What is risk management? What matters for management (Executives)

The ‘Executive’ stream in this site is for people who actually make decisions and thereby manage risk. As an executive manager, you are managing risk on behalf of stakeholders. As a stakeholder, you are relying on the decision makers to look out for your interests.

This article assumes you have read What is risk management? (Everyone). That article covered the key points as concisely as possible. This one isn’t an ‘executive summary’, but further advice specifically for people who make real-world decisions (as distinct from specialist advisers).


Your roles as an ‘Executive’

The ‘Executive’ stream in this site is for people who actually make decisions and thereby manage risk.

I don’t limit ‘Executive’ readers to the senior management levels. Decisions are also made at middle management and team leader levels, and all levels manage risk.

I have two broad categories of decision maker in mind, regardless of management level. The obvious category is populated by managers with direct day to day executive control of activity and resources. To take an analogy with the arms of government, these people are in the Executive arm.

The other category is for those not in direct control, but representing stakeholder interests and exercising critical influence through that role. For example, the senior user, financial, or marketing representatives for an ICT project are stakeholders in risk as managed by those making the day to day decisions. In the government analogy, these people are in the Legislature. As with the Legislative arm of government, the total legislature has a lot of power, though individual members may have little.

The interests of the direct decision makers (Executive) and influential stakeholders (Legislature) tend to overlap at higher levels of executive management.

Regardless of which category you are in, or your management level, you are already managing risk. You may not be doing it well, but you are definitely doing it – already. Risk management is not something new to add to your workload. Management is taking actions to achieve an outcome, and risk management is simply recognising uncertainty of outcomes.

If you have a new thing called ‘risk management’ pushed at you and it walks and talks like a waste of time (or worse), you may well be right. Even when the effort is worthy, defined risk management processes may well produce decisions and assurance that could be made more directly and reliably using other human faculties. Common sense and relevant experience are often good alternatives. Your first priority is getting the right things done for your organisation.

On the other hand, your current management of risk may not be sufficient. If you are unable to demonstrate a clear awareness of all the risks, and responsible action on them, you may be letting down your organisation and exposing yourself to career damage.

You may also want to think about whether you are comfortable with everyone you manage either ignoring the uncertainty of success, or making their own risk-based decisions without ever explaining them to you. Your superiors may feel about you the same way you feel about your people, only with more eyes peering over their own shoulders.

For those reasons, you must ensure that risks are managed so as to meet your actual responsibilities and concerns. If that isn’t happening, something needs to change.

Future articles will suggest specific ways to make risk management work for you. There is no one best way. There are plenty of other sources, and I’ll refer you to the good ones that I know about.

For now, here are some test questions that you can use to distinguish the useful from the annoying.

Test questions for direct managers

As a manager, you are managing risk on behalf of stakeholders.

‘Managing risk’ means making decisions about what happens, with more or less awareness of the implications for risk.

  • Is this helping to make better decisions than would have been made without it? A ‘better’ decision can mean a different course, the same course with some extra safeguards, or simply an improved ability to explain what was done.
  • What is the likelihood of the activity achieving success? What is the likelihood of a failure so bad that the activity would better not have been started? How often will bad things happen? How bad will they be? Is there a chance of something unexpectedly good coming out of this activity?
  • Can the ‘risk management’ activity actually answer those questions? If not, what good is it?
  • Do I have a clear idea of the actions that were assumed to have been taken when these conclusions were reached? Have they actually been taken in the way assumed by the risk assessment?
  • What opportunities are being given up to reduce the exposure to disappointments?
  • If something goes wrong, can it be shown that the risk-based decisions were the right ones anyway? Or will the so-called ‘risk assessment’ be the first casualty?

These questions aren’t actually as helpful as they seem:

Test questions for stakeholder representatives

As a stakeholder, you are relying on the decision makers to look out for your interests.

You are the one directly exposed to risks in the activity. You don’t have direct executive control over the activity but you can query or object to what the decision makers are doing. You may even be in a position to kill the activity if you’re not happy.

  • Do the decision makers know what is important for me to get out of the activity, and the outcomes that I really want to avoid?
  • Can they explain how likely it is that I will be disappointed, and how badly?
  • Why should I trust what I’m being told about that?

Further Reading

Main article on What is risk management? (Everyone)

Recommended next articles:

Discrete risk management processes within an enterprise (Everyone)

Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit. There may be multiple discrete risk management processes across the enterprise. Any discrete risk management process needs to have a definite scope. Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.


Some other main topics:

Discrete risk management processes within an enterprise

‘Enterprise Risk Management’ and risk management (coming soon)

All pages on What is Risk Management?

Articles for everyone:

  • The goal of risk management (Everyone)
  • Key Principles for actually managing risk (Everyone)
  • How does ‘risk management’ fit with all the other kinds of ‘management’?
  • What separate activities are specific to ‘risk management’?
  • What is risk management? Examples
  • What is risk management? Thinking too narrowly
  • What is risk management? Less common errors

Supplements for reader streams:

  • For Risk Specialists: What is risk management? (Specialists)
  • For CRMA Candidates: What is risk management? (CRMA)
  • For CRISC Candidates: What is risk management? (CRISC)

Extras for risk specialists:

  • What is risk management? Reconciling definitions of risk management
  • What is risk management? Definition of ‘risk’ (Specialists)
  • What is risk management? Definition of ‘risk management’ (Specialists)
  • What is risk management? Defining the end result of effective risk management (Specialists)
  • What is risk management? It’s not following a risk management process
  • What is risk management? It’s not what ‘risk managers’ do

Risk consequences as the final effect on objectives (LinkedIn – registration required)

For Executives: What is risk management? What matters for management (Executives)
For Australian Government readers: What is risk management? (Australian Government)
