According to some risk management surveys, organizations are very often satisfied with their risk assessment and risk management methods. For example, a survey by the major consulting firm Deloitte in 2012 found that 72 percent of organizations rate themselves as “extremely effective” or “very effective” at managing risks (up slightly from 66 percent in 2010). In other words, a majority believe their risk management is working. But, as the quote by Feynman above tells us, we are easy to fool.

A harder question to answer is, “What is the evidence for the belief that it works?” For any firm that hasn't asked that question before, it should be an immediate priority. If the firm can't answer that question, then it has no reason to believe that efforts to manage risks are working or, for that matter, are even focusing on the right risks. The standard must be some objective measure that could be verified by other stakeholders in the organization or outside auditors.

Most (69 percent according to the HDR/KPMG survey) don't even attempt to measure whether risk management is working. Of those who say they do measure risk, most (63 percent) ...