Risk management – what’s so tough? Intellectually, risk management (at least the non-quantitative kind) is simple. Start by assessing the risk you face before you do anything about it: assign some measure of impact, then assess likelihood, for all of the upside and downside outcomes that could flow from your objectives. This is the gross risk. Then consider your ability to influence the outcome, either by reducing the impact (for financial risk, say, through insurance or portfolio techniques) or by reducing the likelihood (for financial risk, say, by putting management approval mechanisms in place). What remains is the net risk. It is then left for you to decide whether this is tolerable against your risk appetite. Yes or no. If yes, do nothing further except get assurance that your risk mitigation actions are real and actually occurring. If no, redesign the controls, change your risk appetite or change your objectives. If none of these is possible, think about what you would do if the risk materialised: plan a contingency.
So why then do organisations find this so difficult? Simple. It is hard, constant work. At an operational or project level it is detailed, fast moving and unrelenting (closer to issue management than risk management). At a strategic level it is difficult to link grand strategic objectives to who could actually manage the risk and where it is actually being managed. At a tactical level it is really hard because it is fast moving, and at the same time partly cross-cutting across the organisation and divorced from organisational reality.
As organisations specialise around technical divisions of labour, and the joining processes (those designed to make the organisation work as a whole) actually institutionalise and enforce these divisions (think planning by department, or budgeting, or performance monitoring, or risk managing, or brand), real risk management, which splatters sideways across the organisation, becomes impossible.
Add to this that most organisations oscillate between a draconian risk bureaucracy and a hollow vestige of that system, until it is next enforced or events go awry and prompt a renewed interest in risk management. The simple truth is that risk is not manageable, at least not in the scientific, control-obsessed way that risk management professionals think it is. Humans manage issues, not risks. We overestimate our control and badly underestimate the likelihood that risks will occur. What is needed are people who think about risk, are experienced enough to recognise past risks, but not so experienced that they cannot imagine new ones.
There is a need for something agile, light, ‘human scaled and structured’, somewhere between nothing and everything, that fits within day-to-day management activity. Having meaningless risk registers in triplicate is no more acceptable than having nothing. Yes, it needs to be embedded, but not so embedded that you can’t see it. Have you ever seen something human scaled that really works? If so, let me know!