Thoughts on the integration of risk management

This article was written by Grant Purdy, Associate Director, for the March 2013 edition of Risk Post, the newsletter of the New Zealand Society for Risk Management.

In 2011 I wrote in Risk Post of the virtues of keeping risk management simple. However, I've seen few signs over the last 18 months that our profession is seeking to reduce complexity or is striving to make what it does more understandable and relevant to its customers.

As risk managers, we make a great fuss about the need to integrate the management of risk into a system of management and, in particular, into the processes of decision-making. Indeed, this is one of the principles of effective risk management given in AS/NZS ISO 31000. And yet the escalating proliferation of special terms and concepts that are said to be specific to risk and its management sends a different signal: that risk management is separate, distinct and different from other aspects of organisational management, with a private language understood only by specialists.

Of course, all people and organisations manage risk every day and all the time as a natural part of how they make decisions. Risk management is already 'integrated' into how we think before we decide to do something.

Some of us are naturally better at this than others but, if we become more systematic about it, we can all improve the quality and confidence of our decision-making and therefore enhance the chance that we will achieve our objectives. If 'integrating risk management' means anything, it must mean adopting ways to influence the processes that already exist - to enhance and improve them but not necessarily to replace them. It should not mean forcing something foreign and different onto the natural process of decision-making.

Unfortunately, it seems that many people approach 'integrating' or 'embedding' risk management by trying to impose generic risk management tools and processes (like the ubiquitous matrix!) onto people and processes where there is no obvious 'fit' or synergy. There seems to be a failure to understand that true integration requires the adaptation and alteration of risk management tools and processes to suit the needs of the decision makers and their existing approaches to decision-making. To do this well, a facilitator has to understand at a fundamental level how risk should be managed, so that he or she can tailor the basic process to suit the decisions and the decision maker without compromising its integrity.

We cannot easily achieve integration working from the outside in, by trying to force our general risk management tools and processes, unaltered, into existing processes. We have to work from the inside out by understanding how decisions are made. For example, we need to understand how the best managers and decision makers:

  • Prepare for decision-making by considering relevant sources of uncertainty and who they need to involve to ensure they are properly informed and assisted
  • Discover, understand and appreciate risks
  • Respond by taking actions; and then
  • Continually and periodically check to make sure that their decisions were the right ones and that they are still on course to achieve what they set out to do.

I’m not sure that this type of thinking is necessarily shared by all those who profess to lead our profession. When I read the documents they use to communicate with their members I see a very confused and contradictory picture. For example, when I read the latest version of a magazine published by one of the largest risk management professional bodies I find mentioned terms and concepts such as risk maturity, risk tone, risk focus, external risks, risk convictions, psychosocial risks, risk leaders, risk intelligence, risk appetite, risk culture, pervasive risk, ‘Resilience’ (apparently it's here to stay!) and the risk management training game. I’m confused by all this and I am sure those outside the profession will be baffled and will struggle to see how it aligns with their needs.

Such magazines and the terms used in them seem to me to suggest that our profession has forgotten its status and role: rather than serving its masters it is now preaching to them in an increasingly shrill manner using impenetrable language.

A recent article by Annette Mikes from Harvard Business School suggested that I think that risk management faces an 'existential crisis' which is 'like peeling an onion'. I'm not sure that that is wholly correct, or even that I fully understand the point she was making, but nevertheless my eyes certainly water whenever I read of how we have to work harder to make managers think more like we do.

The messages that simple is more beautiful and less is more seem to be lost on some of our colleagues. We seem to have forgotten that our role is to support those who make decisions and that means that we must frame our advice in the language our customers use and should only invoke concepts that they already understand in order to explain our advice.

We may now even have to consider shifting our focus away from the terms risk and risk management, as these have become so distorted and discredited through misuse and abuse. Maybe our role should simply be re-framed in terms of helping decision-makers understand and deal with the uncertainties they face in the pursuit of their objectives.

The ISO Committee TC 262 is about to start the formal review and revision of ISO 31000, and it seems vital that the revised standard does not add complexity to, or further compromise, the existing document. We need simple advice on how organisations and the people who work in them should deal with the uncertainty they face in pursuing their objectives. If it expresses the fundamentals correctly, in a way that is coherent and understandable, then there should be no need for further amplification, perturbation or the continual re-invention and embellishment we see now. Of course, if things were this clear and obvious some people might unfortunately find that they could no longer make money out of peddling this year's variant or revised paradigm and a three letter acronym!

It was the clear intention of those who sat on the original working group for ISO 31000 to keep things simple, understandable and generic. Perhaps because of a lack of clarity of purpose and the need to compromise to gain agreement, some aspects were fudged, as is often the case with complex committee-driven processes. With hindsight these fudges can be easily fixed, but only if all the nominating organisations represented on the committee share a common goal: to make things simpler and clearer.

The commercial and political interests at play in our profession may not let one simple set of advice emerge in the revised ISO 31000 as it seems that many people still want their variant of the truth or commercial interest endorsed in the standard. Unfortunately, clear + simple ≠ $.

Nevertheless, can I suggest that the readers of Risk Post make a fresh start to their practices at the beginning of this New Year? This should be based on a fundamental understanding of uncertainty and how to deal with it, as appreciated from our perspective, but framed and explained in terms of the way managers and executives make decisions, expressed from their perspective and in simple language.

Some final thoughts:

  1. If integration requires us to view risk management from the perspective of decision makers and their processes for making decisions, where does that leave the artifacts of our profession such as risk registers, risk treatment plans and risk assessment workshops?
  2. If our primary objective is the integration of risk management, how can risk have a separate culture? Surely there can be only one culture for an organisation?
  3. If humans already manage risk in some way as a natural part of deciding how to act, does our current approach really amount to un-integrating rather than integrating?