What if we just abandon “risk management”?

Earlier this year, Marco Nutini asked this challenging question in a newsletter he shared on LinkedIn.

He starts with:

Calm down, I don’t want to ruin my source of daily bread, let alone create a fuss.

Several internationally recognized authors have already addressed a recurring theme in the Risk literature: if a company does not manage risks, but manages decisions, why use the term “Risk Management”?

For example, Grant Purdy and Roger Estall devoted an entire section of their book, Deciding (2020), to propose the temporary eradication of the term. Grant was a nominated expert to the working group that wrote ISO 31000 and ISO Guide 73. Both standards were inspired by AS/NZ 4360:2004, to which Grant was a key contributor. So, I guess he is in a privileged position to give his opinion.

Marco quotes Grant and Roger’s argument that the terms “risk” and therefore “risk management” have multiple meanings and that this means they really have no meaning. Therefore, we should stop using the terms.

This is not a view I subscribe to, although I do dislike the four-letter word “risk” because it sparks a negative reaction from most business executives.

Instead, Marco suggests:

“…what we now call ERM (Enterprise Risk Management) is a tangle of three distinct, yet interconnected fields of knowledge, something like modes of Risk Management:

  • Strategic Assumptions Assurance: A set of tools developed to assess an organization’s chance of achieving its goals and honoring its performance forecasts. It is supposed to support the strategy execution and monitoring processes.
  • Risk-Informed Decision Making: This mode has a diffuse, broad scope. As the name implies, it aims to ensure that the organization’s decision-making processes gather and use intelligently the necessary information for decision making under uncertainty. This mode is called Sufficient Certainty by Grant Purdy and Roger Estall, also the name of their consultancy from Australia.
  • Risk Control: A mode that has a transactional and compliance scope. It seeks to design and maintain a control environment that keeps residual risks at the planned levels. It is analogous to the “routine management” of Quality. Many people think that this is what Risk Management is all about.

This resonates more with me (see my last blog post).

The first of the three seems very similar to my idea of top-down risk management, which focuses on whether there is an acceptable likelihood of achieving each of the enterprise’s objectives.

The second is what I referred to as decision-based risk management.

But I see the third as a subset of the first two. Some might say that this is how an organization responds to, manages, or mitigates risk.

The problem is that it overlooks the positive aspect of risk: opportunities. We need controls to ensure that they are taken as and when appropriate.

Marco’s newsletter/LI post is quite long, and I will let you read the rest. The only comment I will make is that he makes everything seem complicated, whereas I always seek (but don’t always find) simplicity.

Please share your comments here as well as against his post.

P.S. Happy belated birthday, Marco!

  1. Shadreck
    August 15, 2022 at 8:00 AM

    Thanks for opening this for comments.

    Well, I guess what needs to be changed are the activities of those supporting line managers in managing uncertainties. Maybe an overhaul of this so-called second line to move into the first line and work with Executives and Process owners. They spend a lot of time writing frameworks and documents that struggle to find their way into the things that Managers and Executives do on a daily basis.

  2. Jim DeLoach
    August 15, 2022 at 8:52 AM

    I have been talking about monitoring strategic assumptions and supporting informed decision making as integral aspects of ERM for many years. My view is that if ERM doesn’t do both, then its value contributed is questionable in the eyes of a CEO. The whole idea behind ERM, IMV, is sustaining the culture of an early mover when it comes to seizing market opportunities and responding to emerging risks.

  3. Anonymous
    August 15, 2022 at 6:42 PM

    By now, I think we have agreed upon principles and approaches to identify, assess, and then take risks to increase the likelihood of achieving objectives. However, I haven’t seen much talk on the same about risk controls outside the domain of internal audit function.

    • Norman Marks
      August 15, 2022 at 6:46 PM

      Internal Audit is not responsible for any controls. Can you explain what you mean?

      • Debashis Gupta
        August 16, 2022 at 2:24 AM

        Bingo, Norman! The earlier we get rid of the notion that IA is somehow “responsible for any controls” (except of course in its own activities) the better.

        • Richard Fowler
          August 16, 2022 at 5:54 AM

          Absolutely. The first line makes decisions and runs the business. The second line identifies risks that may impact the business and proposes mitigation plans – controls – to address the risk. The third line advises on the decisions, the risks, and tests the controls.

          • Norman Marks
            August 16, 2022 at 6:23 AM

            Yes, Richard, although I prefer the first line to identify and evaluate the risks – with assistance from the second line.

  4. August 16, 2022 at 6:26 AM

    Norman, I suspect this one will run and run! I despair that in the interest of designing a better mousetrap, we constantly redefine and redesign risk management, some (cynically) might say to keep consultants and software firms in business…..
    Risk management should always have included strategic, tactical and project threat and opportunity management. Anything less than this is, to my mind at least, a subset of ‘proper’ risk management. So, ERM and related three letter acronyms, are just ‘risk management done well’ but using over-complicated jargon. Likewise, risk management limited to the use of, say, insurance or engineering solutions, are subsets, as is that curiosity called by bankers ‘operational’ risk management – tell me, is strategic risk included in the market, credit or operational ‘buckets’?
    And yes, risk management is synonymous with decision management. I use both terms, with whatever works best with the organisation or team I’m talking to at the time…. Not pure, I know, but pragmatic. Let’s focus on what we do and what we can achieve, avoiding ‘terminology wars’ at all costs. That way, people will value, nay admire, what we do.
    Steve

  5. August 16, 2022 at 6:55 PM

    Norman, thanks for your kind review of the article and my birthday! I really have a tendency to overcomplicate things, you are not the first one to say that.🤓 Will try to keep it simpler and with sharper focus.
    I understand your point of view that risk control is a subset of strategic assumptions and decision making, but there is a whole body of knowledge about process control that kind of makes it exist by itself.

  6. GSosbee
    August 17, 2022 at 8:08 AM

    Since the “risk” of anything runs from 0.0001% to 99.9999%, knowing where any action/decision ranks towards achieving tactical and strategic objectives is critical.

    One point to make, however, is that all too often the “other” risk management objective of protecting net worth is either the Risk Manager’s sole contribution to the organization (risk transfer-focused Risk Managers) or totally downplayed (Capital Allocation-focused Risk Managers). (Norman is correct that this is a portion of the second “mode”, Risk-Informed Decision Making.)

    The three modes offered by the article’s author do form a good triangle of Risk Management functions. Yes, each can be more fully explained, but I assume what was written was kept simple for brevity’s sake.
