Having worked with many clients over the years implementing, maintaining and developing their risk management systems, you learn what works and, on the other hand, what does not.
The following are my top 10 KEYS to success – get these right and you will have a risk management function that is seen as being as critical as any other management function in the value it adds.
With any developing discipline, there is a tendency to invent new words and use big words that sound smart but no one understands. Risk management is no exception with a myriad of fancy words and acronyms.
This can be a major impediment to organisation-wide understanding and engagement – a sure recipe for failure.
Keep the language around risk simple and real. Consider the language that is relevant for your audience and use it. Which language will they best understand and relate to? What words “switch them off”? The simple words “risk” and “risk management” can put some people on the defensive. A challenge for you is to carry out a risk assessment and never use the word “risk” – and yes, it can be done!
Following from the above, we can get bogged down in too much detail. Risk can be complex; it is many and varied, but if you try to manage all of it you will not manage any of it effectively.
Pareto analysis, better known as the 80:20 rule, is crucial in risk management. It is better to manage your top 20% of risks well than to manage all of them poorly.
The same applies to complexity. If we insist on being technically correct in risk, we will often lose our audience. It is better to compromise technical correctness for ease of understanding.
Humans respond to incentives. Do not force risk management and compliance onto the business because you “have to”. Look for the value add, or the “what’s in it for them”, before you engage with the business.
Once the business sees the value to them, miracles happen. We should be looking to provide better information for decision making, reduce the uncertainty the business faces around the achievement of its objectives, protect the business from harmful risks and support the business in pursuing more opportunity and higher levels of inherent risk “because we can manage it”.
The business often sees risk management as “them”: the limiters, devil’s advocates, preventers and so on. This fails to see that, as risk is the “effect of uncertainty on objectives”, risk management must be the “management of uncertainty on objectives”, which is the same as objectives management. We are therefore on the same team, so it’s just “us”. The lines of defence model, even though important for independence, does not help with the “them and us” problem.
A key way of reducing “them and us” is to realise that good risk management is just good management. Given that management are primarily focussed on the achievement of objectives and risk management is the management of uncertainty on objectives, they are one and the same. Work at making risk management part of the day to day, embedded in each process, in each person’s role and as part of each decision made.
Over time, “risk management” might disappear! This is true success when risk management is no longer talked about as a separate concept – it’s just part of management.
One size does not fit all in risk management. Risk management must be tailored. Each business is different: its people, processes, products, risks and maturity are different. It is critical that your risk management framework is moulded in a fit-for-purpose way. Be wary of consultants or software providers with a methodology to sell you. You need providers who understand uniqueness.
Risk management is a young discipline in its current form. The discipline is developing rapidly and we still have a long way to go. Don’t let your risk management framework become stagnant. Ensure you have an ongoing continuous improvement plan. Make sure you stay current with what is happening in methodology and technology. Ensure your risk management system provider is reinvesting heavily in development, and have a look at its future development plan.
Due mainly to the perception of the typical human that risk is bad (gained mainly from your parents and the media!), we consider that risk management is mainly about defending against this evil force. The traditional three lines of “defence” model reinforces this. It does, however, forget that risk can also be good. Risk and reward are bedfellows – get rid of risk and reward disappears too! Risk management is not called risk minimisation for a reason. Management means the balance between risk and reward. Should risk management therefore also be a line of attack? This may include risk management challenging the business that we are taking too little risk!
Most organisations rely on people. People have beliefs, fears and greed, and these manifest themselves in their decisions and behaviour. This is culture. I don’t believe there is a risk culture different from general culture. This is because culture is manifest in behaviours that come from the decisions that are made, and all decisions should be made based on reward and risk.
Risk is a critical element in helping people make better decisions, which in turn influences culture.
I believe that the ultimate focus for good risk management is to empower the organisation and all its employees to make better decisions. Good decision making comes from weighing up the expected level of reward with the level of risk. Risk must be present at every decision.
Ultimate success is therefore when risk management is not considered an “after the event” exercise but a critical function involved in the day-to-day decision making and management of the organisation.
Author of 'A Short Guide to Operational Risk', David Tattam is an internationally recognised specialist in all facets of risk management, particularly at the enterprise level. His career includes many years working with PwC, as well as two Australian banks. His achievements include the creation of the Middle Office (Risk Management Department) for The Industrial Bank of Japan in Australia and the complete implementation of all Australian operations, systems, procedures and controls for Westdeutsche Landesbank (WestLB).