Risk Management is a hot topic. Risk managers are in great demand. Life is good.
Or so it seems.
Reality unfortunately intervenes.
The problem with risk management is that it exists at all as a separate role or department, never mind as a separate discipline.
Let us first agree on what we are talking about here.
The Casualty Actuarial Society (CAS) defines risk management as
… the discipline by which an organization in any industry assesses, controls,
exploits, finances, and monitors risks from all sources for the purpose of
increasing the organization’s short- and long-term value to its stakeholders.
and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as
…a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be
within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.
In reality, risk management is dealt with through a series of processes for identifying, classifying, and quantifying risks to organizational outcomes. This process-based approach has three unfortunate consequences:
first, it fundamentally translates into an accounting-based approach;
second, it leads to a controls- and rule-based compliance mentality, in which risks are managed in a mechanical manner;
third, this rule-based approach lulls organizations into a false sense of security: we have all bases covered, because the processes are in place to deal with the risks to the business.
Such a prescriptive "best practice" approach discourages debate and dialogue about risks.
Consequently, many viewpoints are missed and, quite certainly, so are many risks.
Current risk management practices assume one has complete information about risks: their nature, quality, likelihood of occurrence, and monetary damages. Percentage likelihoods are assigned, but this nevertheless creates a false sense of comfort, and risks are subsequently dealt with as if under complete information. This is a fallacy that organizations have paid for dearly and continue to pay for.
Furthermore, risk management practices largely assume events to be stand-alone and manageable in isolation. In reality, risks are always interconnected: a reduction in one can lead to an increase in another, or in many others.
The underlying belief in risk management as a function is inherently problematic, because human beings are incredibly bad at predicting events that could pose a risk to an organization, and incredibly bad at identifying risks per se. The underlying thought that risks to an organization's future should, where possible, be identified and mitigated is not problematic. The belief that this can be done with certainty, and its assignment to a separate function to identify and deal with it, however, is.
In order to achieve the objective of mitigating risks to the future of an organization, the management of these events has to be ingrained in good governance, better decision making, and a better understanding of the organization as a system. The creation of a new department does not achieve this.
Better decision making has three components. First, it is necessary to make people aware of how decisions are made: how experts make decisions, and how management has to mitigate the shortcomings of this kind of decision making. Second, it is necessary to make people aware that decisions in one part of the enterprise affect other parts, and to learn to assess and mitigate the impact of these decisions as much as possible. Third, it is important to understand that making decisions based on priorities is costly.
An organization is a system. That is old news. But the behaviour of systems is still badly understood, and even less often applied in management practice. An enterprise has to be managed as a whole. As Peter Senge so correctly expressed it, dividing an elephant in half does not produce two small elephants. Prioritizing means subdividing the system and giving undue attention to subsystems, and that is inherently risky and costly.
Beyond awareness of the above and acting on it, the one overwhelming component in making an enterprise more risk-resilient is making it more flexible.
Any modern enterprise needs to be able to react quickly to changing environments; it needs to question its very basis of existence routinely and be able to build on that.
Increasing an organization's ability to deal with a constantly changing reality is a management competency. Ensuring increasing quality of decision making is a management competency. In fact, risk awareness and management is ingrained as a management competency requirement, and is not the domain of an accountancy-led approach. It is ludicrous to believe that risks can be predicted, qualified, quantified, and assigned five years into the future; even six months would be a stretch.
A system capability assessment would be a far superior approach to assessing the preparedness of an enterprise vis-a-vis the impact of unforeseen events.
Good governance, informed decision making, widespread systems thinking and awareness, and conscious flexibility achieve more to safeguard and enable sustainable high performance in organizations than any currently fashionable risk management approach.