Is “Risk Avoidance” Really “Risk Management”?
A quick google search gives you the definition of risk management as being about “mitigating” risk. This is how, in practice, risk management most often works in the corporate world. It is rare to see a Risk Manager say, “Hell ya, bring on more risk!”
Ironically, those with the word “risk” in their title (e.g., Risk Manager, VP Risk, Risk Consultant) are typically the most risk-averse in your organization.
As someone who has risk in my company name, I’d like to challenge this definition, lightly and all in fun, of course. For one, mitigation and management are not the same. Mitigation is about avoiding. Management is about controlling.
While I agree that risk management gives us an opportunity to step back and look at what can go wrong, too much focus on “the sky is falling” is dangerous. Risk management programs can miss out on the fundamental concept of risk vs. reward.
What Is Risk Management About? Balancing Risk Vs. Reward
If we and our organizations want more reward (money, opportunity, sales, customers, products), we need more risk. Risk professionals don’t have to be Debbie Downer at the party or the tattletale in the schoolyard who is always killing good ideas or ruining the fun. They can be standard bearers and beacons for strategy and tactics that balance the goals of the organization with a pragmatic assessment of the consequences.
If risk management isn’t risk avoidance and if it’s about rewards as well as problems, then what is it? In a nutshell, I would say that risk management is more about “reporting” than “controlling.”
Like financial reporting, health and safety reporting, or ESG (Environment, Social, and Governance), risk management is an exercise in tracking and monitoring an area of business with the goal of understanding, controlling, and improving it.
Here’s my informal definition: Risk management programs give organizations a process to identify, rank, track, and monitor their risks. These programs are about facilitation, information collection, and results that give transparency to the risks facing an organization and the discussion about what to do about them.
Like other forms of reporting, risk management is about applying metrics to concepts that can be concrete, arbitrary, or even elusive at times, and committing these metrics to paper. In doing so, risk management makes the invisible, visible.
Understanding the 5 Risk Models – and Debates About What Works Best
There is more than one way to skin a cat, as they say. There is also more than one way – in fact five – to run your risk management program.
The first three models all rely on how well your organization complies with policies, requirements, rules, controls, or processes.
1. Compliance-Centric, which evaluates how your organization conforms to a policy, rule, law, objective, or requirement.
2. Control-Centric, which evaluates how your organization conforms to a recognized control model or framework.
3. Process-Centric is a method that focuses on business processes assessing the controls in place around this process.
These three models offer the most rudimentary steps in risk management. As you may have guessed, they aren’t the most exciting to talk about or the most effective. But for the last two, there’s a juicy debate among risk professionals between the ever-popular Risk-Centric model and the bolder Objective-Centric model. Let’s explore:
4. Risk-Centric risk management, which has been the dominant approach in the industry for years, focuses on brainstorming to identify risks, risk mitigation strategies, risk registers, risk owners, and heat maps and then steps to monitor them.
5. Objective-Centric risk management is driven by the objectives of the organization, and continually monitors, evaluates, and takes action on the risk of not achieving the organization’s strategic objectives
So much of what I know about these different risk models comes from seasoned risk expert Tim Leech who owns a partner company of ours, Risk Oversight Solutions. For years, Leech has campaigned within the profession to move to the Objective-Centric model, arguing that it helps focus risk management and internal audit programs on the long-term concerns of the organization (like growth, technology, talent) and not peripheral issues (like access management, checklists, signoffs).
Leech also argues that the Objective-Centric model is aligned with the reward and motivation systems within organizations. Most people are not paid to manage risk, but they are compensated for achieving the organization’s objectives (or not).
I encourage you to check out Tim Leech’s work, specifically his powerful framework to help assess whether the risk of not achieving your objectives is acceptable or not, or whether you need to take further steps.
For now, think about which model you are using, and which one supports your organization’s needs. If you are using the Risk-Centric model or an element of it (which you probably are), how can you better tie your risk management program to your strategic objectives and the risks of not achieving them?
4 Principles to Reimagine Your Risk Management Program
Finally, to drive more value out of your program, you need to look beyond the slew of tools that tend to dominate the risk management discussion – like matrices, PowerPoints, models, software, or heat maps – to refocus on your underlying goals. Here are four principles I rely on when trying to ensure a risk management program is useful, engaging, and meaningful.
1. Risk Management is about action.
Risk management shouldn’t be an exercise in techniques and pretty presentations. It’s about ongoing action and steps (even baby ones) to move your organization forward. Even for my smaller clients with minimal resources for GRC programs, I have used simple (one-page) risk management reporting to hold team members accountable for taking small actions every quarter.
2. Risk Management is about connection.
Your risk management program is about giving team members the opportunity to tell you what’s on their mind or keeping them up at night. Just like your internal control or audit programs, risk management should be about open dialogue – from workshops, to interviews, to surveys, to conversations over coffee – with people from all areas and levels across your organization.
3. Risk Management is about documentation.
Because documentation is my passion, I have the tendency to see business from this perspective. (Ok, I know it’s nerdy.) Your documentation culture and your risk culture are tied at the hip and this connection manifests in many ways.
In general, organizations – or teams or departments – that are more risk averse have better documentation (e.g., for fear of failing regulatory requirements, compliance, etc.). That said, I have seen many risk-averse teams who avoid writing things down altogether for fear of being exposed. For example, more risk-averse Boards tend to maintain minutes that are minimalist at best. On the other hand, Boards, Management teams, or team members who are more likely to “stick their necks out” are less afraid to commit their ideas and opinions to writing.
4. Risk management is not about risk elimination.
Finally, let’s temper expectations. Risk management is not about having a crystal ball. Even the biggest and most expensive risk consultants, models, and programs that I know did not predict the impact of COVID-19, especially on certain industries like airlines.
Your risk management program will only take you so far. It’s not a perfect process. But taking some measures to manage your risk is better than leaving your organization completely to chance.
It’s our job as risk managers to do our part in managing risk reasonably, while not spoiling all the fun.
*********
If you are looking for more information on Governance, Risk, and Compliance (GRC) perhaps that I didn’t share in this series, please reach out to me. I’d love to help.