This article was updated 23 March 2018 based on comments by Rory Kilburn, Kat Kapuscinski, Pat Lisk and Clive Martin, in the LinkedIn Group ISO 31000 Risk Management Standard.
Every middle manager does some ‘risk management’: at least once a year, when submitting an annual plan for the unit. Risk specialists know that risk management should be a lived daily practice, and that doing it once a year is a pointless ritual. Yet that happens in my world.
In my world, the work unit annual plan is called a ‘business’ plan, to distinguish it from other levels of planning. A work unit within a large organisation is not usually a ‘business’. Many units are functional specialities, without revenue goals.
The annual business plan for a work unit links the outcomes to be achieved with the resources to be used. It is an agreement between the work unit manager and the organisation. From the unit manager’s point of view, the organisation and its stakeholders are represented by one boss, typically an executive.
Why it matters
Work unit annual planning is one of the most basic applications of ‘risk management’. The risk element of work unit annual planning is not the same thing as enterprise risk management (ERM).
Organisation risk frameworks come and go, as do consultants, ‘risk champions’ and risk management blogs. Regardless of those comings and goings, annual plans must still take ‘risk’ into account to be credible.
The organisation and the boss will expect management of risk during annual business planning. They will do so because they want to believe the commitments in the plan, because they want due attention to what can go wrong, and because the plan must recognise the costs of responding to uncertainty. These are good reasons to demand management of risk in annual planning.
The risk management scoped for annual ‘business’ planning is as important as other kinds of risk management, and it involves many more managers.
Part 2 explains where you come in, and sets out seven specific assumptions. You might doubt all of them.
You may feel that ERM is so important and powerful that it will take care of the risk aspect of work unit annual planning, once ERM really takes off. You might say that about the organisation’s ‘risk framework’, or its ‘risk culture’, rather than about its ‘ERM program’. If you’re right about that, there may be no need for a how-to guide, or for a why-to guide, because the why and how questions are answered already.
My experience with middle management, and with a risk committee, is that ERM and organisation ‘frameworks’ have not done anything so useful, though the theory is sound enough in both ERM and ISO 31000:2009 Section 3.
I have also seen that middle managers usually manage the effects of uncertainty pretty well, in the complete absence of ‘risk management’, to the point where formalising ‘risk management’ could be seen as an unhelpful distraction. Where there are big problems, ‘risk management’ isn’t the solution.
My conviction is that responding to the effects of uncertainty is nevertheless a key part of work unit annual planning. I am also convinced that if middle management planning doesn’t respond to uncertainty, the organisation that contains middle management is failing to address risk responsibly. I am less convinced that work unit annual plans, or organisational risk management, are keys to success. The world is much more complicated than that.
Your experience may differ. Your convictions may also differ.