Working In Uncertainty

‘So embedded it's disappeared’

by Matthew Leitch, 8 November 2004.

Is it possible to really embed risk management without it becoming invisible and then just fading away, forgotten?

If risk management isn't represented by dedicated documents and databases, how can we verify it is operating? Is there anything we can do that's more convincing than just asking managers ‘Do you consider risk in all your planning and decision making?’

Yes. To see how it can be done we need to form a clear and detailed picture of what embedded risk management looks like. Certain characteristics are testable objectively.

In practice most organisations will have both types of risk management occurring to some extent.


The analysis below suggests the characteristics of genuinely embedded risk management, and the scope for objectively testing that risk management is truly embedded. The outstanding source of evidence, and the first thing to look at, is the extent to which the organisation's management information is accompanied by information about its uncertainty.

If ‘risks’ are conveyed by separate reports, and other management information can be reported as if exact and reliable even when it is not, then risk management clearly is not embedded in any meaningful sense.

Detailed analysis

| Not really embedded | Truly embedded | Potential for assessment |
| --- | --- | --- |
| Runs on a calendar schedule (e.g. monthly, quarterly, semi-annually, annually). | Timing driven by events and project plans. | Limited because many risk management activities are not identified separately as such. |
| Infrequent. | Very frequent – even daily for some people. | Ditto. |
| Takes between hours and weeks to do. | Takes between minutes and hours to do – though it is often hard to say how much as it is interleaved with other activities. | Ditto. |
| Discrete activity. | An activity interleaved with others. | Ditto. |
| The process moves through (up or down) layers of management in sequence. | Operates concurrently at all levels. | Ditto. |
| Rolled out from a central source. | Developed from what is there already in each activity of the organisation. (With help from central team.) | Good. But activity of central support team does not directly indicate activities of everyone else. |
| Innovation occurs centrally only. | Innovation locally. | Not so good. |
| Looks the same wherever done. | Looks different in different places because of adaptation to different needs. | Good, but involves identifying RM activities by studying documents or observing behaviours across different areas and activities. |
| Driven by a specialist function and a system. | Driven by the desire of managers/executives to excel. (Though with help from specialists.) | Not easy to assess. |
| Carried by procedure documents. | Also carried by education, training, and coaching of people to develop their personal management skills. | Good, but evidence of training etc is not proof of change to everyday behaviour. |
| Core ideas | | |
| ‘Something we do’ | ‘The way we do things’ | Not practical to assess. |
| A corporate process. | A personal skill revered and desired by management/executives. | Ditto. |
| Success is seen in complete documentation. | Success is seen in the mental outlook, skills, and habits of managers/executives, and in the rate of appropriate use of risk-smart techniques. | Good, but requires study of documents and perhaps observation to identify use of risk-smart techniques. |
| Employees are rewarded for following the risk management procedure. | Employees are rewarded for excellent management of risk and uncertainty, including their conversational skills and ethic of openness. | Some potential if formally listed as an evaluation criterion, but might easily be ignored in practice. |
| Driven by compliance. In conversations managers and executives can talk openly about what needs to be documented versus what is best not mentioned for fear of alarming the auditors. | Awareness of uncertainty is a professional matter. Concealment of uncertainty is a serious ethical failing. You could not suggest or admit it to a colleague without a feeling of guilt. | Not something that can be assessed unless somebody is actually reprimanded for concealing uncertainty. |
| Few techniques – sometimes just one. | Many techniques – as natural as possible. | Good, but requires survey of techniques actually used. |
| Lots of checking, documenting, and authorising. | Lots of risk-smart planning, learning, anticipating, and modelling. | Ditto. |
| Mainly a check of current risks versus controls, or evidencing operation of controls. | Mainly planning and doing control changes to meet anticipated and newly arising risks. | Ditto. |
| Emphasis on checking the work of others and documenting things that should be happening already. | Emphasis on skilful handling of risk and uncertainty in management decision making and planning means that for managers and executives the emphasis is on ‘my’ work. | None. |
| Risk is considered when decisions are made, if at all. | Risk/uncertainty is considered throughout the development of plans and decision options, and used to develop those ideas and direct research and analysis. | Some potential for assessment, but only where consideration of uncertainty is documented. |
| Communicated by forms and/or databases. | Communicated by conversations and e-mail. | Not easy. Could survey e-mails for evidence of risk management. |
| Risk information is conveyed by separate systems, documents, or sections of documents. | Risk information is presented along with other information, since it is considered wrong to present uncertain information without its uncertainty being clearly presented at the same place and time. | Excellent potential. Risk information should be virtually ubiquitous and indirectly gives evidence of a lot of other risk related thinking. |
| Risk information is communicated upwards by one, or a very small number, of document channels. | Risk information is communicated upwards and downwards in almost every channel of communication, written and oral, so there is evidence of explicit consideration of risk in most documents. | Ditto. |
| Arises separately from the more routine activities of internal control. | An extension of the intellectual top end of a traditional internal control system, so that managers and executives perform controls too, including thinking that identifies and manages risk and uncertainty. | None. |
| What is really embedded are certain risk responses only. | Risk responses and the thinking that leads to them are embedded. | None. |

Words © 2004 Matthew Leitch. First published 8 November 2004.