Is your approach to risk “value creating”?

One of the most important decisions that an organisation makes is its attitude to risk and its approach to risk management. It is a strategic decision that sets the tone for how the organisation will protect and create value.

And yet the language of the risk management industry is replete with words such as:

  • Control
  • Mitigate
  • Manage
  • Reduce
  • Limit
  • Avoid
  • etc

…none of which sound strategic!

Australia and New Zealand were the first countries in the world to produce a standard on risk management (AS/NZS 4360:1995 – updated in 1999 and again in 2004). While the standard was not prescriptive, I think it would be fair to say that it was very quickly adopted and/or adapted by the vast majority of Australian organisations and their advisors, who wanted to demonstrate minimum acceptable standards in the way they approached risk management.

While a great start, the standard was very ‘process’ focused. Organisations became very focused on demonstrating that the process steps were in place, sometimes to the detriment of the more important questions such as:

  • What is the quality of the risk information we are getting from this process?
  • How objective is the information we are generating about risk?
  • What is the link between risk and strategy, business planning and organisation performance?
  • How does our understanding of risk drive behaviour throughout the organisation?
  • How does the risk information help us to make more “conscious and informed” decisions on running the business better?
  • Is this an important part of the way we do business, or is it a tick-the-box exercise to satisfy the requirements of a third party?

The disconnect between these important issues and the language and approach of the risk management industry suggests to me that the industry would benefit from a make-over.

In November 2009, the AS/NZS 4360 standard on risk was superseded by an international standard, AS/NZS ISO 31000 Risk Management – Principles and Guidelines.

This standard is a welcome addition to the thinking around risk management for two reasons:

Firstly, it has updated the definition of risk. It defines risk as “the effect of uncertainty on objectives”.

This definition, it seems to me, acknowledges that not all risks can be ring-fenced, controlled and mitigated out of existence. Many of the risks that affect our organisations today are driven by external factors and we have to be prepared to react to these issues that may well be outside of our direct control.

Secondly, the standard makes the risk management ‘process’ subordinate to the ‘principles’ of risk management. These principles recommend that, among other things, approaches to risk management create and protect value, explicitly address uncertainty, are based on the best available information, and take into account human and cultural factors. In fact, the Risk Management standard goes as far as to state that adherence to these principles will determine whether an organisation’s risk management is effective.

I look forward to these Principles encouraging a real dialogue within organisations about the quality of their risk management approach, and the activities that they are resourcing. Over time, we may hear more people describing risk management in their organisations as value adding, fundamental to delivering objectives, excellent return on investment, and delivering information that is high quality, timely, reliable and inextricably linked to strategy and business performance.

Now that would be refreshing!

If your risk management approach and supporting activities are not creating and protecting value, then you might be resourcing ‘tick the box’ activities that are not contributing to the quality of decision making… clearly an opportunity lost.
