Working In Uncertainty

Matthew Leitch column: Embedded risk management should be easier

by Matthew Leitch, first published 2004.

(This article first appeared under the title ‘The Matthew Leitch Column: Strip away the mystique: embedded risk management should be easier’ in Emerald Insight's publication ‘Balance Sheet’, volume 12 number 1, 2004.)

When you hear someone say ‘We need to embed risk management into the organisation’ do you groan inwardly at the thought of more of those interminable workshops? If so, you are not alone, but it doesn't have to be that way. Embedding should be easier, faster, and better.

There are two main interpretations of ‘embedding’. One holds that risk management is the thought process you go through in a control risk self assessment or risk management workshop, where you identify risks, assess their possible impact, and say what you are doing, or plan to do, about the ones that seem important. Embedding risk management means taking that process and repeating it more often at more levels of an organisation. Consequently a project to embed risk management involves defining the one true pattern of thinking and rolling out training.

All this is very easy to do but persuading people it is a good use of their time is not. People who attend the workshops often enjoy the experience and say it was useful. It can be a safe opportunity to air issues and concerns. But that is not the same as saying they would rather do that than something else.

The other interpretation of ‘embedding’ holds that risk management is something almost everyone does very often, in different ways at different times. A lot of risk management is already embedded, so a project to embed risk management should:

  • identify the risk management activities already operating;

  • improve and refine them where possible using whatever techniques are most appropriate; and

  • ensure they create evidence of having operated and of their effectiveness.

The last point is important, for this is how you can reduce the overhead of audit and control risk self assessment.

Embedding involves expanding our concept of an internal control to include more intelligent, risk-based patterns of thinking, and involving managers, not just accounts clerks. Here are some examples to make things clearer.

Credit control

Though there are spectacular exceptions, most companies manage the risk that their customers will not pay. They have credit risk management procedures, often supported by computerised controls, which involve some intelligent, risk-based decision making, monitoring of risk factors, and layers of corrective action. They monitor the effectiveness of their credit risk management using statistics reported at least monthly. They review and improve their methods from time to time.

These elements – multiple procedures forming a system, risk-thinking, and continuous monitoring of effectiveness – are characteristic of efficient embedding.

Strategic marketing

In contrast, the theory of marketing has hardly been touched by risk management and good management of risk and uncertainty in strategic marketing planning is rare. This is dangerous as the risks involved can destroy a company.

Embedding risk management here involves identifying the risk management that's already embedded, like product portfolio management and test marketing, then working on the gaps. For example, there are simple techniques that take a few minutes to apply and work during planning to direct planning effort, then inform the plan itself. SWOT analysis can be made more forward looking. Estimates of revenues and profits can include uncertainty explicitly. There are also some sophisticated analytical approaches that may be of use to very large companies.

Somewhere in the middle ground lies project management. Increasingly, project managers hold workshops and maintain risk registers, but a lot of the risk management action is in estimation, plan structuring, feasibility studies, and continuous horizon scanning.

Rather than seeing risk management as a list of individual responses to individual risks it is easier, quicker, and more effective to see controls as an organised system designed to deal with uncertainties ranging from very specific, known worries to more general unknowns.

Considering areas of risk in more detail is a way to refine that system, shaping it more exactly to the demands of particular projects and programmes.

Shorter workshops

Risk workshops still have a place. They can be used to anticipate areas where internal controls work is going to be needed, they can give people a safe opportunity to air concerns, and they can be useful for identifying risks and actions.

However, they can be easier and faster. Many workshop and risk register designs suffer from a huge bias towards risk analysis and away from controls and actions. Time is consumed by listing more detailed risks and impacts than necessary and debating meaningless ratings of risks. It is controls and actions that should be prioritised, not risks. Besides, for the vast majority of risks and actions it is obvious if the action is worthwhile so it should only be necessary to look more closely at expensive actions whose value is unclear.

Being open minded about possible outcomes and thinking about their impact is important, but time must remain for discussing controls and potential control improvements.

Even if the workshop is primarily for control risk self assessment it makes sense to give proper attention to controls. As an auditor I often found controls that appeared to be operating and meeting a risk were too badly designed to be effective. For example, a finance director who insists on authorising all journals personally and therefore has to give more signatures than he can possibly have time to consider properly, or a numerical comparison that is too approximate to show up the errors it is supposed to detect.

Here are some tips for shortening workshops:

  • Ask for ‘areas of uncertainty’ instead of ‘risks’. These are what people usually give anyway, and asking for them helps avoid getting bogged down in details. Unpack the area if you want more detail.

  • If you need to rate an area of uncertainty then rate the probability that its impact is more than a pre-specified amount. Do not rate likelihood and impact, which is illogical and confuses people.

  • Start with a generic model for a control system and use analysis to tailor it. This makes it easier to think of actions and tends to close down unnecessary debate of risks.

Words © 2004 Matthew Leitch. First published 2004.