You say tomato....

It is amazing how the Risk Management profession continues to display its lack of cohesion.

I recently noted a question posted by a Risk Manager, whom I hold in regard, in which he sought feedback on an alternative for the term “Residual”. It highlights how the Risk Management profession continues to send messages of uncertainty to others. It isn’t uncommon for members of the profession to criticise Risk Management methodology and techniques and, in some cases, to completely recant any benefits from the process at all.

Everybody respects the right of opinion, but it is obvious that many of the criticisms raised are actually blatant attempts to drive individual agendas. I confess, in writing this blog I am guilty of the same – my agenda is to promote the benefits of Risk Management.

It is perhaps the use of the word “Risk” in Risk Management that causes the problems. Perhaps we would be better to simply refer to it as management. After all, we all know that it is the business that owns the risks, and management’s day job is to ensure the effectiveness of controls to both prevent and mitigate those risks.

Or perhaps it’s the word “Management” in Risk Management that is causing the confusion. Again, if managing the risks of the business rests with the business, management is simply the discipline and practices that are undertaken to manage the business. Again, day job.

But perhaps it’s the confusion created by the many consultants in the Risk Management space who have never been at the coalface of a Risk Management function. Experience tells us that the reality of being in the role differs widely from the theoretical interpretation of many consultants. For example, it doesn’t much matter what terminology is applied (within reason); rather, it is important that there is a consistent understanding of what that terminology means. A glossary is useful in this respect.

It would be helpful, of course, if the Risk Management profession did have, and apply, a consistent methodology, and indeed there is such a document that does provide the definitions that are adopted in the ISO 31000 standard. But it is not definitive, and this leaves the need to find definitions for the many commonly adopted terms, such as residual risk in the above example. This would go a long way to helping those outside the profession gain a greater understanding of Risk Management.

But does it really matter? No, not really. Good Risk Management practitioners, and the organisations they work for / are engaged by, understand the importance of a bespoke approach to Risk Management. Whilst the concepts of Risk Management vary little, the individual requirements and how they are delivered must be specific to the organisation’s culture, its objectives, values, etc.

Risk Management is largely about providing framework, resources, process and structure to the management of risks, both threats and opportunities. It’s about ensuring the risks are understood, providing support to decision-making capability, and empowering the business to “get on with it”. It identifies the areas of focus in control effectiveness needed to both protect and create value. It’s not exactly complex – in spite of the efforts of many to make it so.

