• Categories: Risk
  • Published: May 13, 2023

In an earlier issue we posed the question: What is wrong with a typical risk register? We were concerned that too many boards were satisfying their risk management responsibilities in ‘tick-box’ fashion, particularly using their organisation’s risk register as their primary point of engagement with risk. So we encouraged boards to review Norman Marks’ analysis of their shortcomings as a risk management tool.

Marks’ critique was compelling, pointing to the need for a more fundamental rethink of how boards engage with risk. We were, therefore, very interested to find in Grant Purdy and Roger Estall’s excellent book Deciding: A guide to even better decision making an extensive appendix titled ‘The 'risk management' millstone’. Complementing the main purpose of Deciding, it is a substantive essay that could well justify its own book. Its well-argued assault on the very concept and practice of ‘risk management’ should be compulsory reading for any board that commonly uses the term.

The pursuit of certainty

Purdy and Estall note that achieving sufficient certainty is a central motive in decision-making. They contend, however, that despite the investment and inconvenience involved in pursuing what is promoted as ‘risk management’, the practice does little to support greater certainty. They explain how the notion of, and belief in, ‘risk management’ came about; why it doesn’t and can’t succeed; why it can’t be remedied; and why, therefore, it is best abandoned.

Over time, a range of spectacular corporate failures have prompted a variety of remedial ideas and practices to help decision makers consider uncertainty more consciously. From Purdy and Estall’s perspective, however, these have developed in a random and sometimes contradictory way. The specific focus of those seeking change typically has much to do with their interests, responsibilities and authority. The authors suggest that, initially, there were three broad categories of those who might want to prevent corporate failure:

  • those with a financial interest (such as insurers) or a fiduciary duty (such as the directors of a company)
  • those, such as governments and their regulatory agencies, who were (or were perceived to be) accountable on behalf of the public for avoiding further incidents
  • those with an academic or altruistic interest in improving how organisations are managed.

Then, progressively, a fourth group of advocates emerged—external consultants and in-house ‘champions’ who recognised the commercial opportunity involved in providing ‘how to’ services. A persistent theme in Purdy and Estall’s exposition is that the self-interest of this group (which they later acknowledge they were once part of) led many to also become inventors and then advocates for their own methods. As they go on to explain, this has contributed significantly to what they now perceive are the problems of ‘risk management’.

It appears the label ‘risk management’ has become common as much by accident as design. Purdy and Estall suggest it emerged from the practice of insurers to refer to whatever was being insured as ‘the risk’. As the label, ‘risk management’, caught on, it became attached to many different ideas just as the word ‘risk’ inevitably acquired many meanings. A core concern for the authors is that:

This created the odd situation that the core word of an increasingly popular, yet ill-defined, expression was effectively meaningless—as was the expression itself! Hence, rather than being a descriptor of a solid foundation of tested academic endeavour, the expression ‘risk management’ has never been much more than an informal label for diverse, constantly changing and often conflicting concepts and methods that are vaguely related to uncertainty.

For Purdy and Estall, what lies at the heart of the problem is that ‘risk management’ has been driven by its advocates rather than by organisations and their decision makers. These advocates, they say, have:

…created a perception in those responsible for the governance of organisations that ‘risk management’ was ‘good’ and should therefore be adopted. And so, ‘risk management’ has been promoted as something that is both valid and indispensable; in effect, something to be believed in as essential to good governance.

There is no doubt that evolving corporate governance philosophy and practice has been a fertile environment for this growing belief in the importance (and validity) of ‘risk management’. ‘Risk management frameworks’ have been superimposed across many organisations, taking the form, for example, of board ‘risk committees’, ‘Chief Risk Officer’ positions and various ‘risk management’ structures, policies, and reporting requirements.

Despite the depth and breadth of the ad hoc and disparate mechanisms of ‘risk management’, Purdy and Estall contend that the purpose of establishing them is seldom transparent, explicit or understood. Referring to two recent high-profile corporate failings (the Boeing Corporation and the Australian banking, superannuation and financial services system), they point out that ‘risk management’ frameworks are seldom integrated with day-to-day decision making. The ‘risk management’ systems of both the entities involved, and of their sector regulators, completely failed to detect and remedy problems that caused great harm.

To Purdy and Estall this was hardly surprising. They suggest belief systems inevitably start with the answer (which is the belief) rather than with a careful, objective definition of the problem. They go on to identify four primary drivers for the promotion of ‘risk management’:

  1. a genuine desire—or at least acceptance—of the need for responsible governance and avoidance of mistakes, and the assumption that anything called ‘risk management’ would achieve or at least contribute to this
  2. the emergence of consultants and in-house risk specialists claiming ‘risk management’ expertise and arguing that their approach is the key to organisational success
  3. attempts to give the impression of creating knowledge by codifying ‘risk management’ beliefs via national and international standards-setting organisations
  4. ‘risk management’ compliance obligations imposed on organisations by governments and quasi-government regulatory agencies.

They conclude that these drivers had the effect of turbocharging and elevating the perceived importance and apparent validity of ‘risk management’ belief systems and their adoption by many organisations. And they interacted in a way that was ‘…not a virtuous circle, [but] certainly a lucrative one!’

So, why doesn’t ‘risk management’ work?

We were surprised that Purdy and Estall suggested that most organisations don’t even attempt to adopt any type of ‘risk management’ belief system, which they attribute to the complexity involved and the ill-fit with the organisations’ own purpose and methods of operating. Our experience is that most organisations of any substance in New Zealand demonstrate at least a nominal regard for the need to undertake ‘risk management’. However, we do agree with Purdy and Estall that, of the organisations that do buy into the belief system—or are forced to by regulators—few master its intricacies or fundamentally change the way they operate. They propose several reasons for this:

  • ‘Risk management’ paraphernalia is complicated and unnatural. For example, the first ISO ‘risk management’ standard contained 29 labels that relate to either ordinary words given a special meaning, or to contrived expressions involving the word ‘risk’.
  • Much of what comes with ‘risk management’ is illogical and defies common sense, for example, the widespread but incorrect use of ‘risk’ and ‘opportunity’ as antonyms.
  • Fundamental to the ‘risk management’ belief system is the contention that, to be successful, organisations will need to somehow integrate the ‘risk management’ paraphernalia into their usual way of operating and making decisions. Because this is neither realistic nor valid, ‘risk management’ is usually applied (imperfectly) as an ‘add-on’.
  • Despite adopting some of the trappings of ‘risk management’—such as pronouncement of policies, references in the annual report and sporadic, but inconsistent, use of the jargon—little if any change occurs in the way decisions are made.
  • The ‘risk management’ edifice and its constructs, such as ‘risk registers’, [1] don’t make life easier or enhance decision-making. As a result, for most decision makers, ‘risk management’ doesn’t ‘pass the pub test’. It hinders rather than helps.
  • A considerable cost is involved in replacing long-standing practices with a new approach across an organisation, but the returns are far from obvious or commensurate.
  • There is little objective evidence to support the contention that adopting ‘risk management’ equates to enhanced organisational performance.
  • There are fundamental problems with an increasingly popular practice purporting to measure ‘risk management maturity’ or to certify ‘risk management’ compliance. Apart from the use of the word ‘maturity’ as a proxy for competence, the measures used are arbitrary and fuzzy, lack validation, and relate to inputs rather than outcomes.

How, therefore, might an organisation dismantle its ‘risk management edifice’?

This may not be easily done given ongoing fear of regulatory recrimination and what may have been substantial financial, cultural and emotional investments in creating it. However, Purdy and Estall offer a detailed description of the steps an organisation may take. These start with a logical sequence of preparation, planning, communication and consultation, refinement and execution. They elaborate on each.

Unsurprisingly, as the ideas reviewed here come from a book on decision making, they also advocate that organisations invest in an improved decision-making process. [2] They say this is important because decision makers might otherwise assume that risk registers and other ‘risk management’ activity will take care of uncertainty. They point out the need to deal with, for example, unwanted compliance obligations, perhaps by demonstrating equivalence to the regulator or constraining party. Even better, they say, is to demonstrate that removing the ‘risk management’ millstone from around the organisation’s neck would also advance the regulator’s objectives.

We have reviewed this material because, like Purdy and Estall, Norman Marks (referred to earlier), and a growing number of others, [3] we feel it is a mistake to treat ‘risk management’ as both a task and a process somehow separate from, rather than integral to, the pursuit of corporate strategic objectives and improved decision making generally.

In thinking about an approach to managing your organisation's risks to ensure your organisation will be resilient, and adaptable to whatever the future throws at it, make sure it is directly relatable to your organisational objectives and that it will inform and improve your decision making.

NOTES
_________________________________________________________

[1] Purdy and Estall make the following main points about risk registers:

  • Risk registers are an artificial construct typical of those imposed by risk management belief systems.
  • They are created at a point in time but seldom record the prevailing context. Changes will inevitably invalidate the diagnosis.
  • The list of risks can only ever be a sample.
  • The practical task of filling out the register invariably distracts decision makers from achieving sufficient certainty that their decision will deliver the required outcomes. Thus, it is rare that the registers are used in decision making or are even accessible to decision makers.

Readers should also review Norman Marks’ critique of risk registers referred to earlier in this review.

[2] See also the lead article in this issue of Good Governance.

[3] For example, Sabrina Segal