Grant Purdy, Roger Estall: Shedding the ‘risk management’ millstone

Grant Purdy and Roger Estall have recently published a book on decision-making called Deciding. Written to help decision makers (they call them Deciders) make ‘even better decisions’, it goes directly to the two big challenges for every Decider – ensuring that each decision will contribute to (rather than detract from) achieving the purpose of their organisation, and being sufficiently certain that the outcomes that result from the decision are those they intend.

If ‘risk management’ isn’t helping Deciders to consistently and competently apply the universal decision-making method, then for those organisations that are on the ‘risk management’ path, it makes sense to simply shed that millstone and focus on consistently achieving sound decision-making. But how to do that, especially if there has been substantial financial, cultural and emotional investment in the ‘risk management’ edifices?

Irrespective of how far the adoption of ‘risk management’ has proceeded, the following generic steps can be used to dismantle the ‘risk management’ edifice, although each organisation will have to have regard to its own particulars:


1. Make the decision in principle to discontinue application of ‘risk management’.
2. Prepare an inventory of all aspects of the organisation’s ‘risk management’ architecture.
3. Identify any direct connections between elements of the inventory and other aspects of the organisation’s management and governance activity (for example, monthly reporting, recruitment, delegations, strategic and operational approval procedures, audit activity, compliance obligations).


4. From 2. and 3. above, apply the universal method to tentatively identify the specific actions needed to eliminate each aspect of ‘risk management’ architecture (which, particularly in large organisations, could include dis-establishment of positions, albeit with associated HR implications) and a tentative timeline and success measures. The monitoring arrangements incorporated in this plan should allow progress to be tracked, variances identified and unforeseen issues to be resolved.

Communication and consultation

5. Develop a succinct explanation of the purpose and scope of the changes for use in internal and external communication.
6. Using the output from Step 5, consult those likely to be affected by various aspects of the changes. This will include both individuals within the organisation and internal functions such as IT and Human Resources support and, if ‘risk management’ activity is needed to satisfy compliance obligations, the relevant agencies or parties.

Refinement and execution

7. After considering feedback from Step 6, finalise Steps 2, 3 and 4 and obtain any approvals that may be required (e.g., approval of the Board to amend policies, or regulatory agencies to obtain acceptance of the changes).
8. Communicate the implementation plan to internal and external stakeholders and conduct briefing and training for members of the governance structure (e.g. directors) and management.
9. Monitor progress against success measures and against any changes in context over the period of implementation.
