Disrupt the function that is supposed to help with disruption

Once risk management was something used to deal with complexity. Now risk management has itself become complicated. It’s time for us to make clear choices, says Bryan Whitefield.

We can’t predict the future with accuracy. However, with the advancements of technology, the impact of climate change and the geopolitical forces that may come into play, we are going to experience unprecedented growth in complexity over the next decade.

Those organisations that learn to lead through that complexity will thrive while others will be overwhelmed. Complexity creates uncertainty and risk management is the process humans have been using through evolution to manage uncertainty, some better than others.

Risk management is the simple process of considering options, considering the consequences of those options and estimating the likelihood of different scenarios taking place and then choosing a path to follow. Simple.

So why is risk management failing in organisations?

There are many reasons that risk management is not strong and prevalent across the business landscape. The oldest and most entrenched reason is because of the perceptions of risk management as something negative. That risk management is a handbrake on business, or a wet blanket taking any of the fun out of it. We now have nicknames across the profession like the ‘Fun Police’ and ‘Business Prevention Officers’.

Why has this perception persisted?

In part it’s because of the professional disciplines that picked up the risk management mantra. In the industrial space it was the engineers who are traditionally both technical and have a need for accuracy. This can lead to confusing technical terms and even more confusing equations. The result: staff and entrepreneurial managers could not relate. All they saw and heard was complexity and gobbledygook.

In the finance (and many other) sectors, it has been the audit firms who have led the way. The urge for improved governance, including risk management, came through audit committees. The result has been, to a large extent, an audit mindset about risk. That risk management is about mitigating risk rather than harnessing uncertainty to take calculated risks. The result: staff and managers outside of audit and finance thought risk was about compliance and that audits need to hassle you to assure others that risk was being managed.

We once had a simple process used through evolution for challenges called ‘fight or flight’. As we evolved, we used it for decisions like when to cross the road safely, when to invest or divest, hire or fire, insource or outsource. A process that was designed to help us handle the uncertainty created by complexity was made complex. The result: boards all over the world had risk registers reported to them containing 400 risks. The reporters were looking for a pat on the back. Board members looked at the list and asked, “So what does it all mean?”

And what about the language of risk?

Not only did the profession make risk complex, we created our own language. Risk Speak. We put ‘risk’ in front of or after perfectly normal words like conduct, appetite and reputation. We then set about creating a whole new world around it and separated it out from the world of business.

What can you as an EA do about a situation like this?

When the boss groans when the topic is brought up, ask them why? Is it because it is too hard and complex? Is it because they can’t understand the risk people when they talk? Or is it because they have allowed their old perceptions of what is actually a good process to cloud their judgement?

If the latter, ask them to open their eyes. If they find the risk process being fed to them is too complex or too difficult to understand, suggest they change that. It does not have to be that way!