This article by Grant Purdy, Associate Director, was published in the March 2014 of Risk Management Professional.
The principle of Occam’s Razor is that if there are two equally likely solutions to a problem, we should then choose the simplest. This article suggests that to be effective we should only describe the process for managing risk in terms of the way people make decisions, and interpret the ‘framework’ for managing risk in terms of the common elements of an organisation’s system of management.
When we decide what to do, and how and when we should act, we can never be sure that we will be successful. Even if what we want to happen does happen, it is only later that we find out if the decision we made was the best one in terms of enabling us to achieve our personal goals and objectives.
We all face personal and external factors and influences that make it uncertain whether, when, and the extent to which, we will achieve or exceed our goals and objectives. Often, it is our biases and sense of infallibility which leads us to make the wrong decision, to fail to act to deal with the sources of uncertainty that threaten our objectives or to seize the opportunities presented by others.
The effect of uncertainty on our objectives is what we call risk.
We all manage risk, every day and all day, as we make decisions. Mostly, this is intuitive and we cannot prevent ourselves from doing it every time we decide how to act. That is not to say that we cannot improve the way we manage risk to ensure that our decisions are more reliable and that we increase the certainty that we will achieve our goals and objectives.
When it comes to organisations, the way people who work for them understand and deal with risk links directly to their actual and perceived success. Decisions have to be made that always support and facilitate the achievement of the organisation’s objectives and this requires approaches that encourage more consistent and coherent decisions.
ISO 31000 emphasises the close association between the process for managing risk and those used for making decisions – at all levels and for all aspects of an organisation. The clear (and correct) impression is given that risk management is only the means to an end and not the end itself: its sole purpose is to support decisions, that lead to the creation of value, however this is measured.
In this way the international standard is different from many other codes that portray risk management as a separate, periodic and self-justifying process that generates reports about risks.
While some other guides mention that the ‘integration’ of risk management into decision-making is necessary for it to become effective, the manner in which they describe the management of risk and their preoccupation with risk-specific artefacts and outputs mitigates against that.
What integration really means
Because managing risk is already a natural part of how people make decisions, risk management is already ‘integrated’. This is so much so that we might not be aware that it is going on, - even before consultants and risk management specialists start thinking about how they might go about achieving that state of grace. Indeed it seems that many of the steps that are often recommended to ‘implement’ risk management in an organisation seem directed at ‘isolating’ it from where it naturally sits or, worse still, imposing a parallel, alien and competing way of thinking about the effect of uncertainty on the organisation’s objectives.
Integrating risk management' must mean adopting ways to influence the processes that already exist - to enhance and improve them but not necessarily to replace them. It should not mean forcing something foreign and different into the natural process of decision-making - processes that have often evolved to be efficient and effective within the context in which they operate.
Unfortunately, it seems that many people approach 'integrating' or 'embedding' risk management by trying to impose generic risk management tools and processes (like the ubiquitous matrix) onto people and processes where there is no obvious 'fit' or synergy. True integration requires the adaptation and alteration of risk management tools and processes to suit the needs of the decision makers and their existing approaches to decision-making rather than the other way around.
We cannot easily achieve integration working from the outside in; by trying to force general risk management tools and processes into existing processes, unaltered. We have to work from the inside out by understanding how decisions are made. For example, we need to understand how the good managers and decision makers in the organisation:
- Prepare for decision-making by considering relevant sources of uncertainty and who they need to involve to ensure they are properly informed and assisted
- Discover, understand and appreciate risks
- Respond by taking actions
- Continually and periodically check to make sure that their decisions were the right ones and that they are still on course to achieve what they set out to do.
Points 1 to 4 above are, of course, the intentions behind the well-known steps of the ISO 31000 risk management process.
The terms risk and risk management have become so distorted and discredited through misuse and attempts to impose a ‘one size fits all’ approach so that if an organisation is serious about integration it will even need to move away from using them. Indeed, true integration must mean that artefacts such as risk management plans, risk registers, risk treatment plans and risk assessment workshops will have to be absorbed into decision making processes to the point where they cease to exist as separate risk-specific items.
Proper integration is not assisted by the continual adoption of new terms and concepts such as those that are regularly invented and promoted by those who seek to embellish and complicate the process. Recent examples of such terms and concepts include risk maturity, risk tone, risk intelligence, risk clock speed, risk appetite and risk appetite statements. Each new addition that does not satisfy a real need or fill a manifest gap in the existing way of thinking about risk and its management fosters the notion that managing risk is something separate and different from our normal processes for running organisation and making decisions. It should not be: anything that creates, sustains or reinforces that apparent separation does a disservice to those upon whom it is imposed.
In particular, if our primary objective is the integration of risk management, one aspect of management cannot have a separate culture from the rest: there can be only one culture for an organisation.
One approach to encouraging integration is to consider how the people in an organisation draw on different sources of information when faced with making a decision. This can be by:
- Drawing on an appreciation of the causes of outcomes from previous and past events – whether these are considered successes or failures. This can be described as hindsight
- Forming an assessment of present conditions and, in particular the effectiveness of those things the organization relies on to enable it to achieve its objectives – its controls. This can be called insight
- Challenging the proposed actions and anticipating what might happen in the future and what that might lead to in terms of the effect on the organisation’s objectives. This can be called foresight.
This paradigm is depicted in the figure below that shows a typical process for making decisions, the steps and inputs before action is taken and what should happen afterwards. While this diagram contains all the ingredients of the risk management process in ISO 31000, it is reframed in terms of the way humans and organisations go about making decisions, demonstrating the strong parallel between the two viewpoints.
The framework for managing risk
It should be recognised that this framework, like the process for managing risk itself, already exists in all organisations from the moment they are formed. This means that talking of ‘developing’ or ‘implementing’ risk management is really inappropriate and unhelpful. Rather, whatever we do to improve risk management is enhancing and adapting what is already present in some form and to some degree.
The purpose of a framework is simply to ensure that risk is effectively managed, throughout the organisation as a natural and integral part of decision-making. It therefore has two purposes:
- To clearly express the organisation’s intentions for managing risk in terms of what needs to take place, where, when and by what means
- To provide and maintain the capacity within the organisation to satisfy those intentions.
Element 1 demands more than a written document that instructs employees what to do and how to think. In practice, organisations and their people respond to a wide range of internal signals and other stimuli. Some of these, such as formal policies and plans, are explicit, others, such as the organisation’s general culture and brand, are implicit. Both can be equally powerful in influencing and directing the way that people in an organisation behave and perform but each can undermine the other if they are not fully aligned. In fact, the implicit stimuli are usually more powerful and deeply embedded and are always harder to change. In practice they often override the explicit stimuli.
The approach taken to build capacity to manage risk in line with the organisation’s intentions needs great care to avoid wasting effort and fruitless expenditure. Unfortunately, however, this is fertile ground for service and software offerings motivated by commercial gain rather than by a desire to help an organisation build lasting capability.
Risk management is no ‘silver bullet’ that, on its own, can rectify deficiencies or gaps in general management practices. For example, if the organisation does not already have an effective means to measure and motivate improvements in performance, using KPIs for risk management is unlikely to prove effective. Similarly, if the process for strategic or business planning is ineffective and unreliable, conducting risk assessments as part of that process will probably only generate a false sense of security about the veracity of the resulting plans.
The figure below shows the typical elements we would expect to find within a framework designed to ensure that the effect of uncertainty on objectives is properly considered as part of making decisions. As with the process for decision-making, the elements of the framework and their constituents are those that a well run organisation would already possess. While it would be possible to insert ‘risk’ or ‘risk management’ in front of every term, these should not be specific and restricted to risk as this defeats the goal of integration.
For example, training should not be risk management training but rather the training offered should include the process for the management of risk as an integral part of decision making. Similarly, the organisation’s policies, approaches and plans should not deal specifically and separately with risk and its management.
Organisations and the people who work in them need simple, practical advice on how they should deal with the uncertainty they face in pursuing their objectives. If the international standard and any future revision continue to express the fundamentals correctly, in a way that is coherent and understandable, then there should be no need for further amplification, perturbation or the continual re-invention and embellishment we see now in the risk management market.
Risk management should only ever be a servant of the organisation, whose role is to help it achieve its objectives by supporting reliable and coherent decision making that is fully cognisant of sources of uncertainty and how these should be dealt with. The risk management process does not make decisions, people do.
Organisations wishing to improve the integrity of their decisions should build upon their existing systems and processes, adapting them in the manner suggested here so that the risk management process becomes fully and appropriately absorbed.