ask of your own setup. The honest consequence: even the finest platform cannot prevent the ritual, it can only make it visible.

What does this mean for your organisation?

If you take one thing from this article, let it be Power's distinction: producing accountability is not the same as controlling risks, and the second sometimes requires violating the logic of the first. Ask yourself three questions. Can you point to the most recent decision taken on each of your five biggest risks, with a date and an owner? Has your risk appetite been noticeable in a concrete decision in the past year, for example by deliberately not doing something? And when did your risk process last produce something that startled the board? Whoever says yes three times is doing risk management. Whoever says no three times is doing reassurance, and at least now knows where to start.

Accountability and sources

This article is a substantiated synthesis of existing scientific research and not independent, peer-reviewed research of its own. Where I interpret or explain, that interpretation is my own responsibility.

  1. Power, M. (2009). The risk management of nothing. Accounting, Organizations and Society, 34(6-7). https://doi.org/10.1016/j.aos.2009.06.001
  2. Power, M. (2004). The risk management of everything. The Journal of Risk Finance, 5(3). https://doi.org/10.1108/eb023001
  3. Power, M. (2007). Organized Uncertainty: Designing a World of Risk Management. Oxford University Press.
  4. Van Asselt, M.B.A. & Renn, O. (2011). Risk governance. Journal of Risk Research, 14(4). https://doi.org/10.1080/13669877.2011.553730
  5. Bromiley, P., McShane, M., Nair, A. & Rustambekov, E. (2015). Enterprise Risk Management: Review, Critique, and Research Directions. Long Range Planning, 48(4). https://doi.org/10.1016/j.lrp.2014.07.005
  6. Gordon, L.A., Loeb, M.P. & Tseng, C.-Y. (2009). Enterprise risk management and firm performance: A contingency perspective. Journal of Accounting and Public Policy, 28(4). https://doi.org/10.1016/j.jaccpubpol.2009.06.006
  7. McShane, M.K., Nair, A. & Rustambekov, E. (2011). Does Enterprise Risk Management Increase Firm Value? Journal of Accounting, Auditing & Finance, 26(4). https://doi.org/10.1177/0148558X11409160
  8. Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1). https://doi.org/10.1016/j.ejor.2015.12.023
  9. Aven, T. (2013). On the Meaning and Use of the Risk Appetite Concept. Risk Analysis, 33(3). https://doi.org/10.1111/j.1539-6924.2012.01887.x
  10. Meyer, J.W. & Rowan, B. (1977). Institutionalized Organizations: Formal Structure as Myth and Ceremony. American Journal of Sociology, 83(2). https://doi.org/10.1086/226550
  11. Boin, A. & Lodge, M. (2016). Designing Resilient Institutions for Transboundary Crisis Management: A Time for Public Administration. Public Administration, 94(2). https://doi.org/10.1111/padm.12264
  12. Heerma van Voss, B. & Helsloot, I. (2023). How states deal with long-term destabilizing risks. Journal of Risk Research, 26(10). https://doi.org/10.1080/13669877.2023.2259405
Zien hoe dit in Kantyra werkt?

In een demo van 30 minuten lopen we het model door aan de hand van jouw situatie.

Plan een demo

Meer in de fase Algemeen