Working In Uncertainty

The way ahead for risk management and internal control in organizations


We all face uncertainty — a consequence of our limited control and knowledge — all the time. We deal with it, but not always, and sometimes not very well. In organizations, various factors can make this more difficult. Some spectacular failures, among other things, have prompted people to introduce more organized and focused efforts to improve our performance under uncertainty. Two such efforts have been called risk management and internal control. Various approaches to these have been devised and promoted, often through influential guidance documents, standards, regulations, and contract terms.

Most people want what these efforts at risk management and internal control aim to provide. We want our organizations to be more efficient, safer, more adaptive and responsive, and better able to take advantage of opportunities. Sadly, much of the guidance and many of the requirements for risk management and internal control are not doing these things as well as we would like, and the method that is most prominently advocated today for organizations — Risk Listing — will never satisfy us because it doesn't integrate into core management activities and has a narrow scope[1].

How can we get to guidance, standards, and requirements that promote better management in uncertainty? What should risk management and internal control in organizations look like in future? How can we look at these problems more realistically and start to boost the good practices that people already use instead of struggling to get them to do something new and unwelcome? How can we get to where we want to be from where we are now? In this article I'll elaborate on where we would like to be, then contrast it with where we are today, before suggesting a path forwards consisting of steps that are simple, achievable, and attractive to (nearly) everyone. With a little thought, many characteristics of the way forward emerge as inevitable.

The main conclusions are that successful approaches to risk management and internal control will involve varied, distributed changes to the way management is done, prompted and sustained by tangible changes to the environment in which people work. Lists of 'risks' will not be a significant part of this approach. This pattern of distributed change is typical of many corporate projects, including traditional internal control work, so involves no great novelty. For example, internal auditors can tackle this by expanding their ideas of what an 'internal control' is to include more intelligent features of management and then simply go about their work in their usual way.

The contrast between desire and reality

Where we would like to be

Most people with expert knowledge of 'risk management' and 'internal control' would like the two to be seen as one, with no duplication of guidance, regulation, staffing, and so on.

What almost everyone, traditionally, would like to see from all this is positive results. We want less bad stuff in our lives, whether it is unexpected or not. We want to see fewer people hurt and killed. We want companies to fail stupidly less often. We want our savings and investments to be secure and we want our insurance claims paid. We want our governments to do what they plan to do without spending much more than they planned to spend. We want the Olympics to cost no more than promised.

In recent years many have expanded their hopes beyond avoidance of bad stuff to encompass all the improvements that might be expected from dealing with uncertainty more effectively at work. We want our organizations to be more responsive, adaptive, efficient, competitive, and successful, as well as experiencing fewer failures and less collateral damage.

In addition to having hopes for good results we also have ideas about what it should be like to manage risk well, and these ideas reflect a desire for effectiveness and efficiency. We hope that the methods used for this will require little or no administrative overhead and that, by being natural and effective, they will provide permanent improvements throughout all management activities. Managers won't be doing risk management, but by managing well they will manage risk.

Put another way, we don't just want risk management to be integrated with internal control; we want both to be natural results of doing core management activities well[2].

That's what we would like.

Where we are now

Every organization is different but still there are some things we can say about the situation now that summarise issues felt by many.

Disappointing results

Despite a lot of talk about risk management and internal control, and despite at least two decades of energetic regulation and rule making, companies still fail for stupid reasons. The global financial crisis of around 2008 was widely seen as intensified by poor risk management by banks and others involved in mortgage markets. Government projects continue to under-deliver and over-spend, despite implementing the risk management and governance methods seen as good practice. The Olympics continues to cost more than expected (unless you forget your original budget and just focus on the latest one!). People continue to be killed on the roads, in factories, and on holiday. Abused children continue to be overlooked by social workers from time to time and doctors and nurses still make the occasional fatal mistake.

Too many core management decisions — the ones that matter — are made in similar ways to the past, unaffected by 'risk management' initiatives. Too much of existing guidance and requirements are not producing enough positive change.

Unsuccessful experiments with Risk Listing

Most organizations are not forced to operate risk registers or sophisticated mathematical risk models, so they don't. They are managed by people who try to do a good job and, to an extent that varies, they succeed in managing in a way that enables them to survive and thrive in a world that is hard to control and predict.

Other organizations, usually larger or pressed by laws or regulations, do much the same but also have one or more risk registers at the centre of a Risk Listing process. Maintaining this process involves having occasional meetings to discuss the 'risks' on the risk register. In most cases this does not have much impact on how most management is done, but it can lead to some decisions (or revisions of decisions) on matters that are mainly 'responses' to risk, such as insurance, fire safety systems, and credit limits. Rather confusingly, the Risk Listing process is referred to as 'risk management', even though in reality most risk is managed within core management activities in the same way as for an organization not doing Risk Listing.

Some of these organizations have appointed someone, or even a team, to run the Risk Listing effort and have even spent money on software to hold the information about 'risks' and produce reports. However, it's a tough job. The process is not loved by many and promoting it requires a lot of effort, persuasiveness, and cunning ploys. For example, to make risk register meetings more popular it helps to fill their agenda with other activities, loosely related, that are more useful, such as briefings on current strategies and performance. Risk managers tend to be either full of pride for having got Risk Listing procedures operating at all, or disillusioned by the lack of appreciation for that Risk Listing process despite years of operating it. The job title 'risk manager' raises expectations that cannot be fulfilled when, in reality, the job is to be the Risk Listing manager.

Problems with risk models

Other organizations, particularly banks, insurance companies, and organizations where scientists are involved, use sophisticated mathematical models held on computers to make probabilistic forecasts of the results of current and alternative plans. These tend to be more directly supportive of good decision-making and the forecasts are more informative than those coming out of Risk Listing. However, even here there are often profound problems.

Models are often systematically biased for technical reasons, usually towards giving narrower distributions than they should. For example, the usual tests of 'normality' take normality as the null hypothesis and only reject it when the data are clearly not normal. With the small samples typical in practice, heavy-tailed data frequently pass such a test, and the model built on the 'normal' verdict then has thinner tails than reality. Where a lot is at stake, reliance on these models can be costly.
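The thin-tail bias described above, shown by simulation. This is an added example, not code from the original article or from any real risk model: it draws heavy-tailed (Student-t) data, runs a Jarque-Bera normality test on small samples, and then compares the tail probability a fitted normal would report with the tail frequency actually observed. The degrees of freedom, sample sizes and the 5% critical value are assumptions chosen for illustration; only the Python standard library is used.

```python
"""Thin-tail bias from a 'normal unless proven otherwise' test.

Added example (not from the original article). All data are
constructed by simulation; no real risk model is involved.
"""
import math
import random


def student_t_sample(n, df, rng):
    """Draw n values from a heavy-tailed Student-t distribution with df
    degrees of freedom, built as normal / sqrt(chi-square(df) / df)."""
    out = []
    for _ in range(n):
        z = rng.gauss(0.0, 1.0)
        chi2 = rng.gammavariate(df / 2.0, 2.0)   # chi-square with df d.o.f.
        out.append(z / math.sqrt(chi2 / df))
    return out


def jarque_bera(xs):
    """Jarque-Bera statistic from sample skewness and kurtosis.
    The null hypothesis is normality: the test only 'rejects normality'
    when the statistic exceeds the critical value."""
    n = len(xs)
    mean = sum(xs) / n
    m2 = sum((x - mean) ** 2 for x in xs) / n
    m3 = sum((x - mean) ** 3 for x in xs) / n
    m4 = sum((x - mean) ** 4 for x in xs) / n
    skew = m3 / m2 ** 1.5
    kurt = m4 / m2 ** 2
    return n / 6.0 * (skew ** 2 + (kurt - 3.0) ** 2 / 4.0)


# Asymptotic chi-square(2) critical value at the 5% level (assumed cut-off).
JB_CRITICAL_5PCT = 5.99


def fraction_accepted_as_normal(df, n, trials, rng):
    """How often a heavy-tailed sample of size n fails to be rejected,
    i.e. is treated as normal by the test."""
    accepted = 0
    for _ in range(trials):
        if jarque_bera(student_t_sample(n, df, rng)) < JB_CRITICAL_5PCT:
            accepted += 1
    return accepted / trials


def normal_tail_prob(k):
    """P(|X - mean| > k * sd) for any normal fitted by mean and sd."""
    return math.erfc(k / math.sqrt(2.0))


def empirical_tail_freq(xs, k):
    """Observed frequency of values more than k sample-sd from the mean."""
    n = len(xs)
    mean = sum(xs) / n
    sd = math.sqrt(sum((x - mean) ** 2 for x in xs) / n)
    return sum(1 for x in xs if abs(x - mean) > k * sd) / n


def demo(df=6, small_n=30, trials=400, big_n=100_000, k=4.0, seed=1):
    """Run the comparison with a fixed seed so results are reproducible."""
    rng = random.Random(seed)
    accepted = fraction_accepted_as_normal(df, small_n, trials, rng)
    big = student_t_sample(big_n, df, rng)
    return {
        "accepted_as_normal": accepted,          # share of small samples passed off as normal
        "normal_model_tail": normal_tail_prob(k),  # what the fitted normal claims
        "actual_tail": empirical_tail_freq(big, k),  # what the data actually do
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.5f}")
```

The first figure shows that most small samples from a heavy-tailed process are accepted as normal; the last two show that, once the normal is adopted, the chance of a move beyond four standard deviations is understated by well over an order of magnitude. That gap is the 'narrower than it should be' distribution the text refers to.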

Also, just as 'risks' put on a risk register by one person can mean little to another person (who sees the world differently and with different information, values, and decisions in mind), risk models created by one person can mean little to another person.

A risk model provides a probabilistic forecast of the future but that forecast depends on the information used in the model and how the information is used. These are chosen by the modeller or a regulator, or both. Consequently, the model's forecasts do not reflect the knowledge of the executives and others expected to use the model in monitoring and decision-making. Those users may be suspicious of the model for a variety of reasons and think that the model is not correct, or at least that it does not represent their views. Building models that implement regulatory rules often undermines their value for business decision-making. There is also confusion about what the 'probabilities' mean, with some thinking they are estimates of objective frequencies while others think they are numbers you could bet with. Most people don't even realise there is a huge issue here.

Little effective integration

While there are signs that regulators are starting to bundle risk management and internal control together, integration into core management activities is still a long way off.

Risk-listing is inherently a separate activity focused on 'risks', a new type of entity unconnected with normal management concerns. Its rituals of separate meetings, reports, databases, and baffling jargon (e.g. 'risk criteria', 'risk appetite', 'risk framework', 'risk culture', 'risk management process') serve to keep it separate. Most people regard it as alien and irrelevant, though they don't say that unless they know it is safe to do so.

Risk managers in financial firms have become quasi auditors, checking up on people and issuing reports. They often operate a system of limits designed to control trading and lending. Consequently, they find themselves in conflict with others in their business, usually having to argue against courses of action they or their models regard as too risky, while their colleagues are exasperated by the risk manager's apparent negativity. Matters are made worse when the risk manager also has to act as Risk Listing manager, giving people another reason to be unappreciative.

The gap summarised

That's where we are now. Clearly, there is a big difference between desire and reality. The technical methods tried so far, especially Risk Listing, have been disappointing and narrow in scope, leaving most management unchanged and, consequently, leaving results largely unchanged too. A different approach is needed.

The way ahead — overview

The obvious way forward, in principle, is to make changes to the way core activities are done so that they perform better despite our limited control and knowledge[4]. That's what guidance and requirements should promote. That's what corporate risk managers should promote. But how exactly do we do that if there is already an investment in Risk Listing? How do we change core management activities if people are not used to deliberate changes to their methods, or are fed up with being told to make changes?

Fortunately, we already know enough to deduce a lot about how this can be done. Many features of an effective approach are inevitable, given the task and the well-known realities of organizational life.

In this overview of the way ahead I will deduce characteristics of the way forward. Whatever approach you choose to adopt, it is very likely that your approach will work better if it has the characteristics identified below.

First, your approach needs to be both attractive and effective. It needs to be attractive because if people need a lot of convincing then it will be hard to get change underway and hard to maintain it. It needs to be effective for reasons that are even more obvious.

An attractive approach

What would make an approach attractive? Here are some important characteristics.

A mix of practicality and psychology

One characteristic is that it has to include the ideas that many people, almost instinctively, are now thinking they want to try next. Many have concluded that an approach focused only on following prescribed corporate procedures is not working and that something broader and more focused on human thinking, feeling, and behaviour is needed. Attempts to fill the gap with 'risk appetite' and 'risk culture' have seemed intriguing but are too muddled and vague to be anything more than debate about buzz phrases. But still, the idea that we need to go deeper into the minds of people is compelling. Psychology is important.

At the same time, we know that unless an idea suggests a practical and effective course of action it won't make any real difference. What improvement, if any, will be achieved by exhorting people to change their attitudes or beliefs? How long will the impact of appeals for better behaviour last? How can we check that any of this has helped, and what will the auditors look at?

Somehow, changes to our thinking and resultant behaviour need to be prompted and supported, over the long term, in tangible, observable, persistent ways. Changes to the procedures, databases, forms, spreadsheets, and so on that people interact with every day will be part of the approach, but those changes will need to be psychologically effective.

Easy to get started

Another characteristic of an attractive approach is that it should not require a huge initial commitment. If you were offered a way ahead that involved spending a lot of money on software and consulting in a project lasting years that was not due to provide any advantages for at least a year, and where things were expected to get worse before they got better, would you be eager to get started? No.

It is much better to propose incremental change that involves a stream of rapid but small changes, focused so that resources are used efficiently[3] and the first benefits are enjoyed as soon as possible.

Familiar and straightforward

There's a certain buzz around doing something that is pioneering, but getting permission to try is often very difficult. People are naturally wary of betting on something they don't understand or have no previous personal experience of. It's easier to get started using familiar, straightforward techniques. You have enough novelty to get attention provided the techniques you propose are good ones that haven't been used in an energetic and focused way in your organization recently.

Proponents of Risk Listing like to argue that risk registers are simple and familiar, and that any alternative must be complicated and newfangled. This is all nonsense, but to counter this tactic it is a good idea to give examples of simple changes to working methods that will improve performance under uncertainty, involve using familiar management methods, and do not require advanced mathematics. For example, you could mention incremental projects, disclosure of the source of estimates, and asking people to think of alternative scenarios.

Makes no enemies

Another characteristic of an attractive approach is that it should not disadvantage people who can stand in the way. The focus should be on changes to working methods that provide some kind of benefit to everyone who has to agree. Ideological debates about management methods can often be avoided by suggesting sensible practical changes rather than proposing principles.

Summary of attractive characteristics

The closest we can get to this fantasy ideal is to use an incremental approach where each carefully selected step along the way delivers a change that is beneficial almost immediately and disadvantages nobody, and where each step is tangible but psychologically justified, and is simple, familiar, easy, and quick.

An effective approach

Two main activities

First, since we want risk to be managed as a by-product of doing core management well, and not as a separate activity, the changes to do this must be distributed through those core management activities, wherever and whenever they occur. Therefore, risk management cannot be left to a separate activity with its own reports, meetings, and database. Any programme designed to bring about improvements will need to effect changes across an organization, crossing departmental boundaries, and reaching into the detail of how work is done.

This type of programme is not new. Old-fashioned internal control improvement programmes have these characteristics. Getting lots of people in different places in an organization to make many changes to the way they work is also a common challenge for legal compliance, marketing, customer relationships, branding and corporate identity, ethical codes, and so on.

Second, it is clear that ideas for improvements won't all surface in an initial planning phase but, instead, will continue to emerge as experience is gained and events unfold[3]. Also, with widespread changes it is common to find that work teams find change easier at some times than at others and so programmes have to be flexible enough to shift their attention to those parts of an organization that are able to change at any given time. Therefore, an ongoing, lightweight, flexible planning and focusing activity is needed that starts the whole programme but continues to guide and shape it throughout its life.

In summary, a risk management and internal control improvement and maintenance programme can be thought of as two activities: (1) a lightweight planning/focusing activity, and (2) streams of changes.

The roles

The main roles are also familiar and predictable. There will be people whose work will be involved in the changes, some of whom will be 'owners' of processes, systems, documents, models, etc. There will be a leader, or leading group, that wants to see the changes done and bring about improved management of risk. There may also be someone to whom the task of prompting changes, following up, and reporting progress is delegated, and that person might have a team to help.

In practice, the person to whom the programme is delegated tends to have a more sustained and intense interest than the leader(s), due to full-time involvement and, often, more specialist knowledge and interest. So, at times, that person becomes the main driver of work, sometimes having to take action to sustain interest at the leaders' level. That's the reality as many risk and control managers will confirm. It is also the reality for specialists driving programmes in marketing, customer handling, branding, legal compliance, and so on.

Where the programme has been delegated there is of course a need for progress reporting and monitoring. Typically that means regular meetings, a steering committee of some kind, and progress reports. You can think of this as a third activity or as just part of the planning/focusing activity.

Types of change

The types of change that are made are crucial. Fortunately, quite a lot can be deduced about the nature of the changes that will be part of an improvement and maintenance programme. We know from research[2] that this will not involve introducing risk registers in as many places as possible. The changes will be more varied, more intelligent, and more naturally part of each affected management activity. However, in the vast majority of cases they will be simple and familiar.

Expanding the scope of 'risk management'

If the organization has had Risk Listing operating for a while, or is working in a sector where Risk Listing is dominant (e.g. audit, construction projects), then there will be a need to expand the perceived scope of 'risk management' so that people do not focus exclusively on making lists of 'risks'. If this is not done then people in all the roles described above could fail to cover all the important opportunities for improvement.

In addition to new statements of scope it will help to use a descriptive name such as 'Risk Listing' to refer to the Risk Listing process. Other language in documents that refers to 'risks' and clearly has Risk Listing in mind can be revised to open up risk management to more possibilities[5]. At present, most documents about Risk Listing call it 'risk management', which is misleading since Risk Listing is only one suggestion for how to manage risk.

Here is a list of things to consider doing, including the items just mentioned:

  • Merge internal control and risk management so that the traditional approach of distributed internal control composed of many small changes to behaviour and systems can be expanded to include more 'intelligent' changes that involve explicit consideration of uncertainty, where worthwhile.

  • Rename Risk Listing from its usual preferred name of 'risk management' to something more accurate, such as 'Risk Listing' or 'risk register system.'

  • In documents about 'risk' and the approach to risk management, replace the risk jargon with more familiar, plainer words that focus on probability and value. Remove Risk Listing language and replace it with more open language that does not push readers towards Risk Listing.

  • Change internal audit programmes to direct them towards the changes that should be improving core management activities and to reduce the focus on Risk Listing.

  • Expand progress reporting about risk management so that it reflects the full scope of work being done to get people managing risk better, not just progress with risk registers.

Using a balanced set of objectives

A very common challenge for organizations is to develop and maintain a system of objectives (in the broadest sense) that covers everything that matters and then pay attention to the full set at all appropriate times. The objectives might have various other names, such as success factors, goals, themes, and KPIs.

This is related to management of risk because risk management failures have often been due to focusing on one subset of objectives at the expense of others (e.g. budget variances rather than safety).

If there is any doubt that an organization's current system of objectives adequately reflects such matters as safety, control of fraud, accidental waste, money laundering, and so on, and at the right level, then a review would be helpful. It might also be helpful to compare any existing risk register material with current statements of objectives to find important measures of results that are missing from the objectives.

Also, if there is any doubt that all relevant objectives are properly considered at all times when they should be, then there is the opportunity to review the current situation and perhaps make improvements. Simply thinking through the occasions where people should use the objectives will reveal a further set of potential changes that may be worthwhile.

All this is familiar and straightforward. Many organizations will already have objectives to minimise the impact of unplanned, unintended bad stuff. It is just a matter of doing, properly and consistently, what we already know should be done. In summary, items to consider include the following:

  • Identify sets of objectives in use: They exist at different levels (e.g. group, company, division, department, team), and for different activities (e.g. design, planning, individual decisions).

  • Fill gaps in objectives: Build on what is already in place. Typically there are objectives about money and about changes, but fewer about non-financial results and maintenance. People tend to think of about half the objectives that matter if they are not prompted, so provide prompts. Consider all the factors driving results and use cause-effect drawings. Make up a checklist. Perhaps compare objectives with the contents of risk registers.

  • Make it easier to work with multiple objectives: Public sector managers are familiar with the challenge of chasing many conflicting objectives and tend to feel that this is a problem created by their political masters. It isn't. Multiple objectives are a help, not a hindrance. They are a natural result of using subsidiary objectives as a guide. Multiple objectives can be made easier to deal with by structuring them into a causal model. In some cases objectives can be put into a value model (i.e. a mathematical formula that values every possible combination of outcomes on every objective and summarises them all into one overall number). Conjoint analysis is useful for establishing the values. A simpler but less accurate approach is to use linear combinations of objective values, which is still better than unaided judgement in most cases. A simple matrix format (an 'impact estimation table') helps with thinking about the effects of several courses of action on a set of objectives.

  • Get all relevant objectives considered on all relevant occasions: These occasions include monitoring/situation-assessment and decision-making (including selecting between given alternatives, planning, and design).

    • Monitoring and situation-assessment: If something is an objective it probably should be measured, or at least judged, periodically, summarised, reported, monitored, and responded to. Putting reports in front of people reminds them to think about the objectives involved, which is helpful if people tend to forget those objectives.

    • Selection: Choosing between available, given alternatives (e.g. suppliers, employees, investments, clients and client assignments, technologies) is a classic type of decision. Objectives are taken into account when people forecast what could happen under each course of action under consideration, and how performance against each objective would be affected, and then value those effects. Just predicting the direct consequences for cash flows is useful but not enough. What about safety? What about security? What about indirect effects involving customers or competitors? Thinking through indirect effects, including safety incidents and operational mess-ups, can reveal indirect routes to considerable and important costs and windfalls.

    • Planning: From long-range whole-business planning to daily diary-filling, planning should take into account all the relevant objectives, not just some of them. Planning involves sets of related decisions, so the way objectives are taken into consideration is again by predicting and valuing the effects of alternative courses of action under consideration.

    • Design: This is a broad range of vital management activities and includes design of products, price schemes, the organization, its processes and systems, premises, training programmes, and many other things besides, not just a logo and a uniform for low paid workers. Often a design task is linked with the planning needed to implement the design. As before, all relevant objectives should be considered at all times, and forecasting and valuation are the way to do so.

Encouraging open-minded management

Another desired result from risk management is that people should deal with uncertainty more effectively, allowing them to manage good luck as well as bad. This is not a direct logical consequence of having a balanced system of objectives and using them, so we need to do more. The usual tendency is for people to think too narrowly about what might happen, what might have happened in the past, and what might be happening now. Instead, we tend to think we know more than we really do know, and tend to think we have more control than we really have. Consequently, we tend to be more surprised than we should be and getting older does not always teach us the required lesson.

In addition to cognitive biases that affect an honest person thinking under uncertainty alone, there are pressures that come into play within an organization that bias us much more. For example, to get our proposals accepted by our bosses and customers we tend to understate the costs, overstate the benefits, and pretend to be more sure of our predictions than is really justified.

These 'mental blinkers' reduce our ability to diagnose our problems, leave us vulnerable to unreliable management 'information', and damage our decision-making, including within design and planning.

Unless a lot of work has already been done to counter this, there will be scope for improvements. Happily, almost everyone recognizes that this kind of open-mindedness is a good thing. Occasionally we forget, but in principle we mostly agree.

  • Find the occasions where open-mindedness is useful: There are lots of these. Every time we try to work out what happened in the past, what is going on now, or what might happen next, we can benefit from being more open to possibilities.

  • Reduce conflicts of interests: There may be opportunities to do this by changing incentives and by separating roles. A common issue is that people see career progression in getting their ideas approved and supported, not in analysing business ideas objectively. It may be helpful to separate development of business ideas from assessment and presentation of them for approval.

  • Provide helpful instructions: Instructions to be objective, focus on evidence, and avoid advocacy can be helpful. It can also be helpful to make it clear that revealing uncertainty is not itself a bad thing; some uncertainty is inevitable and failing to recognize it and respond is the real mistake.

  • Implement debiasing techniques: There are many techniques that can reduce bias. The wording used to ask for estimates is crucial. The way a group of people is asked for an estimate is crucial because of the problem of anchoring. The formats used in forms and spreadsheets to support estimates can make a huge difference to bias. Scenario planning techniques can be helpful because they usually force people to consider possibilities just a little outside what they would have thought plausible, and because the story-telling step makes those scenarios seem more likely (correcting our natural bias to some extent). Sensitivity analysis is helpful but can be taken much further using large numbers of scenarios. The simple request for a range rather than a best guess is a great step forward and can be developed into more sophisticated distributions for uncertain amounts. There are also simple technical solutions to problems coordinating estimates across multiple scenarios. Most of these techniques are easy to learn and to do. Some simple question formats can be used in ordinary meetings and take less time than the futile and biased debate that a more conventional opening would produce.

  • Require disclosure of sources: Management information, estimates, and assumptions should not be presented without a stated source, even if that source is just the name of the person whose opinion is being quoted. Users of information should know the quantity and quality of evidence involved, and can also be helped by more specific statements about measurement uncertainty. With these disclosures made it is easier for everyone to understand when more information gathering might be worthwhile. Many people think that explicitly disclosing 'assumptions' is a good practice. It is better than hiding them, but not as good as analysing the uncertainty around those assumptions. Consultants who provide calculations based on stated assumptions but do not provide any further information about those assumptions are only doing the easy part of their job, not the useful part.

  • Reward objective, rational, thoughtful management: People should know, and be reminded often and at the right time, that they will be recognised and rewarded for good management. Their boss is looking for diligence and objectivity, not for passionate advocacy.

Changes to reduce other dysfunctional management behaviour

Mental blinkers are not the only type of dysfunctional behaviour that reduces the effectiveness of management and management of risk. We want managers to be fair, honest, and willing to think hard and use evidence. We don't want them to focus on their personal interests only, to lie, and to be mentally lazy[6]. If there have been any problems in these areas in the past then improvements might be sought.

This is a big topic and one where more research is urgently needed. Here are some suggestions to give a flavour of the steps that could be taken.

  • Revising incentives to make rewards for performance depend on behaviour as well as results (because results are often partly luck), to make them more long term, to eliminate rewards based on comparisons with obsolete targets, and to avoid bonuses given for achieving a target level. It is better to make the link between performance and results reflect the true value of a person's contribution rather than set up artificial thresholds that trigger very big changes to rewards. A realistic linkage encourages sensible decisions more aligned to the interests of the organization.

  • Clearly communicate that everyday lies, such as exaggerated confidence, are unethical and not acceptable. Our tendency as a society is to ignore these behaviours and even reward them as effective advocacy.

  • Put timely reminders of ethics in place.

  • Clarify rules to reduce the fudge factor that allows people to cheat while still seeing themselves as honest.

  • Adjust staff evaluation criteria to emphasise objectivity, honesty, and fairness.

  • Hire more people for those qualities.

Changes that act in more than one way

There are several other management techniques that make a huge contribution to good management under uncertainty and have multi-faceted effects. The best I can do at present is include them in this 'miscellaneous' category but that does not mean they are unimportant. In practice many of the most important changes will come from this category. Such methods include the following:

  • Involving people so that their knowledge is available and used.

  • A system of rules that constrains the decisions that each manager can take (e.g. spending approval limits).

  • Controlling the ratio of fixed to variable costs in a business.

  • Checklists for complex activities where we know what to do but there's a lot to remember and mistakes would happen otherwise.

  • Incremental/EVO project delivery, providing value to stakeholders at frequent intervals and maintaining a rolling, adaptive plan.

  • Rigorous inspections, potentially on a sample basis, against quality rules.

  • Pre-emptive maintenance, with monitoring of signs of damage.

  • Portfolio management.

  • Cheap experiments, with controls where possible.

  • Information graphics to boost learning from data.

  • Multiple layers of defence/control.

  • Designed-in redundancy.

  • Process control monitoring, presenting data from controls using suitable information graphics.

The obvious steps here are to:

  • choose the methods likely to be good for your organization;

  • identify the very best situations to apply them; and

  • set up the first (selective) policy for default use in these situations and develop from there.

Clearly, knowledge of the methods is important in picking out the ones that fit an organization and will give most benefit. Although that is obvious, I suspect the main reason the above methods are not used even more than they are now is that many people don't think of them.

Asking for changes

Programmes of distributed, varied changes typically combine different approaches to asking for (or demanding) changes. They combine central control with distributed, local control. You don't want to prescribe something that is a bad idea for some people and you want to leave everyone feeling empowered, but at the same time all that thinking is hard work and people sometimes prefer just to have it done for them and to follow some rules. There are also times when people have failed to make changes that clearly would be worthwhile, so they need to be helped, or pushed.

The most prominent method of pushing forward risk management and internal control has often been for auditors or 'risk managers' to conduct independent reviews of the way some work is done and write reports that highlight issues and make recommendations. The reports are discussed then actions are agreed and logged for later follow up.

However, this mechanism can be quite slow, labour intensive, and pressured. At least three other mechanisms also make a substantial contribution though it may not be as obvious. First, risk control specialists and others also act as official or unofficial consultants, making positive suggestions that are not included in official reports. Their suggestions can go as far as quite detailed design work. Second, the specialists sometimes have their own resources to use to introduce tools that can be used by others (typically software and databases). Third, larger programmes of change to systems and processes (e.g. a big systems project) often include important changes that will improve management under uncertainty.

All these mechanisms could be useful.

Following up on changes

Inevitably, agreed changes will need to be followed up systematically because not all of them will take place, others will be done badly, others will introduce new problems, and still others will be forgotten later or circumvented. For example, changes might be made to a forecasting spreadsheet to give ranges rather than just a best estimate. This is progress, in principle, but the ranges are too narrow and do more harm than good, the spreadsheet contains technical errors, and at the start of the next financial year a new version is introduced by someone else who knows nothing about the range idea and drops it. I hope you recognize this as just normal office life!

As with requests, follow-up can vary in scale from a quick phone call to an independent audit review.

The way ahead — further practical details

The following subsections are mostly for people with day-to-day responsibility for managing a programme of changes.

Lightweight planning/focusing

Planning needs to be effective and convincing, but also quick and easy enough that people are happy to go back to it and rethink from time to time. There is no point investing time in very detailed planning far into the future for this kind of change programme.

A good way to do this is to think about the distinctive characteristics of the organization and everything connected with it, and deduce from these the shape of a high level design that shows:

  • which types of change to focus on;

  • which changes will need most time and attention, and be most important; and

  • what work packages to create, what types of expertise they will need, and what other resources they will need.

This should go beyond elaborating the objectives and exploring the challenge. It needs to identify the types of change (i.e. characteristics of the solution) or the rest of planning is just wild guesses.

Using distinctive characteristics

Distinctive characteristics are the things you would tell someone else if they asked for a short statement describing your organization. They are the points that are important and that are also a bit different from many other organizations. For example, you probably would not bother to say that an organization has employees and offices, but if its business is to own and run a pier at a seaside resort and it is based on the pier then you would probably mention those points. They are distinctive.

Lots of things can be distinctive characteristics. Size, location(s), type(s) of products or services, age, legal form, style, and past performance and mistakes are all candidates.

From such obvious facts it is possible to deduce a lot, if you think and have some relevant knowledge. For example, a UK government department will have had a lot of pressure exerted on it to run a Risk Listing system with numerous risk registers. So, expect more than usual opposition to extending the scope of risk management to more important matters, much of it based on intellectual confusion and a vague sense of defensiveness. To give another example, a manufacturing company is quite likely to have an existing investment in quality management techniques and to employ people who know about those techniques. That's a good basis for working better in uncertainty so might suggest the idea of refining and extending those methods rather than introducing new language and techniques.

As the inferences build up, a picture emerges of the main areas of work and the expertise and other resources needed. Do you need software expertise? Lawyers? Ergonomists? Are there certain people who will be very important to progress? Are there some important but infrequent management activities that will take a long time to change simply because they don't happen often? Is there a crucial, one-off event fast approaching that you need to plan for urgently?

How you think about this and what you deduce will be largely the result of your knowledge and thinking patterns.

If you think that an organization currently performs badly at something then of course you can expect to have to make a particular effort on it. For example, an organization that has suffered a series of deadly disasters due to putting budgets ahead of safety clearly needs to look at its objectives and how they are thought about. An organization that has been a national monopoly for decades but now has been privatised and lost its monopoly will need to think more open-mindedly about the future because now it has competitors and customers have alternatives. An organization that is planning a large number of changes over the next few years should look for default methods that will be suited to the change projects involved, such as incremental delivery of benefits to stakeholders. An organization that has the opportunity to conduct systematic trials of alternatives (e.g. web pages on a busy website) should do so.

As you can appreciate from these examples, thought is required but it's not rocket science.

Strategies for dealing with existing Risk Listing

One problem likely to be common for listed companies, larger public sector bodies, and organizations doing a lot of projects, is the ongoing drive to implement Risk Listing methods. Organizations today sometimes find that regulations, rules, and even some laws appear to require Risk Listing and it has been standard practice to call Risk Listing 'risk management', and treat the two as equivalent. (This is like someone offering you a bowl of cold cabbage soup made without stock and calling it 'delicious food'. Delicious food and risk management are the aspirations, but what is truly on offer is just cold cabbage water and Risk Listing.)

In addition, professional risk listers spend a lot of time defending and promoting Risk Listing because it is not naturally attractive. They are often highly practised, good at getting their way, and determined to do so because they feel that keeping their job depends on it.

Here are some suggested strategies for tackling Risk Listing and its promoters:

  • Be tolerant: Don't attack Risk Listing. Adopt a 'live and let live' attitude. This reduces the stimulus to risk listers to raise objections and encourages them to be tolerant towards other activities under the 'risk management' umbrella. It's harder for them to justify intolerance of other initiatives if you are tolerant of theirs. Tolerance is not the same as support, so do not support expansion of Risk Listing (e.g. more registers, more detail, more meetings).

  • Require honesty: Though it is important to be tolerant of Risk Listing it is also important to prevent risk listers from using unfair tactics and arguments to promote their methods or denigrate others. They should not be allowed to describe their method as if it is equivalent to risk management. Instead, they should have to say they are suggesting risk registers as a way to manage risk. They should not be allowed to maintain that Risk Listing is simple, popular, traditional, or standard. These claims are false but, more importantly, they are just appeals to social proof or authority and are unfair debating tricks. Risk listers should not get away with suggesting that all alternatives must be untried, unconventional, complicated, or expensive and time-consuming. The trick being played here is to hint that the only alternative is top-end risk modelling and then exploit some widespread misconceptions about risk models and the common fear of being asked to do difficult mathematics.

  • Offer a way out: Most risk listers suffer inner conflict because their basic beliefs are more compatible with an integrated approach than with Risk Listing. They don't like having to defend their work all the time. However, they have to defend their work so often that it becomes habitual and, to some extent, unconscious. Be understanding of this issue and give risk listers an attractive role in a wider approach to risk management. Give the risk lists a modest role in creating progress. Suggest that the current set of objectives be compared with the risk register to find objectives that perhaps should be added. Suggest mapping the risk register to the management decisions and other core management activities where each 'risk' is actually thought about in context. This gives risk listers a chance to switch to supporting other contributions to risk management and to see these as a process of integration. In time, the risk registers will seem less important and perhaps begin to look like an earlier stage of evolution.

  • Help the auditors: Internal and external auditors have been pushed hard to promote Risk Listing and will often be looking for it and recommending it. However, auditors still recognize good, integrated management of risk when they see it and, as individuals, they prefer it. Help them see what you are doing as meeting the requirements they have been told to audit against. Help them turn what you are doing into the language they are used to so that they can give you ticks on their audit programme.

  • Wait then help: One consequence of enthusing people about changes to management that make 'risk management' a by-product of managing well is that they increasingly see the risk lists as pointless. (Most people will express this sentiment immediately if they feel safe to, but be patient.) If people want to drop Risk Listing, then help organize an orderly reduction or even elimination, on condition of having good stuff in place already that makes the Risk Listing redundant. The last ditch defence of risk listers is that a risk register is 'better than nothing'. That's debatable, but there's no need to have the debate because it is easy to have something else in place that is not only better than nothing but also better than Risk Listing.

  • Obey the rules imaginatively: Do not break rules that appear to require Risk Listing, but do think of imaginative ways to interpret the language that allows superior risk management methods to be offered in satisfaction of the rules. For example, a rule requiring a list of 'principal risks' can be met by listing the variables in your business planning model that have the most important uncertainty attached to them. If you already have a probabilistic forecasting model to assist with business planning then running off the tornado chart from this is just a few clicks on your laptop. Those items are as much risks as anything else and you even have solid reasoning behind your choice and the judged importance of each 'risk'. Not only are the rules satisfied but they are better satisfied this way.
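The two quantitative ideas mentioned on this page, asking for ranges rather than best guesses and running sensitivity analysis across many scenarios (under debiasing techniques), and producing a tornado chart from a business planning model to pick out 'principal risks' (above), are shown together in the following worked example. It is added here and is not the article's own code. It assumes a toy annual-profit model with four constructed range estimates; the variable names and figures are hypothetical and exist only to make the technique concrete.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class RangeEstimate:
    """An estimate asked for as a range (low, most likely, high)
    instead of a single best guess."""
    name: str
    low: float
    mode: float
    high: float


# Constructed, hypothetical inputs to a toy annual-profit plan.
# The names and figures are illustrative, not from the article.
PLAN_INPUTS: List[RangeEstimate] = [
    RangeEstimate("unit_price", 90.0, 100.0, 105.0),
    RangeEstimate("units_sold", 8_000.0, 10_000.0, 11_000.0),
    RangeEstimate("unit_cost", 55.0, 60.0, 75.0),
    RangeEstimate("fixed_costs", 280_000.0, 300_000.0, 330_000.0),
]

Model = Callable[[Dict[str, float]], float]


def annual_profit(v: Dict[str, float]) -> float:
    """Toy business planning model: profit = margin x volume - fixed costs."""
    return (v["unit_price"] - v["unit_cost"]) * v["units_sold"] - v["fixed_costs"]


def tornado(model: Model, inputs: List[RangeEstimate]) -> List[Tuple[str, float, float, float]]:
    """One-at-a-time sensitivity analysis behind a tornado chart.

    Each input is swung from its low to its high value while every other
    input stays at its most likely value.  Rows are sorted by the size of
    the swing in the model output, largest first, which is the order the
    bars appear in a tornado chart and a defensible list of 'principal risks'.
    Returns (name, output_at_low_end, output_at_high_end, swing).
    """
    base = {e.name: e.mode for e in inputs}
    rows = []
    for e in inputs:
        at_low = model({**base, e.name: e.low})
        at_high = model({**base, e.name: e.high})
        rows.append((e.name, min(at_low, at_high), max(at_low, at_high), abs(at_high - at_low)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def principal_risks(model: Model, inputs: List[RangeEstimate], top_n: int = 3) -> List[str]:
    """The inputs whose uncertainty matters most to the output, in order."""
    return [row[0] for row in tornado(model, inputs)[:top_n]]


def monte_carlo(model: Model, inputs: List[RangeEstimate],
                n: int = 20_000, seed: int = 1) -> Tuple[float, float, float]:
    """Many-scenario sensitivity analysis: sample every range at once.

    Each range is treated as a triangular distribution (a simple step up
    from a bare range).  Returns the P10, P50 and P90 of the model output,
    i.e. a range for the result rather than a single best guess.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    outcomes = sorted(
        model({e.name: rng.triangular(e.low, e.high, e.mode) for e in inputs})
        for _ in range(n)
    )

    def pct(p: float) -> float:
        return outcomes[int(p * (n - 1))]

    return pct(0.10), pct(0.50), pct(0.90)


def render_tornado(rows: List[Tuple[str, float, float, float]], width: int = 40) -> str:
    """Plain-text tornado chart, one bar per input, widest bar at the top."""
    widest = rows[0][3] or 1.0
    lines = []
    for name, lo, hi, swing in rows:
        bar = "#" * max(1, round(width * swing / widest))
        lines.append(f"{name:<12} {lo:>12,.0f} {hi:>12,.0f}  {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = tornado(annual_profit, PLAN_INPUTS)
    print(render_tornado(rows))
    print("principal risks:", principal_risks(annual_profit, PLAN_INPUTS))
    p10, p50, p90 = monte_carlo(annual_profit, PLAN_INPUTS)
    print(f"profit P10/P50/P90: {p10:,.0f} / {p50:,.0f} / {p90:,.0f}")
```

With these constructed inputs the tornado ranks unit cost first (its range is wide and skewed upwards), then unit price, then volume, with fixed costs last; that ordering, with the swing figures beside it, is the reasoning behind the 'principal risks' list. The Monte Carlo run turns the same range estimates into a P10/P50/P90 for profit, which is the 'more sophisticated distribution' a bare best guess cannot give.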

Good levers to pull

The high level planning activity should also help to focus on types of lever. Again, the types that you think will be the best way to spend time and other resources will vary with your circumstances and personal preferences. I suggest the following as types of lever that should be near the top of most lists.

Lever: Template Tweaks

Explanation: A lot of management work involves documents (including spreadsheets) and many of those start with a template or with a copy of something similar done in the past. Those official and unofficial templates are a mass of prompts guiding our thinking.

Think of presentation slides for board meetings, meeting agendas, management accounting templates, boilerplate text for business cases, client proposals, design projects, standard emails giving advice to people presenting to the board, and so on and on.

Most of these can be tweaked in ways that will promote better handling of uncertainty, and many of those tweaks will meet no resistance if well designed and properly suggested.

Advantages:

  • Long lasting influence on behaviour.

  • Seen at the relevant moment to be influential.

  • Usually no cash cost.

Lever: Selective Skill Investments

Explanation: Training large numbers of people in anything is costly, especially when their time is taken into account, and tends to result in everyone taking a break from their real work but no lasting behaviour change in any one individual.

Selective skill investments involve individual tutoring or deeper education for just a handful of people very well placed to make a difference. It can also involve recruiting or promoting people specifically to do something that nobody in the organization is currently able to do.

Examples include coaching the chairperson of a key committee to ask particular questions and to encourage some types of thinking and discourage others, teaching an accountant to use a modelling tool or to produce better information graphics, and teaching a sales director to spot and correct mis-selling by sales people.

Advantages:

  • Only the most worthwhile investments are made.

  • Can create change where prompts are not enough.

  • Can convert people who previously said something could not be done.

  • Can reward people for being receptive to improvements.

Lever: Cleaning up Incentives

Explanation: Bad management is sometimes driven by incentives that are any of the following: (1) short term, (2) for individual performance rather than team performance, (3) based purely on results, (4) based on achieving a target, or (5) based on a target that is out of date.

If any of these faults are present it would be good to correct them. Unfortunately, getting anything about incentives changed can be very hard because of personal interests and the ideology of the experts advising. However, most people are happier being judged partly on results and partly on behaviour, and most people would prefer a smooth relationship between their pay and performance to an all-or-nothing bonus triggered by a single target. Many would prefer to be judged against what actually happened rather than against what was imagined at the start of a year, and would prefer to be paid for their economic contribution, which is easier to calculate objectively, rather than the more subjective basis of how they performed.

Consequently, there may be some reforms that can be agreed easily, so it does no harm to at least make some suggestions and explain how they would improve the incentives to manage well under uncertainty.

Advantages:

  • High impact if faults are present and corrections are made.

Lever: Worst Case Policies

Explanation: Some policies you might like to introduce would be refused if suggested at their most cost effective level of rigour. The idea here is to suggest a much more selective application of a policy that will be accepted. For example, rigorous inspection of documents is a worthwhile activity at all stages of software and other technology projects, as demonstrated by many quantitative studies. However, inspections feel very slow and intuition is that they cannot be worthwhile. Suggesting comprehensive inspection for all deliverables on projects in an organization that does not use inspection at all will not work. However, restricted to particular documents on particular projects in particular circumstances, inspection can become acceptable. In time, and with accumulated evidence of value, inspection can be extended more widely.

Advantages:

  • Gives good techniques a start.

  • Focuses improvements on the best opportunities.

Lever: Conversational Competence Models

Explanation: These are patterns of question and statement that people can learn to use in conversations. The user learns patterns and individual sentence frames, and when to use them. This could be used to encourage people to ask questions like, 'What would we do if...?', 'What's just outside our mental blinkers?', and 'If customers liked this much less than we expect, where would that leave us?'

Advantages:

  • Very specific behaviours but with wide uses; more effective than general encouragement.


General guidelines for sequencing changes

What we need to do is identify the easy, uncontroversial actions that can be taken first, that will start to produce positive change immediately and incrementally, and that build a platform for more ambitious change later. Typically we want to go for changes that are easy ways to help people do things they already think they should be doing all the time.

Exactly how fast you can go depends on how large your organization is, how much opposition you encounter (if any), and how much power you have. Here are some rules of thumb:

  • Size: If your organization is very large then even a seemingly simple idea can involve talking to a lot of people, so keep your incremental steps small by doing them within a narrow scope at first and then adding to that scope. For example, you could start with just smaller projects, or just one small project, or with just one business unit, or just one central support function.

  • Opposition: If you find that some people object on principle, intellectually, or for selfish reasons, and oppose your modest changes then adjust your scope temporarily to avoid your opposition. Work with people who welcome your proposals.

  • Power: Even if you have the formal authority to demand major changes without delay it may be better to start small, get people used to some small but important shifts, measure the results and the effort needed, and then build from there.

In some cases it may be helpful to focus initially on changes that broaden the perceived scope of 'risk management'. If Risk Listing has dominated conversations about risk and all the high profile documents about risk management are in Risk Listing language and promote only Risk Listing methods then just learning to speak and write without continuing to push Risk Listing is a challenge. Good early steps will be to revise those documents to make the language more open, remove most of the risk jargon, and make the nature of integration explicit.

Asking for changes

Sooner rather than later it is time to ask people to make changes. Those might be changes to objects (e.g. documents, software, office layout) or changes to behaviours. Those changes might be agreed in an informal conversation between work colleagues or perhaps effected by changes to written contractual terms. Often, the person being asked will want to think about the impact on others concerned. For example, a management accountant asked to provide financial forecasts in a slightly different format might need to confirm that users of the forecasts have no objection.

Some requests will involve much more work than others. Here are some types that can be expected:

  • Quick and easy: There will be many simple requests that will be agreed to because the change is easy to make, has no apparent downside, and the request is made to someone who is supportive and in a position to decide. Many changes will fall into this category but that doesn't make them unimportant. The changes to focus on are the ones that are easy and have a big positive impact.

  • Involving negotiation: Some changes involve extra work for someone, at least in the short term, or at least allow them to claim that they will be put to extra work. They will take the opportunity to ask for more resources, more payment, or other favours. Negotiation is then required to refine the details of what is done to minimize the extra work and maximize the benefits, and to agree any extra resources they should fairly receive.

  • Trialling and development needed: Some changes need careful design and the only way to find out if they really work and how much effort they really require is to try them and see. Trials should be kept as small as possible while still giving a viable trial.

Here are some other suggestions to help with successful requests for change:

  • Ask yourself first: Do changes that are within your personal authority. It gives you something easy and quick to start with and shows others you are sincere.

  • Get social power behind you: Get a clear mandate from important people in your organization and make sure people know about it. Show that others are cooperating.

  • Get agreement in principle: Explain and emphasize the overall goals and approach, which most people will think are very reasonable and a good idea, and ask for support in principle.

  • Make reasonable requests: Suggest only reasonable changes and be prepared to discuss and refine details; sometimes people don't realise there is an easy way for them to comply.

  • Help: In particular, be prepared to help with design details. For example, if someone agrees to a change to their document in principle but is unsure of what to say instead, suggest some words to make their life easier.

  • Be patient: Be willing to spread changes over time, or do them in bundles if others prefer, but let people know the bigger picture. Don't surprise them by coming back for more after they have agreed to some small changes. This is an unfair tactic even though it works.

  • Check with users: Sometimes it is best to find out what users think before asking owners.

  • Find benefits for others: Look for changes that will benefit the person who agrees to them. For example, if someone complains that they are struggling with getting people to comply with something, perhaps your change will help them with that.

  • Reinforce good practice: If someone does something right sometimes, suggest a change that amounts to them doing the same thing more often, perhaps always.

  • Ask in plain language: Do not ask in risk speak.

Staying productive

Aim for several changes put in place every week. Avoid getting stuck by:

  • generating lots of ideas for worthwhile changes so that there is always something else you can do while you wait for people to agree to make a change, or do what they have agreed;

  • avoiding protracted battles with people and, instead, focusing on people who are receptive and effective;

  • having relationships with many people who can help, so that you are pushing ahead on many fronts;

  • exploiting opportunities that arise because other people decide to make changes to something they control and become, temporarily, more receptive to suggestions; and

  • exploiting opportunities that arise when things go wrong and people become, temporarily, more receptive to suggestions for change.

Summary

This article has clarified the main elements of any programme designed to improve management of risk in an integrated way. Once you understand that it involves making a large number of varied changes to the way management is done, and that such programmes are already familiar and common, a lot of the rest is obvious. If you have a good knowledge of internal control and risk management already then you will probably find it easiest to think of the programme as a modernised form of internal control uplift programme, where more of the 'controls' involve intelligence.

Further reading

  1. The Risk Listing school

  2. Results of a survey on 'integrated risk management'

  3. Results of a survey on corporate programmes to improve 'risk management'

  4. Working In Uncertainty: A perspective on management, risk, and control

  5. How to write about 'risk management'

  6. What is 'risk culture' and how can 'risk culture' be changed?


Words © 2014 Matthew Leitch