So I’ve been thinking about risk. I had the pleasure of attending a course on risk hosted by Norman Marks and Richard Anderson. Norman has a great blog NormanMarksBlog. Richard is a trainer and general risk guru AndersonRisk. I’ve also given my annual assurance opinion, which requires me to opine on risk management systems. We’ve also had a new head of risk start at my client organisation and all of these are making me think afresh about what good risk management looks like.
So I’ve been working hard over some period of time to advance my risk thinking with my audit team, my client organisations, and my professional audit colleagues. In particular, I hold the view that risk is simply not bad. Risk is just a description of fact. In theory, perfect risk management is just a 100% accurate description of the world at a point in time. If we could imagine a world of perfect information, we would understand all the factors affecting the uncertainty of achieving our objectives. This is what scientific, quantitative risk management aims for.
For most organisations outside of banking, and for most risks, cost-effective mathematical modelling is not possible, so we make do with judgements. These judgements are the ones the management team makes every day. So what then is the difference between risk management and just management? Well, I think the difference lies in the natural tendency of managers to focus on the here and now, to solve issues. Real risk management is designed to allow risks and uncertainty to be more easily foreseen and addressed, so that issues and proximate risks do not occur. So in a way, busy, issue-focused management is a failure of risk management.
So why is risk not bad if we try so hard to avoid it? Well, risks flow from objectives. If you or your client organisations are not sufficiently ambitious, you are likely to yield poorer performance. This can be financial, but could be social. So a charity campaigning for diversity and against discrimination is unlikely to be successful unless it pushes itself to challenge the status quo, to stimulate and create change. Risk is not bad, then; we need risk management to be successful overall so that our objectives are achieved.
Getting organisations to see risk and its crystallisation as a good thing takes time, for all ambitious organisations take on risk, and some of it will, inevitably, crystallise. We, as auditors, are partially to blame for risk aversion. We code our risk-based reports with colours equating risk with bad: ‘red’. Yet my greatest audit achievement is to get an audit committee to celebrate and endorse a red risk report. Yes, risk was high, the likelihood of achieving objectives was highly uncertain, and no, I could not give positive assurance, for the outcome was so uncertain; how could I? Yet I said red was fine. Red was where the organisation wanted to be. Red came with high costs and a high likelihood of failure, yet it also came with high rewards. In this case, the saving of millions of people’s lives. So it was good risk. Good risk to take.
Sure, risk at that level across the whole organisation is bad, for the whole organisation could fail. Yet how many businesses do take massive risks? Apple has the majority of its profits arising from one single product line, the iPhone. So each update carries with it massive risk. Will we look at Apple in ten years as the Blackberry of the future? Possibly. This risk could, however, be the source of their further success.
So we as auditors are not there to stop organisations taking risk. We are there to enable them to take more risk. To help build risk management intelligence and capacity. We are there to make organisations more conscious and capable of handling and handing off risk. For surely a good risk management system allows more, and more complex, risk to be taken?
The key point for audit is to ensure that objectives, and the risks that flow from those objectives, mediated through appetite, lead to a sensible allocation of risk management resource and capacity. For where any one of those elements is out of kilter, organisational failure occurs. Our role is not to take pseudo-executive responsibility for deciding which risk is good or bad. We should point out where risks are not properly governed, not adequately resourced to be managed, or not well understood or analysed. The only time, in my view, that risk is bad is if it breaks the law (the law is not a risk-based judgement) or if it threatens the very existence of the client organisation you are working with.
So how will you celebrate risk with your clients?