Home > Risk > Insight into effective risk management

Insight into effective risk management

I don’t know Christopher Burt of Halex Consulting, although we are connected on LinkedIn.

But I need to draw your attention to a provocative piece by his firm (presumably by him): The risks of risk management. (My thanks go to Tim Leech for tweeting about it.)

While he doesn’t reference either World-Class Risk Management or this blog, what he says is very much in line with my core message:

  • The periodic review of a list of top risks is not effective risk management. It actually has very little value in leading the organization to success.
  • Organizations need to obtain confidence that there is an acceptable likelihood of achieving enterprise objectives. (Some prefer to talk about certainty in achieving objectives; it’s the same concept but I don’t like talking about certainty or uncertainty – it’s confusing.)
  • Its not about managing risk. It’s about achieving those enterprise objectives. Chris talks about performance management whereas I say this is simple effective management.

You will see how Burt’s language is consistent with mine. For example, he says:

  • In many businesses, there is a tendency towards ‘risk listing’, with the primary focus on documenting, assessing and prioritising lists of risks. Sadly, in most cases this approach adds little value, leading to page-turning discussions around the top 10 or 20 risks whilst diverting attention away from the real value of risk management – helping the business deliver its strategy through achieving its objectives.

In the end, the thing risk listing is most successful at is convincing the board and senior management that they are dealing with risk in the same way as other organisations, since this approach is endemic across UK and international businesses.

  • The purpose of risk management is not to manage risks per se. The purpose of risk management is actually to help the business deliver its strategy through focusing on achievement of its strategic business objectives.
  • Moving the focus away from risks and onto business objectives, or key goals, is also more natural and engaging way to consider risks. In effect, it puts risk in the context of reward and focuses senior management and Board attention on the objectives that the organisation is trying to achieve, and what they need to do to increase the certainty of achieving them. It should also lead to a more forward-looking mind set, increased focus on priorities and greater responsiveness to unexpected events.
  • The third line [of Defense] (Internal Audit) remains responsible for providing independent assurance over all aspects of the organisation’s activities, including looking at the ERM system and the work of the second line. A brave Internal Audit function may even opine on whether management has fairly stated the certainty of it achieving its business objectives.

I welcome your comments.

Advertisements
  1. John Fraser
    July 3, 2019 at 11:09 AM

    While a list of key risks to objectives is only one aspect of risk management, i.e. it is just a point in time view of issues that may require attention, I do not consider the exercise useless or harmful, but rather a necessary piece of the puzzle/process. I regard a periodic list of top risks to be similar to producing periodic financial statements, by themselves they are useless or even misleading but provide data to help conversations by management and the board. Financial statements are obsolete by the time they are produced but not many people would wish to run a business without them.

  2. July 3, 2019 at 11:19 AM

    There should be a clear linkage of a key organizational objective/metric, risk statement(s), and action plans. A left-to-right org chart template in PowerPoint with the objective at the left, key risks on the next vertical level, and action plans on the next is a good way of visualizing the concept.

    I think lists of risks works just fine for financial reporting and legal/regulatory; the above is primarily for the operations and strategic risk.

    For analyzing business model / disruption risk, I also think everyone should read Peter Drucker’s article “The Theory of the Business” to help identify the key assumptions about customers and markets underlying the business and check that management is evaluating those assumptions.

  3. July 3, 2019 at 12:11 PM

    ‘A brave Internal Audit function may even opine on whether management has fairly stated the certainty of it achieving its business objectives.’
    I think should read, ‘An Internal Audit function must opine on whether management has fairly stated the certainty of it achieving its business objectives.’ Otherwise it’s not earning it’s salaries.

    • David Griffiths
      July 3, 2019 at 12:14 PM

      Sorry, ‘its salaries’. I blame auto correct.

  4. Tom Wong
    July 3, 2019 at 12:30 PM

    I agree with Norman’s position that organizations to focus on more strategic business/organizational goals and objectives. I work in government as an internal auditor and completely agree that this focus is needed in that environment. I will add that organizations and departments need to take more of a strategic big picture view of how a process or function is operating, and to understand that all the pieces of process-components and sub-components- work together in unison in order to generate an output to their internal and external customers.

  5. Ross Liston
    July 3, 2019 at 1:24 PM

    You rightly state that risk management should essentially be “simple effective management” by the business; but couldn’t you argue the same about HR, H&S and other corporate support functions? A good line manager doesn’t abdicate these responsibilities to the central functions, but rather leverages their specialist capabilities and directs them to provide the support they need to be effective – and so should it be the case for risk. However the nebulous and ever evolving nature (read ‘repackaging’) of risk management (partly driven by the risk fraternity) is not helping to correct things, but rather lengthening the rite of passage to simple effective management.

  6. July 3, 2019 at 4:09 PM

    Certainly, achieving the business objectives is paramount, and any deviations from the risks already been identified, assessed and managed, esp. those high and very high risks would need clearance from decision-makers, otherwise, the value of RM losses its purpose.

  7. July 4, 2019 at 6:04 PM

    From my understanding of risk management, listing, prioritising, assessing and managing risks is a KEY component to achieving the Organisation’s strategic and operational objectives. What I understand from this article is that the author is of the view that, risk management is simply listing the risks identified and doing periodic review and in his opinion this is ineffective. May I point out that a part of risk management is to identify new emerging risks as the business environment changes. There is no problem in documenting the risks identified and doing periodic reviews to see if the risks are still present or have decreased and how any new emerging risk may threaten the achievement of the organisation’s objectives. There is no point in saying something is not effective when someone dissect it from a whole. Listing the risk and doing a periodic review of same is only one aspect of the whole process of risk management. I therefore do not agree with most of the views in the article as I do not see the rational behind same.

  8. August 12, 2019 at 1:49 AM

    Thank you for sharing such useful information. I really enjoyed while reading your article and it is good to know the latest updates. Do post more.

    Risk Management Services

  9. John Fraser
    August 12, 2019 at 4:27 AM

    I went to the doctor and he said “There are some issues here that you need to address regarding your health, e.g your heart and your blood sugar are…”. At this point I stopped him and said “Actually Doctor I am not interested in these things, what I want to know is how I am doing in meeting my objectives in life, e.g. I wish to visit Australia next year, I wish to live to 90 and I wish to play in my club’s tennis tournament next month.” So he looks at me and says “OK, you have a 20% chance of getting to 90, a 50% chance of getting to Australia, and a 80% chance of playing in the. Tournament but a 50% chance of finishing it.” So I say “Wow, thanks Doc, that’s all I need to know.” Boy, I’m glad I read this article and changed my way of thinking.

  10. Norman Marks
  1. July 6, 2019 at 4:23 AM

Leave a Reply to David Griffiths Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: