What is risk management?

The GRC PunditWritten by
Published onDiscussionLeave a Comment on What is risk management?

Risk management is maturing, but as a result needs to be understood correctly and reminded that it does not rule the roost.

I have three teenage boys (19, 18, and 16).  At times my boys get to big for their britches and need to be reminded what the pecking order is.  It does not mean they are less loved or less valued – they just need to understand context and where they fit.  As with any child becoming an adult they like to challenge authority:  to think that they are in control and operate as the center of the universe.  After all, they know more than Mom and Dad.

My concern with risk management is that many (not all) risk professionals are trying to redefine risk management to make it something broader than it actually is.

There was a great article on risk management published by Harvard Business Review in June 2012, “Managing Risk: A New Framework” written by strategy guru and balanced scorecard co-creator Richard Kaplan and his colleague Anette Mikes.  The argument is that there are fundamental differences between traditional risk management focused on preventable risks and risk management for strategy and external risks.  What caught my attention was the concluding paragraphs, which stated:

  • “Managing risk is very different from managing strategy. Risk management focuses on the negative—threats and failures rather than opportunities and successes. It runs exactly counter to the “can do” culture most leadership teams try to foster when implementing strategy. . . . Moreover, mitigating risk typically involves dispersing resources and diversifying investments, just the opposite of the intense focus of a successful strategy. . . . For those reasons, most companies need a separate function to handle strategy- and external-risk management. The risk function’s size will vary from company to company, but the group must report directly to the top team. Indeed, nurturing a close relationship with senior leadership will arguably be its most critical task; a company’s ability to weather storms depends very much on how seriously executives take their risk-management function when the sun is shining and no clouds are on the horizon. Risk management is nonintuitive; it runs counter to many individual and organizational biases. . . . Active and cost-effective risk management requires managers to think systematically about the multiple categories of risks they face so that they can institute appropriate processes for each. These processes will neutralize their managerial bias of seeing the world as they would like it to be rather than as it actually is or could possibly become.”

For the record, I completely agree with these statements from Kaplan and Mikes. Risk management is maturing and the organization needs to make a proper place for it.  Just as my sons are looking to the future and going to college – I fully support them and want to see them fulfill what they have been called to do and contribute to society.

There are three lessons that I think risk management needs to learn:

  1. Risk management does not equal strategy management.  I posted an excerpt of the HBR article to several LinkedIN groups to seek perceptions.  The response from some was that “strategic management = risk management.”  This is a mistake. Strategy management is broader than risk management.  Yes, risk management is part of strategy management but it does not equal strategy management.  My fear is that we are putting the cart before the horse.  To keep it to an equation “strategy management > risk management,” that is strategy management is greater than risk management.  The two are not synonyms, though good strategy management will contain risk management.
  2. Risk means there is a downside.  In order to have a risk there has to be potential for a less optimal outcome.  That is where I think that ISO 31000 confuses many on the subject of risk and strategy management.  ISO 73 and 31000 defines risk as the “effect of uncertainty on objectives.”  A more accurate understanding is that risk is an event or condition that creates a state where undesirable effects may be possible.   Risk management is the act of managing processes and resources to address risk while pursuing reward.  I am all for simple and straight forward definitions but in this case I think ISO simplifies the definition too far.
  3. Strategic risk management requires different paradigms.  Much of the confusion on risk management is that risk in many organizations was buried in the bowels of the organization.  It was not an executive function.  It has been focused on insurable risks, threats, and hazards.  It was focused on preventable risks.  With growing awareness that we need formalized strategic risk management many have leapt to think that how risk is managed in the depths of the organization is how strategic risk is managed.  They are different – and require different mindsets.

At the end of the day, we need to understand that risk management is maturing.  But risk management from the top-down is not the same as how we have historically understood risk management. How we manage threat and hazard risks is different than how we manage strategic risk.  We have always managed risk as part of strategy – but it is becoming more formalized and needs a real seat at the strategy table.  However, this does not mean that risk rules those gathered at the table.  It is simply part of it.

I am anxious to hear your thoughts on the subject, though before you grill me – I would encourage you to read the HBR article.

Leave a Reply

Your email address will not be published. Required fields are marked *