Working In Uncertainty
Views on current risk management guidance and standards
I am a reformer. I want to make the world a better place by improving the way risk is managed by as many people as possible. If you look over my websites, look at consultation responses I have written, or meet me in a guidance drafting committee you will soon realise that I'm working hard to make improvements come about.
Thanks to all the people who have participated in my surveys over the past several years, I now know that what I'm pushing for is wanted by most people. I'm not a maverick with wild, bleeding edge ideas. Far from it. I'm quite conservative and happy to recommend some methods that have been around for 50 years or more. This page explains the key points on which I am working today.
1. Many prominent standards and guides on risk management for organizations are too narrow and prescriptive.
No one method is the best in every situation. There are many good methods — good at least in the situations they fit well.
The documents that need to take a broader, more inclusive, approach in their next edition include ISO 31000:2009, BS 31100:2011, COSO's frameworks for internal control and enterprise risk management, and the FRC's guidance on risk management for listed companies in the UK. Just setting out some sensible objectives, general guidelines, and leaving people to think of their own technical solutions would be more effective than the restrictive approaches currently described.
2. Risk Listing is promoted too strongly by some prominent current standards and guides for risk management in organizations.
It is common to present Risk Listing as the only acceptable approach to risk management. Some even define risk management as Risk Listing. (Risk Listing is simply the method of making a list of ‘risks’ and then deciding what to do about each one. A more complete explanation is given in The Risk Listing School.)
The reality is that there are many common situations at work where it is easy to suggest alternative methods that most people prefer over Risk Listing. These methods are usually rather traditional management methods, or just common sense. Most people see the alternatives as being a more integrated part of the activities where the risk is being managed and prefer this to holding separate workshops to debate risks. Survey evidence shows this to be true.
The Risk Listing method is quite specific. It is not a generic model for risk management and, even with an effort of imagination, is not consistent with traditional decision analysis, with mean-variance methods, with scenario planning, or a variety of other well-established methods.
The offending documents and the way to improve them are the same as for point 1 above.
3. Risk Appetite exercises are also promoted too heavily.
Again, it is easy to suggest alternatives for particular situations that most people find more self-explanatory, logical, and appealing. People find the phrase Risk Appetite, and the other language that goes with it, vague, misleading, and confusing. They do not agree that there is a level of risk that they should choose regardless of the rewards involved. They also recognize, without much prompting, that many other factors drive our risk-taking decisions.
Guidance that currently promotes Risk Appetite should be withdrawn and replaced with guidance that simply sets out sensible objectives for controlling risk-taking decisions and asks people to think of their own methods for doing so. This would result in better outcomes.
4. Risk Culture exercises are also promoted too heavily.
Yet again, it is easy to suggest alternatives that most people find more appealing and think more likely to be worthwhile. Most people prefer ideas for promoting better behaviour that focus on specific behaviours (good and/or bad) or focus on a particular set of virtues for thinking and behaviour at work.
5. Evidence should be considered on the effectiveness of risk management methods suggested for organizations, compared to clearly identified, reasonable alternatives.
Comparing a method to doing nothing is not reasonable, unless doing nothing truly is the only alternative. More often there will be a choice of methods that could be used instead of doing nothing, so the methods should be compared with each other.
For many methods of risk management promoted in prominent guides and standards there is no reliable evidence of effectiveness at all. Nobody has tested if the methods are even applicable to the range of situations the guidance is claimed to cover. Nobody has tested if the methods perform better than simply giving people the same resources and asking them to manage risk better without saying how. Bear in mind that if the only tool you gave somebody was a sheet of blank paper they would still achieve something and, over time and repetitions, would improve their skills.
Methods work best in some situations and may not work at all in others. It is crucial to be clear on where a method is the best-known choice.
6. Senior people in powerful positions should be much more skeptical of the ideas and text they are being offered concerning risk management.
Instead of passively accepting and promoting bad ideas and narrow rules they should apply logic and good sense themselves. Regulators should focus on outcomes. Senior people leading organizations should act on their own personal logic and ask their own organizations for what is sensible.
Words © 2016 Matthew Leitch.