3 fatal mistakes corporate risk managers still make (part 1)

A while back I wrote an article about 3 fatal mistakes risk consultants make: https://riskacademy.wordpress.com/2017/01/14/3-fatal-mistakes-most-risk-consultants-make. It made quite an impact and was republished in Australia, Canada, Singapore and Europe with tens of thousands of views. I feel it’s only fair to write a follow-up article about 3 more mistakes that risk managers themselves make.

If you remember, in the previous article I warned that it might upset some conservative risk managers. Well… this one you are going to straight up hate. Truth is never easy to swallow, but it is so rewarding in the long term, so persevere and read to the end. However, if you are lazy and can’t be bothered to read, just watch the video: https://www.youtube.com/watch?v=WKeCDWcmu-w

I have been in corporate risk management for over 14 years. This is by no means a record or even mildly impressive; it is merely long enough to notice some trends. Just like many others, I like soul searching, finding new ways to integrate risk into what is important for business, trying different tricks to improve culture and dropping risk analysis tools that simply don’t work.

The last 3-4 years really have been quite amazing in terms of the shift in thinking we are experiencing in corporate risk management. A new paradigm is beginning to appear and take shape with more and more people writing about risk-based decision making and culture. Somewhat ironically this shift has also uncovered some ugly truths. I have tried to summarize them in 3 buckets:

A.    Solving the wrong problem

By far the biggest mistake many corporate risk managers make is trying to solve the wrong problem. Despite so much useful information published by @Norman Marks, @David Hillson, @Doug Hubbard, @Warren Black and others, many still believe risk management is actually about managing risks. It is not.

The irony is so steep. What? Risk management is not about managing risks? But it’s in the name! Well, in my opinion, whoever coined the phrase “risk management” made a huge mistake.

On a number of occasions I even proposed to ISO TC 262 to make the change in the upcoming version of ISO 31000, not surprisingly, without much luck. That was a fun exercise, let me tell you. Some people are so precious about their risk management, it felt like Lord of the Rings.

Luckily, the house of cards falls apart very quickly when corporate risk managers try selling better management of risks to executives and other employees. If you are being honest with yourself, you too have probably experienced something similar. No one in the organization, except the risk manager, cares about risks or their effective management. Risks are not on their agenda. Risks don’t excite people in the office. So what do executives care about? Meeting objectives, avoiding personal prosecution and making money for the company, but most importantly making money for themselves. Yet risk managers continue speaking an alien language that the business doesn’t understand and doesn’t really care about.

I think it is about time we stopped treating risk management as an objective in itself. It is just another decision-making tool. And an amazing tool at that.

The very second risk managers begin telling executives how they can help them better manage risks, they have lost. They have lost credibility, interest and attention. This is, for example, why I so passionately dislike the latest COSO ERM draft and all the talk about things like risk velocity and risk visualization. It’s all about better managing risks. Risks. Facepalm.

Risk managers need to urgently change their internal sales pitch. So if not about managing risks, then what?

Risk management is about making better business decisions with risks in mind, helping business run better with risks in mind and helping people do whatever they do with appropriate consideration for uncertainty. Because taking uncertainty into account is not natural for human beings.

Don’t talk to the CFO about better managing financial risks; instead help him improve budgeting and forecasting, help build a better business case for the investors and regulators, help him save on insurance or refinancing. Here are just some of the ideas to move from risk management to risk-based decision making:

  • Change how the strategy is articulated to give proper consideration to the risks. Replace all basic scenarios with proper simulations and risk analysis. Challenge management assumptions that underpin the strategy. Join this free webinar if you want to know how: https://events.genndi.com/register/169105139238458453/8ce93b6ccc
  • Change how performance is measured and budgets are allocated to account for risk.
  • Change how investment decisions are made with risks in mind. Change the methodology for calculating NPV, FV or IRR to account for risks, not just using an arbitrary discount rate, which barely covers country and industry risk. More about this in another free webinar: https://events.genndi.com/register/169105139238458453/c43d1822cf
  • Change how internal projects are budgeted and implemented to make sure risks are actively considered not once a quarter but at every decision point.
  • Change existing policies and procedures to account for risks instead of creating a separate risk management framework document.
  • Stop wasting your and management’s time on quarterly risk assessments.


To be continued in part 2…


