Isn’t it time our ideas on risk maturity grew up?
Today, I am going to share a guest post by my good friend and, in many ways, my mentor, Grant Purdy. I have great respect for my learned friend. Not only has he served with distinction as Chief Risk Officer for one of this world’s largest companies, but he was influential in the development of Australia/New Zealand’s standards for risk management – and later in the development of the ISO 31000:2009 global risk management standard.
Please consider this post. I have a few comments of my own, which follow his reflections.
Isn’t it time our ideas on risk maturity grew up?
Grant Purdy, Associate Director, Broadleaf Capital International
The confected expressions ‘risk maturity’ and ‘risk management maturity’ (which typically are used interchangeably despite having entirely different meanings) have gained currency with apparently little thought as to their meaning or inherent validity.
Used variously as both a descriptor of a desirable state of affairs and as an arbitrary continuum for use as a measure of what ‘good’ risk management looks like, the question is whether these expressions, and their related dogma and systems, are actually helping or hindering organisations in achieving their objectives through better decision making – which, of course, is the sole purpose of risk management.
We all deal with uncertainty, every day, as an intuitive part of making decisions before we act. Some of us are better at it than others and most of us could improve – if we knew how.
In organisations, decisions are always made in the context of the organisation’s external and internal environments and so inevitably involve some uncertainty as to the actual effect of any decision. The effect of that uncertainty on the organisation’s objectives is what is commonly described as ‘risk’. Detecting, understanding and (if beneficial to do so) modifying ‘risk’ (and having the intent and capacity to do so) is what, by habit, we call risk management.
Risk management – concerned as it is with both consideration of uncertainty and with the organisation having the intent and capacity to do so – is something that organisations either do well or not so well; they can do it intuitively or deliberately and either always or sometimes.
As with income and expenditure data, production figures, and other organisational performance measures, it is helpful for organisations to be clear about how good their ‘risk management’ is. Otherwise, they cannot enjoy the confidence of knowing that decisions will lead to the intended outcomes which, after all, is the basis of good governance.
However, as with other types of organisational performance measures (such as considering actual against budgeted revenue), it is necessary to know what ‘good’ risk management looks like before organisations can understand their shortcomings and plan improvements.
The proponents of ‘risk maturity’ concepts envisage that ‘good’ = ‘mature’. But is that valid? If ‘maturity’ is used just to characterise ‘good’ then, in itself, it adds nothing and it would be better to use the normal word ‘good’ instead.
Defining ‘good’ risk management is, in fact, quite simple because, if its ultimate purpose is to enhance decision-making, it must deliver three key things:
- When decisions are finalised, the ‘risk’ associated with the decision is fully understood.
- The type and magnitude of that risk is acceptable, i.e., optimal, taking into account those aspects that facilitate objectives and those that might detract from them.
- Changes inside or outside the organisation that occur after a decision has been made, and are of a type that could have the effect of modifying the risk, are detected, the resulting risk assessed and, if warranted, the decision is amended and the subsequent actions are revised.
These three criteria for ‘good’ need to be satisfied for every decision because, as with the links of a chain, it doesn’t matter that the risk associated with 99 decisions meets the criteria if there is one decision in which an unacceptable risk went undetected, was misunderstood, or was not modified to ensure it was acceptable. This is very similar to the preparation of a profit and loss statement that comes down to similar matters of fact: (1) were all elements of expense and revenue captured and, (2) are the arithmetic and accounting treatment of each item correct?
In summary, ‘good’ risk management is only concerned with its universal application to decision-making and its consistent, technically competent application and, as can be seen, such criteria, like the links of a chain, do not lend themselves to measurement using arbitrary scales or matrices.
If risk management is not satisfying the above criteria of ‘good’ then the organisation should remedy any specific shortcomings in:
- the organisation’s intentions (i.e. whether or not it intends to consider the effect of uncertainty on the objectives of its decisions throughout the organisation); and
- its capacity to give effect to those intentions (e.g. individuals having clear instructions, skills and relevant tools and there being a system of performance measures).
Remedying shortcomings in intent or capacity in an efficient way requires very specific and tightly constrained remedies such as revised instructions, improved explanation, targeted training, improved tools and improved surveillance.
So ‘good’ has nothing to do with ‘maturity’ but all to do with being ‘effective’, which has the ordinary meaning of ‘having the effect intended’.
George Orwell wrote:
the slovenliness of our language makes it easier for us to have foolish thoughts
Isn’t it about time we abandoned using the slovenly expression ‘maturity’ as an expression of ‘good’ and instead used the simple and accurate word ‘effective’? And, at the same time, avoided the deceptive use of any form of maturity scale. Instead, shouldn’t we just focus on the selection and implementation of actions that, quite simply:
- monitor and test the application of approaches that discover, understand and, if necessary, modify uncertainty as part of decision-making;
- monitor and test the technical adequacy of such activities;
- design and monitor remedial actions?
George Orwell: Politics and the English Language, Horizon, London, 1946.
I understand and agree, to a large extent, with Grant’s views. I too write about effective risk management enabling better decisions, at all levels of the extended enterprise.
I have sympathy for Grant’s position that we must be clear when we talk about mature, effective, or good risk management.
I divert from Grant’s stated position (although it may be more a matter of semantics) when it comes to what constitutes an acceptable level of risk management – what I would refer to as ‘effective’. (I don’t know what ‘good’ risk management is and don’t talk about it).
My position is that the risk management capability, including framework and processes, can only provide a reasonable level of assurance that the desired level of risk will be taken. Incorrect or misguided, even misinformed decisions will still be made. Perfection is not achievable.
What I say in World Class Risk Management is that risk management can be considered world-class when the likelihood and extent of a failure to manage risk at desired levels is acceptable. Please see the book for a detailed explanation of this new concept.
So, what do you think?