The last 20-25 years have seen a broad effort to transform the field of risk management into a science, one in which we see complex matrices with convoluted weightings, multiple parameters and rating mechanisms, quantitative and qualitative inherent and residual risk, where the rating and analysis thereof often transcends into advanced scenario planning, Monte Carlo Simulations and Bow-Tie risk treatment tools. We talk about impact and the severity thereof, likelihood and probability, contributing factors and root causes, consequences and outcomes, incidents and risk events, plot risks on heat maps, and execute estimation, validation and stress testing. There are multiple frameworks and methodologies (think COSO, ISO 31000, King IV, Public Sector Risk Management Framework, SOX, Basel, Solvency, BS 31100, FERMA, OCEG, and many more) that lay out the “right” way to perform risk management, but which often fall short of real, practical guidance. There are experts aplenty, and a growing academic community, providing incredibly valuable insight through research papers, thought-provoking articles and noteworthy presentations. A few strokes on your keyboard lay open a plethora of ideas, discussions, advice and recommendations, most of which are pretty robust and valuable to any risk practitioner.
But, in spite of this eat-all-you-like smorgasbord of beneficial information, there are still some companies out there who achieve immeasurable success without so much as a formalised risk register. In some of these cases there is a risk register, but it has only come about as a response to a regulatory requirement, and ends up being a static document without any real meaning or practical application. Why is this? Are we doing it all wrong? Should we be ripping up those risk registers with all their pretty colours, and just flying by the seat of our pants? Are the standards about as valuable as the paper they are printed out on? Should we give up on this risk management what-what, and rather take up woodwork? Well, I for one would certainly hope not, and not just because I’m terrible at woodwork. There are far too many success stories out there where a comprehensive yet practical risk management methodology has led to substantial gains, and added great value through a growing risk maturity, and an embedding of risk consideration into the decision-making processes of the business.
So what is the secret? Are there perhaps learnings we can take from an informal approach to the management of risks within an organization? It would be no surprise to find that a common thread throughout these companies (and which are, funnily enough, probably characteristics shared with the ones whose formalised approach to risk is working) is a decentralized management structure where employees are empowered to make decisions based on open lines of communication, regular and often no-holds-barred conversations and debates amongst management and staff, and an environment where wins and losses are analysed equally. There is often far more direct interaction between strategic decision makers, enabling the sharing of experiences, and the growth of a hive mentality in the achievement of objectives. This “one tribe many teams” style often engenders a co-operative drive towards the management of risks in achievement of the company’s objectives without the need for formalisation of the process. And time and again, the correct decisions are made, and where not, these lessons are absorbed into the corporate culture, and better decisions are made going forward. There is no discussion around a risk matrix, or the trending of key risk indicators. Often it is simply a case of frank, and sometimes ugly, discussions taking place where the right questions are asked of the right people at the right time. And if there is anything to learn, perhaps that is it right there.
I’m fortunate enough to interact with many different companies, in a multitude of industries, often with disparate approaches to risk assessment and the management of risk. But the most common challenge is not “what framework should I use?” The one I encounter the most is “how do I get the managers to buy into the risk management process?” And perhaps we need to ask ourselves whether throwing a scientific approach to risk management at them is the wrong way to go about it. Maybe we aren’t asking the right question, of the right person, at the right time, in the right way. Is asking a manager to execute a risk assessment taking into account the impact and the likelihood inherently and residually, with consideration made of the contributing factors (with root cause analysis) and key risk indicators when deciding on the most effective and efficient mitigation action plan to implement, all in line with the appetite and tolerance levels, just confusing them with parameters that make perfect sense to us, but come across as jargon to them? Is there more value in those water cooler conversations that tend to yield far more open and honest answers? Or in monthly “ask-me-anything” meetings where everybody gets to raise concerns, as well as put forward suggestions that are then followed up on, and have an impact on the performance of the organization as a whole?
How much collaboration do you experience between the various teams in your business when it comes to achieving the goals of the tribe? What can you do to stimulate and nurture this type of environment, or are you satisfied to remain within the realms of scientific measurement, where the numbers tell a story, and that’s all there is to it? As risk managers, the opportunity is yours to influence corporate culture at a level that can have a meaningful impact on the achievement of objectives. Don’t only rely on a widely used set of tools, just because the standards say so, or the industry recommends it. You also need to be inquisitive and hungry for knowledge, always interrogating to uncover the full picture, and providing a means to discover the answers. You have it within your hands to be a catalyst for change, even when it means being the one to ask the difficult questions.
“Ignorance is a temporary affliction, remedied only by asking the right questions”.
Colin Wright – Author of My Exile Lifestyle
Author – Paul van der Struys April 2018