I had this question thrust on me recently: “Do you think the list of failed projects that have been delivered, natural catastrophes in different regions and a rampant global pandemic are beyond the current level of risk management knowledge and application to deal with?”
I had to admit that this is likely the case and decided to put this “out there” through this blog, and I welcome anyone giving their views. I went back to basics to define the problem. These are two of the largest problems that came up.
Problem Statement 1: Enterprises tend to focus primarily on meeting regulatory compliance, and miss the opportunity to use insights from adopting risk-based methodologies to run and grow their business.
Problem Statement 2: Most operations run within functional silos, unable to identify, share, study and correlate interdependent risks, and their view of risk is mostly subjective rather than objective.
The idea is that if you know the problem, there will always be the solution.
In my experience the solution to problems is about using good techniques rather than lots of effort. Risk Management has the foundation for identifying and evaluating the risks and deciding which solution is the best value for money while posing the least risk to the organisation, stakeholders and projects.
Problem Statement 1 gives a pointed message in comparing subjective to objective, meaning that organisations should rely more on a scientific approach than an emotional one. I wonder if my peers would agree that following a credible risk process removes bias or emotional judgements, and that sometimes the optimum solution is more straightforward: “Why didn’t I think of that before?”
Risk managers often face challenges in gaining the ear of top management to put the risk management solution on the table when alternative business improvement options are being promoted by others.
We risk managers can win the day when we take good quality information about risk and provide that to top management, who in turn make better decisions on business strategies and demonstrate that risk management is a valuable partner in assisting them achieve their corporate objectives.
It’s time to set the right vision and have risk management positioned as a strategic tool for the board, CEO and executive management. It’s time to have an aligned and integrated approach to risk management and governance that combines different risk programs so that they work together and, by implication, evolve and mature to more accurately measure risk exposures and the controls that are best placed to manage risks.
Are we ready for such an approach? I can think of some of the risk programs that are candidates for this: Strategic Risk, Business Risk, IT / Cyber Risks, Business Continuity, Project Risks, Compliance. But then you may say, we already do this. My response is that what is taking place in the marketplace is perpetuating a siloed and fragmented approach.
Risk management and governance need a more agile, adaptive approach that can readily embrace a roadmap to maturity that is not disruptive to the business(es).
If the approach advocated above is possible, it then leads to risk management and governance being integrated with and aligned to support the strategic plan. Then top management will have the best of all worlds to use risk management for what it’s designed to do, quoting from ISO 31000: “The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.”
The net has been cast! Let’s see whether you agree or there are other thoughts on what is needed for risk management to step up in these challenging times.