The House of Risk
Let me share a metaphor that illustrates my thinking about risk management – and how many only practice it partially.
Imagine a house.
On a regular basis, inspections are conducted to identify, assess, evaluate, and treat conditions found around the home.
For example:
- The cleanliness of the home is inspected and action taken to clean carpets, and so on
- Termite inspections are performed, as well as inspections for other pests
- The condition of equipment is checked, such as the filters and vents for the heating/air conditioning system, the safety of the electrical wiring, the condition of the plumbing system, and so on
- The cars are checked for fuel and oil levels, tire and brake condition, and so on
- The insurance policies are updated as needed, and emergency supplies are verified
A report is provided to and reviewed with the homeowners, who decide whether to make any repairs or other corrective actions.
That all sounds good. It is somewhat analogous to the traditional risk management activity, where risks to objectives are assessed, reports are reviewed with senior management and the board, and actions taken where the ‘risks’ are outside desired boundaries.
But is it enough?
Imagine the same house.
It is a place where people live. The family that resides there is changing the condition of the house all the time, using the equipment and possibly breaking it, cooking and possibly leaving crumbs around to attract pests, leaving toys on the stairs, making a ruckus and annoying neighbors, and so on.
People in the house are making decisions and taking actions that create or modify risk.
Risk needs to be understood, and to be an integral part of the decisions made by the residents, whether grandparents or grandchildren.
So what am I saying?
The management of risk entails both periodic inspections and continuous practice.
Does your organization both inspect the house and live safely in it?
I welcome your comments.
Join me for a discussion about effective risk management. Details of webinars and in-person events are at RiskReimagined.com.
You can also read World-Class Risk Management.
These are all downside hazard/depreciation risks. What about the house as an asset/business enabler? Use for business leverage perhaps the existing triple play technology, provide customer entertainment and use tax laws in place for many years. Business is virtual and digital. Think outside the walls!
Good point! I was not trying to make that distinction in this post.
Mike, I would always define a risk as resulting in a loss when it occurs. So, in your example I would say that the householder has an objective of maximising the house’s value (in addition to the unstated objective of keeping the occupants safe). This brings new risks into play, such as ‘new business objectives are not identified’, ‘not all tax benefits are claimed’, ‘customers are bored and go elsewhere’.
David, I respect your view of risk but agree with Mike that risk is the effect of uncertainty on objectives. It is not limited to adverse situations.
I admit my view of risk is very narrow but I have taken this view because I think that describing a risk as ‘circumstances that threaten the achievement of objectives’ means more to managers than ‘the effect of uncertainty on objectives’. You have much more experience than I do of talking to managers so I must accept that I am ploughing (plowing) a lonely, incorrect furrow. I will amend my books accordingly at their next update.
David, I agree with you about this. My definition of risk is any potential obstacle between a person or enterprise and his/her/its goals. The definition of uncertainty on positive outcomes should still be centered on adverse possibilities; else, how does one reduce uncertainty on positive opportunities other than reduce the upside potential? I absolutely agree that it is much easier to wrap one’s head around the possibilities that can adversely impact the achievement of objectives. I say, “stick to your position.”
A good analogy. The only problem is that more often than not the house people are so engrossed with the day-to-day running of the house that an all-round check does not appear in the priority list. Even if somebody else does this reality check and presents the laundry list, the house people take it as fault-finding and may not fix it until the roof starts really falling down.
Agreed, Varkey. The constant challenge of the in-house risk & compliance function.
I wonder though whether the activities described are really risk management related activities and not just control or small ‘c’ compliance related activities. That is, that the level of risk (where the outcomes are uncertain and some of these involve loss) is not really that significant. Using the house analogue I humbly suggest that the range of outcomes being addressed is at the minor end of the spectrum and that the more severe end (house burning down) is not being considered; insurance, fire alarms and (yes not fire related but similar) whether the house is on a flood plain.
Graeme, are internal controls not an integral element of risk management? That is what COSO and ISO both say.
I would counter that the risks of an electrical fire, disease, tripping accident, or sewer backup are not trivial to homeowners.
Great analogy, Norman. I think a major challenge for risk professionals in monitoring and managing risk continuously is that risk data remains in silos. Breaking that down is going to be a major challenge for internal politics over the next few years. (The technology is also not there to do this yet but that is a much easier problem to solve!)