Working In Uncertainty
The way ahead for risk management and internal control in organizations
We all face uncertainty — a consequence of our limited control and knowledge — all the time. We deal with it, but not always, and sometimes not very well. In organizations, various factors can make this more difficult. Some spectacular failures, among other things, have prompted people to introduce more organized and focused efforts to improve our performance under uncertainty. Two such efforts have been called risk management and internal control. Various approaches to these have been devised and promoted, often through influential guidance documents, standards, regulations, and contract terms.
Most people want what these efforts at risk management and internal control aim to provide. We want our organizations to be more efficient, safer, more adaptive and responsive, and better able to take advantage of opportunities. Sadly, much of the guidance and requirements for risk management and internal control are not doing these things as well as we would like and the method that is most prominently advocated today for organizations — Risk Listing — will never satisfy us because it doesn't integrate into core management activities and has a narrow scope.
How can we get to guidance, standards, and requirements that promote better management in uncertainty? What should risk management and internal control in organizations look like in future? How can we look at these problems more realistically and start to boost the good practices that people already use instead of struggling to get them to do something new and unwelcome? How can we get to where we want to be from where we are now? In this article I'll elaborate on where we would like to be, then contrast it with where we are today, before suggesting a path forwards consisting of steps that are simple, achievable, and attractive to (nearly) everyone. With a little thought, many characteristics of the way forward emerge as inevitable.
The main conclusions are that successful approaches to risk management and internal control will involve varied, distributed changes to the way management is done, prompted and sustained by tangible changes to the environment in which people work. Lists of 'risks' will not be a significant part of this approach. This pattern of distributed change is typical of many corporate projects, including traditional internal control work, so involves no great novelty. For example, internal auditors can tackle this by expanding their ideas of what an 'internal control' is to include more intelligent features of management and then simply go about their work in their usual way.
The contrast between desire and reality
Where we would like to be
Most people with expert knowledge of 'risk management' and 'internal control' would like the two to be seen as one, with no duplication of guidance, regulation, staffing, and so on.
What almost everyone, traditionally, would like to see from all this is positive results. We want less bad stuff in our lives, whether it is unexpected or not. We want to see fewer people hurt and killed. We want companies to fail stupidly less often. We want our savings and investments to be secure and we want our insurance claims paid. We want our governments to do what they plan to do without spending much more than they planned to spend. We want the Olympics to cost no more than promised.
In recent years many have expanded their hopes beyond avoidance of bad stuff to encompass all the improvements that might be expected from dealing with uncertainty more effectively at work. We want our organizations to be more responsive, adaptive, efficient, competitive, and successful, as well as experiencing fewer failures and less collateral damage.
In addition to having hopes for good results we also have ideas about what it should be like to manage risk well, and these ideas reflect a desire for effectiveness and efficiency. We hope that the methods used for this will require little or no administrative overhead and that, by being natural and effective, they will provide permanent improvements throughout all management activities. Managers won't be doing risk management, but by managing well they will manage risk.
Put another way, we don't just want risk management to be integrated with internal control; we want both to be natural results of doing core management activities well.
That's what we would like.
Where we are now
Every organization is different but still there are some things we can say about the situation now that summarise issues felt by many.
Despite a lot of talk about risk management and internal control, and despite at least two decades of energetic regulation and rule making, companies still fail for stupid reasons. The global financial crisis at around 2008 was widely seen as intensified by poor risk management by banks and others involved in mortgage markets. Government projects continue to under-deliver and over-spend, despite implementing the risk management and governance methods seen as good practice. The Olympics continues to cost more than expected (unless you forget your original budget and just focus on the latest one!). People continue to be killed on the roads, in factories, and on holiday. Abused children continue to be overlooked by social workers from time to time and doctors and nurses still make the occasional fatal mistake.
Too many core management decisions — the ones that matter — are made in similar ways to the past, unaffected by 'risk management' initiatives. Too much of existing guidance and requirements are not producing enough positive change.
Unsuccessful experiments with Risk Listing
Most organizations are not forced to operate risk registers or sophisticated mathematical risk models, so they don't. They are managed by people who try to do a good job and, to an extent that varies, they succeed in managing in a way that enables them to survive and thrive in a world that is hard to control and predict.
Other organizations, usually larger or pressed by laws or regulations, do much the same but also have one or more risk registers at the centre of a Risk Listing process. Maintaining this process involves having occasional meetings to discuss the 'risks' on the risk register. In most cases this does not have much impact on how most management is done, but it can lead to some decisions (or revisions of decisions) on matters that are mainly 'responses' to risk, such as insurance, fire safety systems, and credit limits. Rather confusingly, the Risk Listing process is referred to as 'risk management', even though in reality most risk is managed within core management activities in the same way as for an organization not doing Risk Listing.
Some of these organizations have appointed someone, or even a team, to run the Risk Listing effort and have even spent money on software to hold the information about 'risks' and produce reports. However, it's a tough job. The process is not loved by many and promoting it requires a lot of effort, persuasiveness, and cunning ploys. For example, to make risk register meetings more popular it helps to fill their agenda with other activities, loosely related, that are more useful, such as briefings on current strategies and performance. Risk managers tend to be either full of pride for having got Risk Listing procedures operating at all, or disillusioned by the lack of appreciation for that Risk Listing process despite years of operating it. The job title 'risk manager' raises expectations that cannot be fulfilled when, in reality, the job is to be the Risk Listing manager.
Problems with risk models
Other organizations, particularly banks, insurance companies, and organizations where scientists are involved, use sophisticated mathematical models held on computers to make probabilistic forecasts of the results of current and alternative plans. These tend to be more directly supportive of good decision-making and the forecasts are more informative than those coming out of Risk Listing. However, even here there are often profound problems.
Models are often systematically biased for technical reasons, usually towards giving narrower distributions than they should. For example, the usual test of 'normality' for a set of data assumes normality unless the data are clearly not normal, which builds in a bias towards a distribution with thin tails. Where a lot is at stake, reliance on these models can be costly.
Also, just as 'risks' put on a risk register by one person can mean little to another person (who sees the world differently and with different information, values, and decisions in mind), risk models created by one person can mean little to another person.
A risk model provides a probabilistic forecast of the future but that forecast depends on the information used in the model and how the information is used. These are chosen by the modeller or a regulator, or both. Consequently, the model's forecasts do not reflect the knowledge of the executives and others expected to use the model in monitoring and decision-making. Those users may be suspicious of the model for a variety of reasons and think that the model is not correct, or at least that it does not represent their views. Building models that implement regulatory rules often undermines their value for business decision-making. There is also confusion about what the 'probabilities' mean, with some thinking they are estimates of objective frequencies while others think they are numbers you could bet with. Most people don't even realise there is a huge issue here.
Little effective integration
While there are signs that regulators are starting to bundle risk management and internal control together, integration into core management activities is still a long way off.
Risk-listing is inherently a separate activity focused on 'risks', a new type of entity unconnected with normal management concerns. Its rituals of separate meetings, reports, databases, and baffling jargon (e.g. 'risk criteria', 'risk appetite', 'risk framework', 'risk culture', 'risk management process') serve to keep it separate. Most people regard it as alien and irrelevant, though they don't say that unless they know it is safe to do so.
Risk managers in financial firms have become quasi auditors, checking up on people and issuing reports. They often operate a system of limits designed to control trading and lending. Consequently, they find themselves in conflict with others in their business, usually having to argue against courses of action they or their models regard as too risky, while their colleagues are exasperated by the risk manager's apparent negativity. Matters are made worse when the risk manager also has to act as Risk Listing manager, giving people another reason to be unappreciative.
The gap summarised
That's where we are now. Clearly, there is a big difference between desire and reality. The technical methods tried so far, especially Risk Listing, have been disappointing and narrow in scope, leaving most management unchanged and, consequently, leaving results largely unchanged too. A different approach is needed.
The way ahead — overview
The obvious way forward, in principle, is to make changes to the way core activities are done so that they perform better despite our limited control and knowledge. That's what guidance and requirements should promote. That's what corporate risk managers should promote. But how exactly do we do that if there is already an investment in Risk Listing? How do we change core management activities if people are not used to deliberate changes to their methods, or are fed up with being told to make changes?
Fortunately, we already know enough to deduce a lot about how this can be done. Many features of an effective approach are inevitable, given the task and the well-known realities of organizational life.
In this overview of the way ahead I will deduce characteristics of the way forward. Whatever approach you choose to adopt, it is very likely that your approach will work better if it has the characteristics identified below.
First, your approach needs to be both attractive and effective. It needs to be attractive because if people need a lot of convincing then it will be hard to get change underway and hard to maintain it. It needs to be effective for reasons that are even more obvious.
An attractive approach
What would make an approach attractive? Here are some important characteristics.
A mix of practicality and psychologyOne characteristic is that it has to include the ideas that many people, almost instinctively, are now thinking they want to try next. Many have concluded that an approach focused only on following prescribed corporate procedures is not working and that something broader and more focused on human thinking, feeling, and behaviour is needed. Attempts to fill the gap with 'risk appetite' and 'risk culture' have seemed intriguing but are too muddled and vague to be anything more than debate about buzz phrases. But still, the idea that we need to go deeper into the minds of people is compelling. Psychology is important.
At the same time, we know that unless an idea suggests a practical and effective course of action it won't make any real difference. What improvement, if any, will be achieved by exhorting people to change their attitudes or beliefs? How long will the impact of appeals for better behaviour last? How can we check that any of this has helped, and what will the auditors look at?
Somehow, changes to our thinking and resultant behaviour need to be prompted and supported, over the long term, in tangible, observable, persistent ways. Changes to the procedures, databases, forms, spreadsheets, and so on that people interact with every day will be part of the approach, but those changes will need to be psychologically effective.
Easy to get started
Another characteristic of an attractive approach is that it should not require a huge initial commitment. If you were offered a way ahead that involved spending a lot of money on software and consulting in a project lasting years that was not due to provide any advantages for at least a year, and where things were expected to get worse before they got better, would you be eager to get started? No.
It is much better to propose incremental change that involves a stream of rapid but small changes, focused so that resources are used efficiently and the first benefits are enjoyed as soon as possible.
Familiar and straightforward
There's a certain buzz around doing something that is pioneering, but getting permission to try is often very difficult. People are naturally wary of betting on something they don't understand or have no previous personal experience of. It's easier to get started using familiar, straightforward techniques. You have enough novelty to get attention provided the techniques you propose are good ones that haven't been used in an energetic and focused way in your organization recently.
Proponents of Risk Listing like to argue that risk registers are simple and familiar, and that any alternative must be complicated and new fangled. This is all nonsense, but to counter this tactic it is a good idea to give examples of simple changes to working methods that will improve performance under uncertainty, involve using familiar management methods, and do not require advanced mathematics. For example, you could mention incremental projects, disclosure of the source of estimates, and asking people to think of alternative scenarios.
Makes no enemies
Another characteristic of an attractive approach is that it should not disadvantage people who can stand in the way. The focus should be on changes to working methods that provide some kind of benefit to everyone who has to agree. Ideological debates about management methods can often be avoided by suggesting sensible practical changes rather than proposing principles.
Summary of attractive characteristics
The closest we can get to this fantasy ideal is to use an incremental approach where each carefully selected step along the way delivers a change that is beneficial almost immediately and disadvantages nobody, and where each step is tangible but psychologically justified, and is simple, familiar, easy, and quick.
An effective approach
Two main activities
First, since we want risk to be managed as a by-product of doing core management well, and not as a separate activity, then the changes to do this must be distributed through those core management activities, wherever and whenever they occur. Therefore, risk management cannot be left to a separate activity with its own reports, meetings, and database. Any programme designed to bring about improvements will need to effect changes across an organization, crossing departmental boundaries, and reaching into the detail of how work is done.
This type of programme is not new. Old-fashioned internal control improvement programmes have these characteristics. Getting lots of people in different places in an organization to make many changes to the way they work is also a common challenge for legal compliance, marketing, customer relationships, branding and corporate identity, ethical codes, and so on.
Second, it is clear that ideas for improvements won't all surface in an initial planning phase but, instead, will continue to emerge as experience is gained and events unfold. Also, with widespread changes it is common to find that work teams find change easier at some times than at others and so programmes have to be flexible enough to shift their attention to those parts of an organization that are able to change at any given time. Therefore, an ongoing, lightweight, flexible planning and focusing activity is needed that starts the whole programme but continues to guide and shape it throughout its life.
In summary, a risk management and internal control improvement and maintenance programme can be thought of as two activities: (1) a lightweight planning/focusing activity, and (2) streams of changes.
The main roles are also familiar and predictable. There will be people whose work will be involved in the changes, some of whom will be 'owners' of processes, systems, documents, models, etc. There will be a leader, or leading group, that wants to see the changes done and bring about improved management of risk. There may also be someone to whom the task of prompting changes, following up, and reporting progress is delegated, and that person might have a team to help.
In practice, the person to whom the programme is delegated tends to have a more sustained and intense interest than the leader(s), due to full-time involvement and, often, more specialist knowledge and interest. So, at times, that person becomes the main driver of work, sometimes having to take action to sustain interest at the leaders' level. That's the reality as many risk and control managers will confirm. It is also the reality for specialists driving programmes in marketing, customer handling, branding, legal compliance, and so on.
Where the programme has been delegated there is of course a need for progress reporting and monitoring. Typically that means regular meetings, a steering committee of some kind, and progress reports. You can think of this as a third activity or as just part of the planning/focusing activity.
Types of change
The types of change that are made are crucial. Fortunately, quite a lot can be deduced about the nature of the changes that will be part of an improvement and maintenance programme. We know from research that this will not involve introducing risk registers in as many places as possible. The changes will be more varied, more intelligent, and more naturally part of each affected management activity. However, in the vast majority of cases they will be simple and familiar.
Expanding the scope of 'risk management'
If the organization has had Risk Listing operating for a while, or is working in a sector where Risk Listing is dominant (e.g. audit, construction projects), then there will be a need to expand the perceived scope of 'risk management' so that people do not focus exclusively on making lists of 'risks'. If this is not done then people in all the roles described above could fail to cover all the important opportunities for improvement.
In addition to new statements of scope it will help to use a descriptive name such as 'Risk Listing' to refer to the Risk Listing process. Other language in documents that refers to 'risks' and clearly has Risk Listing in mind can be revised to open up risk management to more possibilities. At present, most documents about Risk Listing call it 'risk management', which is misleading since Risk Listing is only one suggestion for how to manage risk.
Here is a list of things to consider doing, including the items just mentioned:
Using a balanced set of objectives
A very common challenge for organizations is to develop and maintain a system of objectives (in the broadest sense) that covers everything that matters and then pay attention to the full set at all appropriate times. The objectives might have various other names, such as success factors, goals, themes, and KPIs.
This is related to management of risk because risk management failures have often been due to focusing on one subset of objectives at the expense of others (e.g. budget variances rather than safety).
If there is any doubt that an organization's current system of objectives adequately reflects such matters as safety, control of fraud, accidental waste, money laundering, and so on, and at the right level, then a review would be helpful. It might also be helpful to compare any existing risk register material with current statements of objectives to find important measures of results that are missing from the objectives.
Also, if there is any doubt that all relevant objectives are properly considered at all times when they should be, then there is the opportunity to review the current situation and perhaps make improvements. Simply thinking through the occasions where people should use the objectives will reveal a further set of potential changes that may be worthwhile.
All this is familiar and straightforward. Many organizations will already have objectives to minimise the impact of unplanned, unintended bad stuff. It is just a matter of doing, properly and consistently, what we already know should be done. In summary, items to consider include the following:
Encouraging open-minded management
Another desired result from risk management is that people should deal with uncertainty more effectively, allowing them to manage good luck as well as bad. This is not a direct logical consequence of having a balanced system of objectives and using them, so we need to do more. The usual tendency is for people to think too narrowly about what might happen, what might have happened in the past, and what might be happening now. Instead, we tend to think we know more than we really do know, and tend to think we have more control than we really have. Consequently, we tend to be more surprised than we should be and getting older does not always teach us the required lesson.
In addition to cognitive biases that affect an honest person thinking under uncertainty alone, there are pressures that come into play within an organization that bias us much more. For example, to get our proposals accepted by our bosses and customers we tend to understate the costs, overstate the benefits, and pretend to be more sure of our predictions than is really justified.
These 'mental blinkers' reduce our ability to diagnose our problems, leave us vulnerable to unreliable management 'information', and damage our decision-making, including within design and planning.
Unless a lot of work has already been done to counter this, there will be scope for improvements. Happily, almost everyone recognizes that this kind of open-mindedness is a good thing. Occasionally we forget, but in principle we mostly agree.
Changes to reduce other dysfunctional management behaviour
Mental blinkers are not the only type of dysfunctional behaviour that reduces the effectiveness of management and management of risk. We want managers to be fair, honest, and willing to think hard and use evidence. We don't want them to focus on their personal interests only, to lie, and to be mentally lazy. If there have been any problems in these areas in the past then improvements might be sought.
This is a big topic and one where more research is urgently needed. Here are some suggestions to give a flavour of the steps that could be taken.
Changes that act in more than one way
There are several other management techniques that make a huge contribution to good management under uncertainty and have multi-faceted effects. The best I can do at present is include them in this 'miscellaneous' category but that does not mean they are unimportant. In practice many of the most important changes will come from this category. Such methods include the following:
The obvious steps here are to:
Clearly, knowledge of the methods is important in picking out the ones that fit an organization and will give most benefit. Although that is obvious, I suspect the main reason the above methods are not used even more than they are now is that many people don't think of them.
Asking for changes
Programmes of distributed, varied changes typically combine different approaches to asking for (or demanding) changes. They combine central control with distributed, local control. You don't want to prescribe something that is a bad idea for some people and you want to leave everyone feeling empowered, but at the same time all that thinking is hard work and people sometimes prefer just to have it done for them and to follow some rules. There are also times when people have failed to make changes that clearly would be worthwhile, so they need to be helped, or pushed.
The most prominent method of pushing forward risk management and internal control has often been for auditors or 'risk managers' to conduct independent reviews of the way some work is done and write reports that highlight issues and make recommendations. The reports are discussed then actions are agreed and logged for later follow up.
However, this mechanism can be quite slow, labour intensive, and pressured. At least three other mechanisms also make a substantial contribution though it may not be as obvious. First, risk control specialists and others also act as official or unofficial consultants, making positive suggestions that are not included in official reports. Their suggestions can go as far as quite detailed design work. Second, the specialists sometimes have their own resources to use to introduce tools that can be used by others (typically software and databases). Third, larger programmes of change to systems and processes (e.g. a big systems project) often include important changes that will improve management under uncertainty.
All these mechanisms could be useful.
Following up on changes
Inevitably, agreed changes will need to be followed up systematically because not all of them will take place, others will be done badly, others will introduce new problems, and still others will be forgotten later or circumvented. For example, changes might be made to a forecasting spreadsheet to give ranges rather than just a best estimate. This is progress, in principle, but the ranges are too narrow and do more harm than good, the spreadsheet contains technical errors, and at the start of the next financial year a new version is introduced by someone else who knows nothing about the range idea and drops it. I hope you recognize this as just normal office life!
As with requests, follow-up can vary in scale from a quick phone call to an independent audit review.
The way ahead — further practical details
The following subsections are mostly for people with day-to-day responsibility for managing a programme of changes.
Planning needs to be effective and convincing, but also quick and easy enough that people are happy to go back to it and rethink from time to time. There is no point investing time in very detailed planning far into the future for this kind of change programme.
A good way to do this is to think about the distinctive characteristics of the organization and everything connected with it, and deduce from these the shape of a high level design that shows:
This should go beyond elaborating the objectives and exploring the challenge. It needs to identify the types of change (i.e. characteristics of the solution) or the rest of planning is just wild guesses.
Using distinctive characteristics
Distinctive characteristics are the things you would tell someone else if they asked for a short statement describing your organization. They are the points that are important and that are also a bit different from many other organizations. For example, you probably would not bother to say that an organization has employees and offices, but if its business is to own and run a pier at a seaside resort and it is based on the pier then you would probably mention those points. They are distinctive.
Lots of things can be distinctive characteristics. Size, location(s), type(s) of products or services, age, legal form, style, and past performance and mistakes are all candidates.
From such obvious facts it is possible to deduce a lot, if you think and have some relevant knowledge. For example, a UK government department will have had a lot of pressure exerted on it to run a Risk Listing system with numerous risk registers. So, expect more than usual opposition to extending the scope of risk management to more important matters, much of it based on intellectual confusion and a vague sense of defensiveness. To give another example, a manufacturing company is quite likely to have an existing investment in quality management techniques and to employ people who know about those techniques. That's a good basis for working better in uncertainty so might suggest the idea of refining and extending those methods rather than introducing new language and techniques.
As the inferences build up, a picture emerges of the main areas of work and the expertise and other resources needed. Do you need software expertise? Lawyers? Ergonomists? Are there certain people who will be very important to progress? Are there some important but infrequent management activities that will take a long time to change simply because they don't happen often? Is there a crucial, one-off event fast approaching that you need to plan for urgently?
How you think about this and what you deduce will be largely the result of your knowledge and thinking patterns.
If you think that an organization currently performs badly at something then of course you can expect to have to make a particular effort on it. For example, an organization that has suffered a series of deadly disasters due to putting budgets ahead of safety clearly needs to look at its objectives and how they are thought about. An organization that has been a national monopoly for decades but now has been privatised and lost its monopoly will need to think more open-mindedly about the future because now it has competitors and customers have alternatives. An organization that is planning a large number of changes over the next few years should look for default methods that will be suited to the change projects involved, such as incremental delivery of benefits to stakeholders. An organization that has the opportunity to conduct systematic trials of alternatives (e.g. web pages on a busy website) should do so.
As you can appreciate from these examples, thought is required but it's not rocket science.
Strategies for dealing with existing Risk Listing
One problem likely to be common for listed companies, larger public sector bodies, and organizations doing a lot of projects, is the ongoing drive to implement Risk Listing methods. Organizations today sometimes find that regulations, rules, and even some laws appear to require Risk Listing and it has been standard practice to call Risk Listing 'risk management', and treat the two as equivalent. (This is like someone offering you a bowl of cold cabbage soup made without stock and calling it 'delicious food'. Delicious food and risk management are the aspirations, but what is truly on offer is just cold cabbage water and Risk Listing.)
In addition, professional risk listers spend a lot of time defending and promoting Risk Listing because it is not naturally attractive. They are often highly practiced, good at getting their way, and determined to because they feel that keeping their job relies on it.
Here are some suggested strategies for tackling Risk Listing and its promoters:
Good levers to pull
The high level planning activity should also help to focus on types of lever. Again, the types that you think will be the best way to spend time and other resources will vary with your circumstances and personal preferences. I suggest the following as types of lever that should be near the top of most lists.
General guidelines for sequencing changes
What we need to do is identify the easy, uncontroversial actions that can be taken first that will start to produce positive change immediately, incrementally, and build a platform for more ambitious change later. Typically we want go for changes that are easy ways to help people do things they already think they should be doing all the time.
Exactly how fast you can go depends on how large your organization is, how much opposition you encounter (if any), and how much power you have. Here are some rules of thumb:
In some cases it may be helpful to focus initially on changes that broaden the perceived scope of 'risk management'. If Risk Listing has dominated conversations about risk and all the high profile documents about risk management are in Risk Listing language and promote only Risk Listing methods then just learning to speak and write without continuing to push Risk Listing is a challenge. Good early steps will be to revise those documents to make the language more open, remove most of the risk jargon, and make the nature of integration explicit.
Asking for changes
Sooner rather than later it is time to ask people to make changes. Those might be changes to objects (e.g. documents, software, office layout) or changes to behaviours. Those changes might be agreed in an informal conversation between work colleagues or perhaps effected by changes to written contractual terms. Often, the person being asked will want to think about the impact on others concerned. For example, a management accountant asked to provide financial forecasts in a slightly different format might need to confirm that users of the forecasts have no objection.
Some requests will involve much more work than others. Here are some types that can be expected:
Here are some other suggestions to help with successful requests for change:
Aim for several changes put in place every week. Avoid getting stuck by:
This article has clarified the main elements of any programme designed to improve management of risk in an integrated way. Once you understand that it involves making a large number of varied changes to the way management is done, and that such programmes are already familiar and common, a lot of the rest is obvious. If you have a good knowledge of internal control and risk management already then you will probably find it easiest to think of the programme as a modernised form of internal control uplift programme, where more of the 'controls' involve intelligence.
Hundreds of people receive notification of new publications every month. They include company directors, heads of finance, of internal audit, of risk management, and of internal control, professors, and other influential authors and researchers.
Made in England
Words © 2014 Matthew Leitch