Risk management and middle management, Part 2: Where you come in

Part 1 set out the basic reason to look at risk management for middle management.

This is where you come in.

I’m working on a how-to guide for managers. The guide is about risk in ‘business planning’ for the work unit within a large organisation. It’s a how-to guide, and a why-to guide, because the world is full of how-to guides that lost sight of the why. The guide is addressed to tiny work units just big enough to have ‘business plans’, through to large structures headed by a senior executive just below the C-level. The work unit manager in the audience will be responsible for some outcomes, not just for rosters and for making numbers.

A basic premise of the guide is that managers must deal with risk in ‘business planning’. Looking at it another way, organisational management of risk must include the work unit level of risk management.

So please tell me how it is for you, before I tell the world how to manage risk in annual work unit planning.

Seven distinct assumptions

These are the assumptions I am making.

  1. Middle managers must have annual ‘business’ plans, defining work unit objectives and outcomes for the year. These plans are separate from strategic planning, and from operations and systems design.
  2. Those annual plans must take into account the effects of uncertainty. In risk jargon, annual plans must be supported by risk assessment, and must include risk treatments. Without recognition of uncertainty, and a planned response to uncertainty, the annual plan will not be credible. What the manager does need not be called ‘risk management’, but it must include ‘risk management’ within the meaning of ISO 31000.
  3. Risk management for an organisation must include risk in annual work unit planning. The organisation also needs many other strands of risk management, and the same middle manager may be involved in more than one of those strands.
  4. The risk part of annual business planning often fails to make annual planning credible, and fails to contribute usefully to risk management for the organisation as a whole.
  5. ERM programs, and ‘frameworks’, are changeable and often ineffective, especially for middle managers. Specialist risk coordinators come and go, and they are not a sustainable solution. Regardless of those whims and contingencies, organisations still need to manage risk effectively at work unit level.
  6. The gap between changeable ‘frameworks’ and the fixed basic need can be reduced by a generalised middle manager guide. The guide empowers managers to respond to uncertainty in work unit annual ‘business’ plans.
  7. The guide must include tailoring of the risk management process to the specific work unit and to its place in the larger organisation.

You might think differently about each of these assumptions. Please let me know which ones don’t work for you, and why.

Part 1: What and why

Risk in work unit business planning: Start point for managers

Risk in work unit business planning: Start point for risk experts


  1. Your section called Uncertainty should really be called Risk, or at least your examples are examples of risk. Insurance companies know (or try to estimate as best they can) the likelihood of events and even weather forecasters will say what the percent chance of rain is. So maybe a sentence or two on the difference between risk and uncertainty would be helpful.

    1. Thanks Marcia, which page were you looking at? This post doesn’t have a section called Uncertainty. Happy to show your comment on the right page. Much appreciated, Roger
