Enabling risk management across the organization
Now, Ron does not have a background as a practicing risk officer, so his knowledge and understanding of risk management is not perfect; but he makes an interesting point. Most of the time, the (as he puts it) “official risk management function usually only addresses the most critical [risks]”. But managers are facing and managing risks in the ordinary course of their business, on a daily basis.
He provides a few examples:
- Risks to projects
- Risks in staffing decisions
- Supplier risks
The article closes with these two paragraphs:
“Yet at the same time, one of the recurring themes for managers these days is the need to learn how to take risks, which may seem contradictory to the notion of managing them. But in many ways the thought processes for each are the same. To take risks effectively you need to anticipate the possible impacts of your actions, and then make a conscious decision about whether to go forward or not, or to go forward in a way that will reduce negative consequences.
“Perhaps one way of learning how to take risks is to be more conscious about the built-in risk management aspects of your job. If you improve your ability to identify and mitigate the ongoing business risks, it should give you more confidence in dealing with the personal risks required for innovation and working outside the box.”
This is consistent (in my opinion) with the ISO definition of risk management as “coordinated activities to direct and control an organization with regard to risk”, where ‘risk’ is defined as the “effect of uncertainty on objectives”. Some of the Principles in ISO 31000:2009 are relevant, including:
Risk management is an integral part of all organizational processes. Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
Risk management is part of decision making. Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
So where am I going with all of this?
If the management of risk is a daily activity by all decision-makers, they need to be trained. They need to understand the concepts, principles, tools, and techniques for considering and managing uncertainty so they can optimize performance and achieve objectives.
Where does that training come from? Is the consideration of risk something that is taught to every MBA student? No, it is not – unfortunately.
In my opinion, the most valuable activity for the risk management professional is teaching managers at all levels how to make risk-intelligent decisions: how they should understand and assess risk, evaluate it, select among risk treatments (or risk responses, if you prefer), and then continue to monitor.
What do you think? Is this the job of the risk officer and team?
Secondly, shouldn’t internal audit be commenting in some fashion if managers are not trained and therefore not equipped to address risk as part of their daily management activities?