Working In Uncertainty

Embedding risk management: easier, faster, better

by Matthew Leitch; first published October 2003


Outside the financial services sector, formal corporate risk management activities usually involve a pattern of behaviour that will be familiar to most readers. Workshops are held at which people think of ‘risks’, rate them, and write down what they are doing or plan to do about the ones that seem important. The results are written up as a ‘risk register’.

The same behaviour occurs in the public sector, where it has been adopted as good practice.

People in many organisations feel this activity adds little value. Their reaction has been to involve the minimum number of people and do it no more often than is necessary for compliance.

Knowing this, regulators and other givers of guidance typically say that risk management should be ‘embedded’ in an organisation. It should not be something extra done to comply with their regulations, but part of normal management.

So what does ‘embedding’ really mean, how do you do it, and does it work? In this article I'll explain how the workshops arose, what the real issues are, and what embedding has to mean if we are to see risk management make the impact it should.

How the workshops began

The workshops are both an audit and a management exercise, which is why a lot of the problems arise.

First, the audit influence. A common regulatory requirement is to evaluate your internal controls regularly (e.g. Sarbanes-Oxley Act s302 and s404 from the USA, and the Combined Code in the UK). Conventional internal auditing involves detailed reviews of specific areas of an organisation and typically covers a small proportion of its activities in one year. How do you cover a whole organisation every year, and perhaps even every half year or quarter?

The answer that emerged was control risk self assessment, i.e. people audit themselves and sign off their conclusions to create a file of reassurances that directors can rely on. This can be done with paper forms or by entering information onto a database, but from the beginning it has often been driven by workshops. These workshops were designed to follow the leading thinking in audit, which is that audits should be risk focussed. The format was a direct result of audit thinking: list risks, look for controls, report gaps.

A second influence was the realisation that internal control systems (i.e. the many procedures organisations have to make sure that things happen the way they are supposed to) must be adapted frequently to meet new challenges. This comes through strongly in the influential ‘COSO framework’, written by auditors Coopers & Lybrand for the Committee of Sponsoring Organisations of the Treadway Commission in the USA. Again the focus was on identifying risks and you could say that the influence of auditors is strong here too.

What's wrong with the workshops and risk registers?

As an audit approach the workshops have a lot to offer, though they can lack objectivity. People are very aware of the answers they are expected to give.

As a risk management tool the workshops are not ideal because they tend to look at the current situation rather than looking ahead to identify where new work on internal controls will be needed. They are also let down by a number of common technical flaws that undermine risk identification and assessment. Far more time is typically spent thinking about risks and their effects than about the controls. Finally, it is risks that are prioritised rather than actions, which again reflects the lack of attention to actions. Since one control usually addresses several risks and one risk usually needs several controls (the relationship is many-to-many), a ranked list of risks does not tell you which actions are worth taking; this is a major technical fault.

It's not surprising that people often feel they only do formal risk management for their auditors.


Regulators advise ‘embedding’ risk management to encourage organisations to do something more effective than have an annual meeting at a senior level to produce some shelfware. They also advise it to argue that they are asking for something efficient that organisations should already be doing.

One interpretation of ‘embedding’ risk management is that you can do it by repeating the workshops more frequently and at more levels in an organisation. As it becomes a regular event doesn't that make it part of normal management?

The theory is that the thought process of the workshops (i.e. objectives – risks – controls) can be applied usefully to anything at any level. Enterprise wide risk management is sometimes described in just these terms.

A more realistic view is that there are many different techniques and ways of thinking about and managing risk and uncertainty. Embedded risk management is where the right techniques are applied where appropriate, in the right strength, and in a way that generates evidence of operation and effectiveness.

At its simplest this can mean elementary internal controls such as performing bank reconciliations to combat various risks related to faulty accounting and theft. More sophisticated examples of controls involve more risk thinking.

In effect, embedding risk management involves expanding the concept of an internal control to include more sophisticated management processes which involve an element of risk thinking. Here are some examples.

Credit management

Though there are spectacular exceptions, most companies manage the risk of not being paid by their customers. They have credit risk management embedded already, though perhaps it could be done better.

They have established procedures and computerised controls that cover assessing the risk of default, granting credit progressively, monitoring for possible default, and following up. Sophisticated methods may be used to assess credit worthiness. These methods are often reviewed and attempts made to improve them. Credit management procedures are documented and generate evidence that they have been carried out, i.e. they leave an audit trail. Typically there is monthly reporting of credit risk management performance.

These elements – multiple procedures, intelligent decisions, an audit trail, and frequent measurement and reporting – characterise embedded risk management.

Risk and uncertainty in strategic marketing

In contrast to credit risk management, risk and uncertainty are rarely managed well in strategic marketing planning. This is a pity because these plans involve huge uncertainties and are sometimes indistinguishable from the strategic plans of the whole enterprise. They can get a company into the sort of deep trouble that leads to ruin and, occasionally, false accounting.

An embedded risk management process here starts early, ideally before people tie their personal credibility to particular ideas. Reviewing major areas of uncertainty frequently helps guide the research and analysis that goes into creating these plans, as well as introducing risk and uncertainty management into the plan itself. There are some very simple tools for thinking about risks and risk factors, and more complicated analytical methods for estimating results.

Project risk management

A large organisation can easily have 100+ projects running at any time. The risks are considerable.

Workshops to try to identify specific risks and plan responses are increasingly common but they are just a small part of project risk management.

Different organisations have different habits on projects but typical activities include: tracking project risk factors, structuring projects to reduce the risk profile (e.g. incremental deliveries or a portfolio structure), continuous monitoring of new information for emerging risks, feasibility studies and other research, Monte Carlo simulation to support estimates, and independent audits.

It is not necessary for a risk management approach to be standardised to be embedded. A more efficient approach is to have a generic scheme which people are encouraged to flex as appropriate to meet the specific needs of their project.

The process of embedding

If embedding is interpreted as holding the same type of workshop at more levels and more frequently then the process of embedding looks very simple: define the thought process and way of documenting it then train as many people as possible to do it. The difficult part is to convince people that this is a good use of their time.

If you accept that embedding is more complicated than this the process of embedding becomes:

  • Identify risk and uncertainty management activities (a.k.a. controls) already operating, recognising the wide range of different techniques and thought processes that can be used.

  • Improve and refine them where appropriate.

  • Ensure the activities generate evidence of having operated and of their own effectiveness (e.g. performance metrics, independent reports) to minimise the need for audit and control risk self assessment.

At the top level it is helpful to have executive leadership (i.e. not normally the Audit Committee) that anticipates the need for work on controls and directs resources to it in good time.

The ultimate test of embedding

Sometimes it seems that whatever procedures we invent people find a way to manage risk badly anyway. This is not an illusion. In many situations people actively fight good risk management. Perhaps risk management should only be described as truly embedded when this fight is over.

That may be idealistic, but by understanding why people fight it we can perhaps begin to see how to change the psychology of risk management.

First, psychological studies show that we tend to have an overly narrow view of the future. We think we can predict and control it more than we really can. Second, everyday experience should confirm for you that we experience many pressures from other people that tend to reinforce this.

For example, imagine your boss suggests an idea. You think of a significant risk to it but he seems enthusiastic about his idea. Do you point out the potential problem? Imagine this time you have an idea and you want approval to go ahead. Your plan is based on some assumptions but as you list the advantages of your proposal to your boss do these even cross your mind let alone get into the conversation? We feel that a show of confidence, i.e. certainty, is important for making our case. If someone suggests a sensible risk management action for your plan would you be inclined to accept it or reject it? Many people reject such suggestions because acceptance implies they have doubts.

Target setting and incentives also play their part. If you are running a venture and believe that it could do better than expected do you say so and risk having your targets raised? If you fear it may turn out worse than expected do you say so now or stay quiet and hope that things get better so you never have to mention your concerns?

This is called uncertainty suppression and it is the enemy of good risk management. For example, a consulting company introduced a new idea for managing risk in bids. People had to estimate the expected profit, but also estimate the level they were 90% confident of beating and the level they believed they had a 10% chance of exceeding. This is technically good but actual estimates were far too narrowly spread with a strong bias towards upside risk!
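The narrow, optimistic spread the consulting company saw can be checked numerically once bids have closed, by counting how often actual results breach the 90% floor and the 10% ceiling. The following is an added example in Python, not the consultancy's method and not code from the original article; the bid figures are constructed, and the nominal 10% breach rate and the tolerance used to flag a problem are assumptions.

```python
"""Calibration check for three-point bid estimates.

Added example (not from the original article). Each bid estimate records the
expected profit, the floor the estimator was 90% confident of beating, the
ceiling they gave a 10% chance of exceeding, and the actual outcome.
If estimators are calibrated, roughly 10% of outcomes fall below the floor and
roughly 10% above the ceiling. Many more breaches than that mean the intervals
were too narrow; breaches concentrated below the floor mean upside bias
(estimators assumed things would go better than they did).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BidEstimate:
    bid: str
    expected: float    # estimated profit (constructed figures, in thousands)
    floor_90: float    # level the estimator was 90% confident of beating
    ceiling_10: float  # level the estimator gave a 10% chance of exceeding
    actual: float      # profit actually achieved once the bid closed

    def __post_init__(self) -> None:
        # An estimate whose floor/ceiling do not bracket the expected value
        # is malformed and would silently corrupt the breach counts.
        if not self.floor_90 <= self.expected <= self.ceiling_10:
            raise ValueError(f"{self.bid}: need floor_90 <= expected <= ceiling_10")


def breach_rates(estimates: list[BidEstimate]) -> tuple[float, float]:
    """Fraction of outcomes below the 90% floor and above the 10% ceiling."""
    if not estimates:
        raise ValueError("no estimates to assess")
    n = len(estimates)
    below = sum(e.actual < e.floor_90 for e in estimates)
    above = sum(e.actual > e.ceiling_10 for e in estimates)
    return below / n, above / n


def mean_error(estimates: list[BidEstimate]) -> float:
    """Mean of (actual - expected); negative means outcomes ran below plan."""
    return sum(e.actual - e.expected for e in estimates) / len(estimates)


def diagnose(estimates: list[BidEstimate],
             nominal: float = 0.10, tolerance: float = 0.10) -> list[str]:
    """Flag calibration problems. The thresholds are assumptions: a combined
    breach rate more than `tolerance` above the nominal 2 * 10% is called too
    narrow, and a gap of more than `tolerance` between the two breach rates
    is called a bias."""
    below, above = breach_rates(estimates)
    findings = []
    if below + above > 2 * nominal + tolerance:
        findings.append("intervals too narrow")
    if below > above + tolerance:
        findings.append("upside bias")
    elif above > below + tolerance:
        findings.append("downside bias")
    return findings or ["no calibration problem detected"]


# Constructed sample: ten closed bids from estimators who gave tight ranges
# and assumed the upside, the pattern the article describes.
SAMPLE_BIDS = [
    BidEstimate("B01", 100, 90, 120, 70),
    BidEstimate("B02", 50, 45, 60, 52),
    BidEstimate("B03", 200, 180, 250, 150),
    BidEstimate("B04", 80, 75, 90, 95),
    BidEstimate("B05", 120, 110, 140, 60),
    BidEstimate("B06", 30, 28, 35, 31),
    BidEstimate("B07", 150, 140, 170, 100),
    BidEstimate("B08", 60, 55, 70, 58),
    BidEstimate("B09", 90, 85, 100, 40),
    BidEstimate("B10", 40, 38, 45, 42),
]

if __name__ == "__main__":
    below, above = breach_rates(SAMPLE_BIDS)
    print(f"below floor: {below:.0%}  above ceiling: {above:.0%}  "
          f"mean error: {mean_error(SAMPLE_BIDS):+.1f}")
    print("findings:", ", ".join(diagnose(SAMPLE_BIDS)))
```

On the constructed sample half the outcomes fall below a floor the estimators were "90% confident" of beating, against one that beats the ceiling, so the check reports both narrow intervals and upside bias. Ten bids is far too few to be conclusive; the check is meant to run over a full period's closed bids, and the same scoring applies to any three-point estimate, such as project cost or schedule ranges.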

It's too early to say we know how to combat uncertainty suppression but here are some suggestions:

  • Leaders should show that they dislike uncertainty much less than its concealment and will reward responsible discussion of risks, both upside and downside. Most subordinates assume their boss is less enlightened than this so it is worth showing it often.

  • In activities like new product development it may help to avoid linking individual managers with individual ideas, while making it clear that wise choices are more important than getting your pet idea accepted. Start talking openly about uncertainties as early as possible.

  • Include upside and downside risks in formal risk management. Often it is best to start by simply asking people to identify ‘areas of uncertainty’ rather than ‘risks’. A purely negative focus tends to be demotivating and unpopular.

  • Remove management systems that use fixed targets and incentivise people to minimise variances between actual results and the target. Case studies of large companies that have done this show it can be done with good effect. It encourages people to plan for a realistic variety of futures rather than assuming that the target is what will happen.


To embed risk management begin by accepting that you already have a lot of risk management embedded and find it. Then go after the many opportunities for risk experts to facilitate changes throughout an organisation that:

  • improve risk management; and

  • improve the evidence of its operation and effectiveness, through audit trails and performance reporting, and so reduce the overhead of audit and control risk self certification.

Words © 2003 Matthew Leitch. First published October 2003.