How to manage risk more effectively — make it part of how you manage
This thought piece by Grant Purdy was requested by IFAC, the International Federation of Accountants for their Global Knowledge Gateway. The article is published here
We all manage risk, every day and all day, as we make decisions. Mostly, this is intuitive and we cannot prevent ourselves from doing it every time we decide what to do and how to act. That is not to say that we cannot improve the way we manage risk to ensure that our decisions are more reliable and that we increase the certainty that we will achieve our goals and objectives.
When it comes to organizations, the way people who work for them understand and deal with risk links directly to their actual and perceived success. Decisions have to be made that support and facilitate the achievement of the organization’s objectives, and this requires approaches that encourage more consistent and coherent decisions.
Because managing risk is already a natural part of how people make decisions and execute them, risk management is already 'integrated'. To the extent that we might not be aware that it is going on — even before consultants and risk management specialists start thinking about how they might go about achieving that state of grace. Indeed, it seems that many of the steps that are often recommended to implement risk management in an organization seem directed at isolating it from where it naturally sits or, worse still, imposing a parallel, alien, and competing way of thinking about and acting on the effect of uncertainty on the organization’s objectives.
Integrating risk management should mean adopting ways to influence the processes that already exist — to enhance and improve them but not necessarily replace or increase them. It should not mean forcing something foreign and different into the natural process of decision making — processes that have often evolved to be efficient and effective within the context in which they operate.
Unfortunately, it seems that many people approach integrating or embedding risk management by trying to impose generic risk management tools and processes (like the ubiquitous risk matrix) onto people and processes where there is no obvious fit or synergy. True integration requires the adaptation and alteration of risk management tools and processes to suit the needs of the decision makers and their existing approaches to decision making rather than the other way around.
Proper integration is not assisted by the continual adoption of new terms and concepts, such as those that are regularly invented and promoted by those who seek to embellish and complicate the risk management process. Recent examples of such terms and concepts include risk maturity, risk tone, risk intelligence, risk clock speed, risk appetite, and risk appetite statements. Each new addition that does not satisfy a real need or fill a manifest gap in the existing way of thinking about risk and its management fosters the notion that managing risk is something separate and different from our normal processes for running organizations. It should not be. Anything that creates, sustains, or reinforces that apparent separation does a disservice to those upon whom it is imposed.
We cannot easily achieve integration working from the outside in by trying to force general risk management tools and processes into existing processes, unaltered. Instead, we have to work from the inside out by understanding how decisions are made and subsequently implemented.
For example, we need to understand how the good managers and decision makers in the organisation:
- Prepare for decision-making by considering relevant sources of uncertainty and who they need to involve to ensure they are properly informed and assisted
- Discover, understand, and appreciate risks
- Respond by taking actions, and then
- Continually and periodically check progress to make sure that their decisions were the right ones and that they are still on course to achieve what they set out to do.
Points 1-4 above are, of course, the intentions behind the well-known steps of the process in ISO 31000: 2009, Risk Management – Principles and guidelines.
One approach to encouraging this integration is to consider how the people in an organization draw on different sources of information when faced with making a decision. This can be done by:
- Drawing on an appreciation of the causes of outcomes from previous and past events—whether these are considered successes or failures (this can be described as hindsight)
- Forming an assessment of present conditions and, in particular, the effectiveness of those things the organization relies on to enable it to achieve its objectives—its controls (this can be described as insight)
- Challenging the proposed actions and anticipating what might happen in the future and what that might lead to in terms of the effect on the organization’s objectives (this can be called foresight).
Risk management should only ever be a servant of the organization with the role of helping it achieve its objectives by supporting consistent and coherent decision making that is fully cognizant of sources of uncertainty and how these should be dealt with. The risk management process does not make decisions, people do.
Organizations wishing to improve their decisions should build upon their existing systems and processes, adapting them in the manner suggested here, so that the risk management process becomes fully and appropriately absorbed.