Recent insights underscore multiple issues with common risk management approaches. Roger Estall and Grant Purdy conclude in their book ‘Deciding’ that risk management is a millstone hanging around the neck of organizations that should be abandoned.
First of all, what are we talking about when using the word ‘risk’? Unfortunately, there is no universal definition. The business model of ISO is standardization. It is striking that they use more than 40 different definitions of risk in their own documents.
In COSO IC (2013), COSO ERM (2004) and for that matter also in common parlance 'risk' refers to something negative. Something that can cost you money, be bad for your health or discredit you. On the other hand, the ISO 31000 Risk Management Guidelines (from the start in 2009) and COSO ERM (2017) use a neutral risk concept. It concerns both positive and negative effects on the achievement of objectives.
This change comes with far-reaching consequences. Originally, COSO used four so-called risk responses: Accept, Avoid, Reduce and Share. COSO added Pursue as an extra option in 2017: ‘accept increased risk to achieve improved performance.’ It is more in line with the common concept of balancing risk and return.
The fact that ‘risk’ has very different meanings implies that simply using the term is already a source of confusion. The traditional focus is on what can go wrong. This is by no means holistic. When you start investing, you are not only concerned with possible losses, but also with potential returns. Success is dependent on both benefitting from opportunities and reducing threats. Alternatively, if you use the neutral definition, implying both upside and downside risk, you lose most people in your audience right away. For them 'risk' has a negative connotation.
Because of this confusion, several thought leaders suggest avoiding the ‘R-word’. ‘Uncertainty management’, ‘success management’ or ‘expectation management’ are already better terms. The same goes for ‘value management’. After all, both COSO and ISO indicate that the purpose of risk management is creating and protecting value. It also takes into consideration that different stakeholders value different things, such as safety, financial return and punctuality.
One of the artifacts of conventional risk management is the ‘risk appetite statement’. It refers to the types and amount of risk that organizations are willing to take. However, how do you express the ‘amount of risk’? There is no unit of measure for risk. With risk profiles it is suggested that you can aggregate different risks for convenience purposes. If you try to do so based on monetary value, you will soon discover that what you value most in your life is difficult to monetize.
There is no science called 'riskology'. What we do have is a self-contained risk management world with all kinds of consultant-recommended practices. Those working methods must then be integrated into the existing management system. Unfortunately, the chance of encountering success stories is pretty small.
What we may not always realize is that ‘opportunities’ and ‘threats’ are our mental images of possible future events, changes in circumstances and trends. These images are strongly influenced by our personalities, knowledge and experiences. Above all, we humans suffer terribly from biases as Daniel Kahneman and others have pointed out.
Assessing risks is often done qualitatively in practice. Scores are awarded to estimated likelihoods and effects using values on ordinal scales (for example, from 1 to 5). This type of scale is applied in opinion polls and to rate the quality of hotels using stars. One cannot simply multiply ordinal values in order to come up with ‘risk ratings’.
Risk quantification is highly dependent on the quantity and quality of the available data and the assumed parameters in the model. If the assumptions used are no longer valid, the value of the model expires. Moreover, they remain just models; a map is not the area that it represents.
Many executives see risk management primarily as a compliance matter. To them effective risk management means above all that they don't get into trouble with their external or internal supervisors. Due to their role, supervisory authorities are hardly interested in the 'upside' of risk. It is their duty to minimize the downside.
Risk consultants try to escape from this compliance focus. In rapidly changing times, they state, business people like helmsmen must effectively navigate turbulent waters. Understanding and managing risks is therefore imperative for effective leadership. Hence, the business case for implementing risk management.
During training, Board members are taught to ask about the top ten risks. That is apparently a sign that management has thought carefully about the organization’s vulnerabilities as the basis for taking suitable actions to mitigate them.
It is remarkable, however, that one very rarely encounters entrepreneurs, line managers or project leaders at risk management training courses, webinars and conferences. This is quite striking, as standards promise that risk management enables them to better achieve their objectives. Most of these individuals are not stupid. If it really helped them, wouldn't they all sit in the front rows, eager to learn how to take advantage of it?
The reality is that risk management has become an accountability tool. That is quite different from a tool for trying to achieve your goals under uncertainty. To what extent do the usual risk management practices really help decision-makers deal with their dilemmas?