Grant Purdy, Roger Estall: How the ‘risk management’ drivers interacted

Grant Purdy and Roger Estall have recently published a book on decision-making called Deciding. Written to help decision makers (they call them Deciders) to make ‘even better decisions’, it goes directly to the two big challenges for every Decider: ensuring that each decision will contribute to (rather than detract from) achieving the purpose of their organisation, and being sufficiently certain that the outcomes that result from the decision are those they intend.

Encouraged, perhaps, by self-interest on the part of ‘risk management’ advocates and suppliers of related services, the earlier mentioned four drivers had the effect of turbocharging and elevating the perceived importance and apparent validity of ‘risk management’ belief systems and their adoption by some, but by no means all, organisations.

Those who made a living from ‘risk management’, either as consultants or in-house specialists, naturally promoted the notion (or in reality, fiction) of a link between sound governance and their ‘risk management’ belief system. Regulators who had responsibility for ensuring socially acceptable outcomes bought into this notion as a means of fulfilling their responsibilities, or at least appearing to do so.

For both regulators and consultants, the idea of codifying ‘risk management’ (for example in published standards or codes of practice) was appealing on several fronts. Such ‘standards’ were (wrongly) seen as giving substance and authority to what otherwise was just a belief system, unsupported by academic research or proof.

For the consultant, the standards became in effect both a text-book from which to extract a living and, potentially, a defence against any liability for professional negligence for the advice they provided.

A standard or code published by an apparently reputable body (such as a national or international standards-making organisation) was something which a regulator could also adopt or cite in their legislative instruments, as it carried the appearance of authority, independence and integrity. Such references avoided political accountability for the detail, and any subsequently discovered weaknesses could be attributed to the standard rather than the regulator.

It was for these reasons that the technical committees that developed these standards typically came to have a high degree of participation by ‘risk management’ consultants and regulatory types rather than by representatives of organisations concerned with making real world decisions and managing their organisations.

The assumption was that only the ‘experts’ understood ‘risk management’. However, the fatal flaw with that assumption, reasonable as it might have seemed, was that while they may have believed they understood their answer, few understood the question!

A further effect that turbocharged the above interactions (i.e., between aspirations for good governance, codification and consultants) was the emergence of ‘risk management’ compliance obligations. These created imperatives for organisations to seek ‘expert’ guidance, either to avoid penalties for non-compliance or to remediate shortcomings.

This was perfect for the ‘risk management’ consulting sector and further explains their dominant role in the creation and perpetration of the ‘risk management’ edifice.

The desire of some for evidence of ‘compliance’ led to a further development whereby, with often vociferous encouragement from the consulting sector, some of these standards were configured as what ISO calls ‘management system standards’ (known as ‘shall’ standards, as distinct from mere ‘guidance’ or ‘should’ standards).

Management system standards often require compliance with the standard to be independently certified by third party consultants (a service also provided by some national standards bodies) and hence are written in a way that necessitates this. This created further opportunities for consultants to fulfil that role, not just once, but repeatedly, to meet periodic re-certification obligations!

So: more consulting work preparing for certification; more work certifying; and more work helping with remedial actions where the client fell short. While not a virtuous circle, certainly a lucrative one!
