Since 2013 I have spoken to many people about risk management, from operational staff to board members.
Based on those conversations I'd like to share two secrets:
- Value. People often don't understand – and sometimes don't believe in – the value of risk management for the organisation.
- Relevance. People often don't see the relevance of risk management for them.
Quite possibly you'd suspected this. This article takes a quick look at these claims and what we can do if they are true.
For more help with the secrets see Value-based risk management: three lines of attack.
For my articles and those from three leading risk management gurus see Risk Olympians.
Why people don't speak upthe reality of risk (secrets)
Of course the two secrets are not usually articulated openly:
- Risk management is presented to the outside world – especially to regulators – as 'rigorous, robust and integrated'.
- Few would speak up and admit doubts in a board meeting – and such doubts certainly wouldn't be minuted.
- To admit doubts over the value of risk management to your boss can be confused with not caring about risk.
- There's a risk management gravy train driven by... well you know that.
There's an understandable reluctance to speak up: the emperor's new clothes revisted.
But the beliefs get articulated. Not in the questions at conferences, where influential people can see who asked the question, but over coffee afterwards. Or indirectly when a board member groans about the lastest multi-coloured risk pack, while the strategic reality is that the company is on the road to oblivion.
If you're not sure about your people and the secrets why not ask them, off the record:
- What do you see as the value of risk management to us? Scary answer: it keeps the regulator happy, or helps the board sleep easier at night.
- What do you do differently as a result of our risk management? Scary answer: the person updates a risk register or events log every month.
How to put things righta road to recovery
If you think people in your organisation share one or both of the secrets I recommend:
- Accept there's a challenge
- Talk to a few trusted people within your organisation
- Take some initial steps to recovery. Value-based risk management: three lines of attack suggests improvements
You won't need new risk universes, frameworks or appetites – too much of this 'risk talk' may have caused those secret beliefs.