Risk management in modern non-financial companies is very different compared to say 5 years ago. The level of risk management maturity, for lack of a better word, has grown significantly.
As more and more companies across the globe are looking to implement robust risk management, the demand for risk management consultants is also growing. Unfortunately, not all risk consultants are able to generate long term value for their clients, here are three reasons why:
A. Selling the wrong product
Non-financial companies want to buy and many risk consultants continue to sell risk assessments, risk management frameworks, risk appetite statements and risk profiles. What do all these products have in common? I am being intentionally provocative here, so I will say all these products are missing the point completely. One thing they have in common – they are designed to measure, capture or document risks, making us all believe that risks and their mitigation are the ultimate goals of the exercise.
Over the years this tendency to treat risk management as a separate, standalone (some go as far as say independent) process with its own inputs (data, interviews, experts) and outputs (risk reports, risk matrices, risk registers) created a whole community of risk consultants who seem to be missing the plot completely. Risk management is not really about dealing with risks, risk management is about helping companies achieve their objectives and make better decisions.
Ok, sometimes it may be useful to capture risks for the sake of risks and discuss them with the management team, but this should be more an exception than a norm.
So if risk management is not about risk assessments or risks, then what?
I believe, that risk management is ultimately about changing how companies make decisions and operate with risks in mind.
The two modern trends in risk management by far are: integration into business processes / decision making and human and cultural factors. Yet, it seems most of the modern risk consultants completely ignore both of them. For example:
- It is fundamentally wrong measuring risk level when instead you could measure the impact risks have on key objectives or business decisions usingbudget@risk, schedule@risk, profit@risk or KPI@risk.
- I believe any qualitative risk analysis based on expert opinions is evil. More on this here: https://www.linkedin.com/pulse/risk-management-used-science-became-art-now-its-just-sidorenko-crmp
- It is wrong to have a risk management framework document, when instead you can integrate risk management principles and procedures into operational policies and procedures, like budgeting, planning, procurement and so on. I bet this example upset quite a few of you.
- It is a mistake try and use single enterprisewide approach (sometimes referred to as ERM) to measure different risks. Different risks, different types of decisions and different business processes deserve unique risk methodologies, risk criteria and risk analysis tools.
Join the discussion in the G31000 group dedicated to ISO31000:2009https://www.linkedin.com/groups/1834592 to find out more about latest trends in risk management. As strange as it may sound, many risk consultants still have not read the ISO31000:2009 or are unaware of the changes happening to the most popular risk management standard in the world (officially translated and adopted in 65+ countries in the world and is currently being updated by 200+ experts from around the world).
Reality is, most risk management consultants sell completely wrong products. Management doesn’t care about risks, they care about making decisions that will hold in court, making money and meeting KPIs. No wonder why modern risk management is mainly lip service.
The funny thing is that corporate risk managers make exactly the same mistakes. They too need to show value from risk management and fail to do so by focusing on risks (their domain) instead of business processes or decisions (business domain).
B. Confusing risk management with compliance
Did you know that unlike many other ISO standards, the ISO31000:2009 is not intended for the purpose of certification? This was a conscious decision made by the people working on the standard at the time. It is a guidance document.
Risk management is just not black and white. For example, risk management is about integrating into decision making and business processes, but every organisation will find its unique way of doing so.
Many consultants make a huge mistake on insisting on a single version of the truth. Non-financial regulators or government agencies make even bigger mistake by taking guidelines and making them compulsory. Like COSO:ERM in the US, a bad document made obligatory for listed companies. Read more about the new COSO:ERM:https://www.linkedin.com/pulse/cosoerm-2017-review-alex-sidorenko-alexei-sidorenko-crmp
By far the best way to assess risk management effectiveness is by applying a risk management maturity model. Just keep in mind that most existing maturity models were created by consultants who miss the big picture, see point A.
C. Failing to see the intimate details
One of my good friends, Anna Korbut, few years ago said an interesting thing – “Risk management is a very intimate affair”. I liked this phrase, so I used it ever since. Risk management truly is intimate and unique. I have been working in risk management for over 13 years in 4 different countries, I have seen close to 300 risk management implementations and yet every single one was unique in some way.
Unfortunately, many consultants fail to dig deep enough to see how risk management is really implemented into organisational processes and into the overall culture of the organisation.
Risk management goes against human nature (see research by D.Kahnemann and A.Tversky), so most of the time risk managers use techniques that border line neuro-linguistic programming or building an internal intelligence network. Here are just two examples:
- I personally created a table tennis tournament in the company where I used to work to get an opportunity to meet all business units in informal settings and build rapport. This had a bigger positive impact than monthly executive risk committee meetings where all the same department heads were present.
- A colleague of mine created the whole operational planning procedure within the company to reinforce the need to discuss risks on a daily basis.
The key takeaway is – unless specifically asked most risk managers will never disclose how they really build risk management culture within the organisation or how they integrate risk analysis into the business. According to ISO31000:2009 risk management is coordinated activities to direct and control an organization with regard to risk. It consists of about a 1000 small things that risk managers do on a daily basis, most of which may not directly relate to risk. Yet it is those small things that build risk management culture within the organisation. Unfortunately most risk consultants are quick to jump to conclusions and do not bother to dig deep enough to see all the nuances.
Risk management in every company is unique, it is risk consultant’s job to figure out how it all comes together to build better risk-based organisation.
P.S. Remember, that if your consultant is showing signs of any of the above, it’s time to have an honest chat with him/her.
P.S.S. Please share your thoughts in the comments section below.
RISK-ACADEMY guides and templates:
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
Very good article. Indeed Risk is very volatile and means different things for different people or companies. Many Risk Consultants look at it with one solutions fits all.
Risk is clearly not just a quantitative gathering of stats and assumptions, one has to dig deeper to get the complete picture…Liked the article very much.
Alex,
A good article. I somewhat disagree with your point about a single enterprise-wide approach. I don’t completely disagree. My point is: Authority levels to accept risk should be enterprise wide, consequence tables should as well. We don’t loose safety finances. – we loose company finances, we don’t have safety fatalities we have company fatalities. As you pointed out, we should be looking at the impact of usingbudget@risk, schedule@risk, profit@risk or KPI@risk.
Where this gets difficult is when branches of the organisation don’t understand the impact of “their” risks upon the whole of the organisation and insist that something is catastrophic when it isn’t, or play down risks that may have an asymmetric impact upon the organisation. (The factory fire that impacted Nokia and Ericsson is a good example) This is where the organisation (at enterprise level) should be informing their business areas of how branches’ (local level) risks impact the rest of the organisation. This is a matter of putting consequences into perspective – not just locally, but across the enterprise and understanding the longer term impact.
Alex I totally agree as risk management should run in the organization’s veins. Awareness, education and culture are crucial elements that are to be mobilized to accomplish the integration of risk management. It might seem a painful / costly process but it’s necessary to achieve the required oragisation’s risk maturity.
Thank you
Good and valid perspective on risk management. So useful for aspiring risk consultants like me.
In a sense Risk Management must be a “built in” not a “bolted on”
Thanks for your insightful comments.
In my experience, the ongoing challenge of effectively managing risk is to actively take into account the human element.
As well as being the source of human error, the human element is ultimately the best control/barrier to prevent incidents from happening. Almost all the time, well informed, planned and communicated human decisions and human actions ARE SUCCESSFUL.
At the same time, risk management activities cannot just be a once and done thing. Nor can they be only annual, monthly, weekly or even a daily thing. To be most effective, in my experience, the management of risk must be actively applied prior to, during and after every decision and action everyone in the organization makes.
I have found that this can be achieved when risk assessment is “baked in” to the decision-making process at the individual level. Teaching, supporting and positively reinforcing the following four questions to be asked continually throughout the workday (and life!) can make this happen.
The questions are:
1. What am I about to do?
2. What can go wrong?
3. How bad could it be?
4. So what do I need to do about it?
This ongoing mindset trains every employee to be an effective risk manager, applying the human element to increase the chance of doing things right.
A further application of the human element to practical, active risk management is having a debriefing or “hot wash” at the end of every day, shift, or major activity.
We do it after emergency drills, why not every day?
Ask
What went right?
What went wrong?
How did you deal with it?
What did you learn?
What can the organization learn?
What can we change to be even better?
To make this effective, supervisors and managers need to be committed to listening, learning and positively acting on these “lessons learned” opportunities.
This also requires a consistently non-punative culture where individuals are encouraged to report discrepencies and errors, and not disciplined or otherwise “punished” for being human.