Explaining risk management in plain English
I have been saying for a while that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.
Leaders of the organization speak in plain English about the achievement of corporate objectives such as earnings, profits, and projects.
Leaders of the risk management function talk about risks, impact or consequences, and sometimes in technobabble about terms that only risk practitioners and statisticians understand, such as ‘risk capacity’, ‘alpha’, and ‘residual risk’.
The traditional way of explaining the risk management process is (per ISO 31000):
- Establish the context
- Identify risks
- Analyze risks
- Evaluate risks
- Treat risks
- Communicate and consult (throughout the above)
- Monitor and review (continuously)
Can this be translated into plain English, without using the ‘R’ word?
How about this?
- Anticipate what might happen
- Analyze the possibilities
- Is there a problem? Can we do better?
- What are the options? Can we improve them?
- Which is best?
- Decide
- Act
- Review/monitor/learn
I especially like the work ‘anticipate’. It’s better than talking about ‘uncertainty’, another word risk practitioners understand (I hope) but executives find difficult.
Isn’t risk management all about anticipating what might happen between where we are and where we want to be?
I welcome your thoughts.
Can we practice risk management in plain English and help leaders make intelligent and informed decisions without even knowing that this is ‘risk management’?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Great topic for discussion and a recurrent discussion in companies. We in Risk are not always good explaining what we do and what we expect, and more important what is happening or may happen. Problem increases when we add internal terms to the ‘professional’ language
I couldn’t agree more Norman. We have been using a set of questions like this for many years, with a very important first question: What do we want to achieve?
Since moving towards more plain english in our reports, it has helped us communicate more effectively. So undoubtedly agree with the thrust of your post Norman. But in regards to the “disconnect”, would have thought there is another factor to be considered. Do all boards and managenent want their risk functions to communicate effectively?. Rgs
Norman,
A very good point.
Boards and analysts live (and die) by deterministic budgets and forecasts, and are very uncomfortable explaining and putting values to future uncertain events.
In my experience, whenever “ISO” is mentioned at this level, it is translated as “compliance”. I have the “post-it note” size is best to explain processes, such as “identify, assess, manage” for risk and it’s management.
It may be my imagination, but there seems to be many who want to make up confusing jargon and processes in order to supply services.
I think you are heading in the right direction, but your 8 points won’t fit on my post it note yet!
Cheers,
Peter
I see Risk explained in a quantitative to augment decision making.
I have spent most of my career assessing and explaining risks to management and students, so I found your post intriguing. My own views regarding how to explain risk phenomenon is that great care must be taken to explain the jargon of the discipline so as not to contaminate the message. For example, since the new ISO standards on risk were published, I have watched many risk managers fling definitions about with great authority, but without any understanding of the operationalizations that are required to advance descriptive definitions. Thus, if by “plain English” one means that all analysis ends at the descriptive definitions, then no, plain English is not enough. However, I do believe very strongly that the ability to explain how risk is operationalized in plain English is a valuable skill set that does invite support and cooperation from management. But my previous caution still applies. Beware of those who view risk management as a descriptive discipline rather than probability science. Just my thoughts…
In reference to the comment above, from my perspective communicating to my management and board in plain english means this to me. I will communicate using language that effectively gets the message across (whether this language conforms to terminology in some standard or whatever is from a practical perspective irrelevant to me). eg I used to say there was a high likelyhood of a risk occurring and the impact could be very high. I would now say it like this. Given such and such circumstances, a business issue may arise which may lead to the business having to do xxxx. I used to say the kris relatimg to this risk indicate it is increasing in likelihood. I would now say circumstances are changing giving rise to this aspect becoming a more important matter that management should address. Using tables or lists of risks under headings “risk”, “impact”, “likelihood”, trend with arrow up and down, “controls”, “action plans” etc are now out of my reports. Advising management where we are in terms of progress against performance and outlook going forward at an objective and then key risk level are in. Rgs
More RM is made easy to understand by all, ALL will do it!
Norman I agree with you that a paradigm shift in creating a more simpler risk management will trigger change in the mind-set. The wordings if made to look simpler taking away the heavy handed risk is a good idea worth following.
Great post Norman. Your challenge — “explain risk management without using the word risk” — is a great way to start a larger conversation around what we are really trying to accomplish from a broader business perspective.
Simplicity would gel well in terms of positively influencing management!! Risk practitioners might be seen as overtly vocal sometimes as the world of RISK itself triggers that and being on the same page in absolute terms might not be possible but a general agreement can be reached for a better business outcome!!
Nice one sir, we should certainly try plain English
I wholehearted agree. I have just changed the name of my team, dropping the term ‘risk management’ from the second line team. How can we explain that the first line team is responsible for risk management, when that is the name of the second line team?
Our language doesn’t make it easy for business leaders, and we need to be much more conscious of this.
I agree with you Norman. To be saleable, language can act as a bridge between risk managers and management. Sometimes, I feel, the usage of risk words are more to showcase you’re something and then it may create a disconnect between risk and management functions.
Plain English won’t work!
1. By definition, Risk is a Statistical event (probability/likelihood/frequency). That is why there is an accepted mathematical formula for defining it.
2. Top management has a limited budget , so they need to know exactly where to spend it to achieve the best results!
If you can’t tell them where to start, you are doomed!
3. Most ISO Standards tried to use these “generic / plain English terms” to their disadvantage.
4. Let us stick to the tried & tested definition of Risk for the sake of uniformity!
Both things are combinable, plain english is more than helpful to increase awareness and risk culture (both basic for a strong risk framework) and technical language for professionals
What’s wrong with plain: Plan – Do – Check – Act? Identifying possible outcomes and thinking through consequences and mitigating actions sits with Plan. I’ve always found the simplicity of this cuts across management, technical and discipline boundaries.
If explaining the process simply, provides more value to those that “you” serve, isn’t it of benefit? Perhaps, there could be 2 versions – the simple and the technical.
I see value on both sides and like both. As a CPA with the ARM designation, I am trained in technical but try to explain in simple terms.
Kudos, Norman, for initiating conversation.
Some plain language examples:
A risk is a barrier to achieving an objective. It is something that can go wrong and interfere with meeting a goal. Link it to the objectives to make it real for the executives.
It can be a specific event (e.g., competitor price cut) or condition (e.g., low data quality).
There are four major categories: Strategic (scope of the business), operational, financial reporting, and legal/regulatory compliance.
Risk management involves three activities: identifying risks, prioritizing them, and responding to them (identify, prioritize, respond).
Thank you Mr. Marks for reminding all of us to bring communication skills to all conversations. Each professional discipline has it’s “words and acronyms” and the balance of (us) need to learn these new languages on the fly rather than the subject experts truly communicating to (us). This wastes time and money while potentially hindering collaboration. Risk management is like playing the card game Pinnocle…there is an up front strategy and then an evaluation of a play and counter play…a series of if-then(s). In the manufacturing world a PFMEA (Process Failure Mode and Effects Analysis) comes to mind. Probability, Severity, Risk.
I pity the exec who does not understand uncertainty. In my experience, it’s there number one word.
Ok, well I am reviewing the COSO draft now and it defines uncertainty as a lack of knowledge. How do you use the term?
incomplete/imperfect information; lack of knowledge works too. I think folks at most levels (and certainly all executives) understand the basic concept. That’s is their number one job–make business decisions in the face of uncertainty.
Sure simple English presents opportunities for more useful discussions/solutions instead of being stuck in technical terms
Interesting thought, in particular as the word ‘risk’ seems to have a negative image.
I think the standard risk management process from ISO 31000 has value for risk professionals and those familiar with the discipline, but I agree that it is of limited value when introducing the subject to those not already familiar with it. I explain the risk management process to new clients as follows:
At every level of your business, be that your strategic business plan, a major new initiative or project, a particular client or a routine daily business decision, you start with goals and objectives. The risk management process builds on those goals and objectives, and asks the following questions:
What are you trying to achieve?
What might go wrong? or
What unexpected opportunity might present itself?
What might cause that?
What would the potential impact be?
What are you doing about it now?
Is that enough? or
What more should you do?
Then, develop strategies to reduce negative uncertainties while you maximize opportunities, generate profits and reduce losses.
Finally, monitor and review the strategies and adjust as required, and your environment for new uncertainties.
Rinse, and repeat.