I have written about this phenomenon before, the difference between leaving a risk unmanaged then becoming, in due course, an issue. I am beginning to join up the dots on this, though as it has occurred to me that it is simply not human, and thus not human-created organisational, nature to manage risk.
One of the great themes of risk management is embedded risk management. Some internal auditors simply never really do anything meaningful to address or understand this in their audits. I have seen many audit firms produce risk management audits, they gave the ‘systems’ clean bills of health. I can tell you though, that none of the clients’ systems they audited had any form of embedded risk management, not even close.
If you want evidence of the issue management nature of humans and their organisations let’s consider wider than just audits. Think about UK government. Westminster policy talks about being long-term, evidence-based and planned. Yet it isn’t. Policy is issues based, short-term and focused on the day in question. Think about political funding, no long-term plan, just short term reviews based on questions over donations or political lobbying issues. ‘Ah but what about manifestos?’ I hear you say. Well most manifestos are so vague and rarely commit to deliver anything, waiting to ‘deal with the situation at the time’.
Yet the more I audit, the more clients I deal with, the more experience I gather, the more I am increasingly convinced that managing risk is not even a goal of many managers. In my experience managers can be also extremely bad at it. Not only do they fail to identify and assess risk, they are particularly poor at managing risk, that is, identifying how to mitigate risk. I lose count of the number of times I have clients with green, yellow, amber, orange then red, risks. Eventually dealing with issues.
This is normal across all functions and specialists. Take marketing, for example. They would rather argue over the format of brochures, the pantone colours of letterheads and websites, organising events and ‘PR’. Very rarely do you find a clear marketing plan or brand management plan (except as a schedule of advertising). It is easier simply to deal with the tangible, the now, the current, rather than deal with the future, the unknown, the challenging and the difficult.
A guy called David Apgar, an academic, wrote a very persuasive book on risk management in about 2006, Risk Intelligence, in it he makes the point that any risk (expect commodity prices) can be understood and managed with effort. He uses the example of the piece of buttered toast and the risk of it landing buttered side down. He says, with effort and understanding of the influences on the toast you can calculate which side it will land. The question then is the cost and benefit of understanding it.
Take another example, finance. The seeds of financial destruction of company at a macro level are sown and clearly understandable way before most organisations react and do something about it. Take some recent and public business failures. The care homes business, Southern Cross, it is not a difficult business to understand, how then can it fail without senior managers being aware? Take Game, the computer games sales business, into administration last week. Games software sales must have been poor over a significant period of time, also it costs are predictable and able to be managed. The seeds of its financial destruction came from the increase in on-line downloading of software direct into devices. So why has it not reacted?
Can you, as a CAE to your clients, say that they really risk manage? Do they have a clear and granular and assigned-to-officers of the company, plan to actually proactively manage risk? Do they assign any resources to it? Do they have a risk management department? Do they analyse data, have an informed narrative of the legislative and competitive position of the company? Does the board avoid ‘issue management’ and really look to long-term risk issues?
I suspect, like I have seen, it is a case of a more, or less, complex risk management systems, a risk register, not linked to management activity at all. We all know real management is about dealing with issues, don’t we?