• Categories: Risk
  • Author: Graeme Nahkies
  • Published: Dec 20, 2021
  • share on linkedin
  • share article

Earlier this year we shared Norman Marks’ excellent critique of the typical risk register. In Moving from ‘Doom Management’ to Effective Risk Management, Marks now offers a perspective that should prompt most boards to fundamentally rethink how they approach risk management.

 

In most organisations, risk management is based on compiling and periodically reviewing a list of the things that could go wrong. As most boards and their management teams are mainly focused on achieving organisational success, it is not surprising that executives struggle to see how periodic attention to a risk register is anything more than a compliance exercise.

Their boards don’t help. Too often board engagement with risk management is superficial. The inclusion of a risk register in the board pack and the occasional tweak to estimates of probability or impact give a false sense of having discharged this aspect of their duty of care. In extreme cases (as we reported in relation to Boeing’s 737 Max disasters in our last issue) not even mission-critical risks are in full sight.

Marks begins by pointing out that we don’t typically make decisions using only a list of what could go wrong. We try to identify both the pros and cons and weigh those before making an informed and intelligent decision. This is an inherently integrated process. In contrast, in many, if not most, organisations we separate consideration of what could go wrong from the assessment of what needs to go right and call it ‘risk management’. It’s not just a separate process but often also a separate function, one that is frequently matched at the board level (‘risk committee’).

Marks’ article is a call for a change from risk management that avoids failure to risk management that helps achieve success. There is a need, he says, to enable an organisation to:

 

  • set the right objectives and strategies for achieving them
  • make informed and intelligent decisions
  • take the right level of the right risks, given the potential for reward and the effect on achieving enterprise objectives
  • understand the likelihood of achieving its objectives and act where that likelihood is unacceptable.

It is not only about managing and mitigating potential harms, but also about anticipating what might happen so as to be able to set and execute strategies, make informed and intelligent decisions, take the right risks, and achieve objectives. Put simply, it is about directing and managing the business to achieve ‘success’.

Traditional risk registers often feature a colour code system to distinguish between different levels of risk. In his article, Marks offers a very different kind of ‘traffic light’ analysis (see table below). It starts by listing key business objectives, then estimating the likelihood of achieving them. Objectives that are behind schedule, and/or seem likely to be significantly underachieved, are ‘red lit’.

The aim is to focus on these, drilling down to identify which risks and opportunities drive the performance assessment, and then to determine the actions needed to improve the likelihood of success. A table like this not only highlights areas that require attention but also enables a comparison of their severity. Attention paid to risk is in the context of achieving objectives rather than as a separate effort to stop something bad from happening.

In comparison to the kind of risk registers that most boards rely on, this approach seems to make it far easier to spot and address the inherent risk/reward trade-offs.

Marks does acknowledge that, for periodic reporting review and ongoing monitoring, there is also value in identifying the more significant risks and opportunities that merit individual attention. These might include risks that, for example, can affect multiple objectives to an unacceptable extent. He uses the example of a cyber breach that would affect both revenue targets and compliance obligations. Again, however, he emphasises that this should be from a business perspective. It would mean paying attention to how a breach could affect the business, rather than to the fact that multiple ‘information assets’ are at high risk or have drawn the attention of regulators or the media.

While earlier in the article he has a tongue-in-cheek tilt at ‘list management’, Marks does allow for a listing of individual or groups of risks. However, this is only insofar as these supplement rather than be the primary risk report that features in most traditional risk management processes.

Marks finally proposes that boards should receive formal assurance, at least annually, from the chief executive, the chief risk officer (CRO) and the head of internal audit on three things. That:

 

  • daily decision-making is informed and intelligent
  • more significant risks and opportunities are being addressed as part of the everyday running of the business, and
  • any risk management activity is enabling the quality decisions that lead to success.