There are many well used, almost clichéd phrases in the English language that contain powerful messages for the risk manager. Some that come to mind include:

Every cloud has a silver lining: If we suffer a risk incident, we can usually find value, especially if we manage the incident really well and learn from our past mistakes.

What doesn’t kill you makes you stronger: Failure is good, as long as we fail within our risk appetite, fail fast, fail with minimal damage and most importantly, learn from our failures. This will only make us stronger in the long term.

And my favourite…

Prevention is better than cure: It is better to practice proactive, preventive risk management rather than reactive firefighting risk management. 

I am currently working in Istanbul and on arriving in mid-July, there are many Turkish flags flying around the city to mark the one-year anniversary of the attempted coup that was successfully quashed. 15 July 2016 saw short but violent and disruptive civil unrest which caused disruption to the workings of the city and the people and organisations that operate here. One year later and it is evident that there is a renewed focus on business continuity and disaster recovery planning in the wake of those experiences. This reflects the first two clichés and should end up making businesses in Turkey more resilient. However, it does bring “prevention is better than cure” into focus in that if we were practicing good preventive risk management, we should already be ready for incidents that arise.

Often in risk management, we need a major event to wake us up and to get our house in order. This arises from a common human trait of not adequately assessing or managing risk until it happens to us. A favourite Australian saying, “she’ll be right”, is often used when we want to do something and someone mentions a risk and we downplay it and go ahead with the activity anyway.

These incidents we suffer can have value, as implied by the first two phrases “Every cloud has a silver lining” and “What doesn’t kill us makes us stronger”. However, I think if we practice excellent risk management, the last phrase is the most powerful: “Prevention is better than cure”.

If we can understand the risk BEFORE we suffer an incident and we manage that risk early on to prevent it from happening in the first place, this must be better than waiting for an incident before we act and learn.

If we are to move our risk management practices to be proactive, we need to:

  1. Understand the lifecycle of our risks very well, especially their root causes and early drivers. The use of Bow Tie analysis can be very useful here.

  2. Understand the different types of control that can be used to manage the risk (Preventive, Detective and Reactive), and that Preventive is better than Detective, which is better than Reactive. We can then assess whether we have an optimal set of controls for each risk. Read: Integrated Controls Assurance – Maximum Assurance, Minimum Effort

  3. Have a risk management framework that focusses on early management of risk. This will include Risk and Control Self-Assessment, Stress Testing and most importantly leading Key Risk Indicators.

If we practice this early understanding of, and intervention in, our key risks, could we get to a stage where incidents do not happen anymore? Maybe we will not eliminate all incidents but I believe we can substantially reduce the number and size of incidents that many businesses are experiencing by being much more proactive than we currently are.

If we can achieve this, we do not need to experience “clouds” and “things that nearly kill us” in order to harness learnings and value. We can be smarter and prevent the things before we need to cure them.
