Seen it all (Version 3)
About the how-to guide
The how-to guide is framed specifically for unit managers challenged to understand risk in their annual business plan. The guide does not mention other applications of risk management.
It gives steps for managers to take. It assumes that the manager knows the business, and does not give advice on risks applicable to specific types of business and activity.
A generalised version of the underlying risk management process has been published on LinkedIn. The LinkedIn version is directed to risk specialists. It generalises beyond business planning to ERM and to project risk management. It also discusses risk appetite and tolerances directly.
What’s different about it
In the Clear Lines on Audit and Risk,
- risk is the effect of uncertainty on objectives (not so different), and
- the effect on objectives is a defined difference in outcomes, usually at a named future date.
Popular risk practices understand something different by risk ‘consequences’, usually in the nature of setbacks or events that might be thought to affect objectives somehow. There is a long-standing culture of consequence scales that put the focus on a word like ‘high’, or a number like ‘3’, and not on a defined difference in an outcome.
Formal standards are consistent with understanding the ‘effect on objectives’ as a difference in outcomes, but never spell out that interpretation as clearly as the Clear Lines on Audit and Risk do.
Interpreting the ‘effect on objectives’ explicitly as an outcome difference is the trademark feature of the Clear Lines approach to risk management. In line with this feature, the Clear Lines put a lot of emphasis on understanding objectives, and on understanding outcomes other than planned achievement of objectives.
- The Clear Lines recommend that potential outcomes are compelling pictures, rather than debatable metrics shown as numbers.
- The Clear Lines have a fresh explanation of risk appetite and tolerances, based on the trademark interpretation of ‘effect on objectives’ as outcome differences. The fresh interpretation is consistent with the ISO and COSO interpretations, though not necessarily with regulators’ interpretations.
- In the Clear Lines, likelihood is defined as the likelihood of a specific difference in outcomes. That is different from the likelihood of an unplanned event, and usually much less. (This detail is supported explicitly by HB 436, in the ISO 31000 family.) Likelihood is estimated both for separate risks (understood as pathways to an outcome), and for reaching a given outcome (by any pathway).
These are other important features of the how-to guide for managers on risk in work unit business planning.
- It is about middle managers’ real-world experience with business planning and risk. It is not a grand vision for Enterprise Risk Management, in which the majority of middle managers are left behind. It can support Enterprise Risk Management, as long as Enterprise Risk Management is not just code for ‘standard scales’ and a power shift to risk specialists.
- It deals with risk in business planning as something separate from the other kinds of risk management in which the same readers may be involved, such as health and safety, security, projects and so on (as well as ERM).
- The steps in the how-to guide are for middle managers, who need not rely on a risk expert.
- It assumes that risk is being managed for the right reason. The right reason is to assure protection of stakeholder interests. For middle managers, stakeholders are represented by a boss. The boss is a real person who can be seen across a desk. The approach to risk is not about fulfilling the dreams of risk experts, consultants, or risk software vendors. If the boss doesn’t cooperate by representing stakeholder interests, those interests are still important. The manager is well advised to discover and anticipate those interests, even if there is no help from the boss.
In short, the approach is all about real managers. It is about the important effects of uncertainty in the work that they do. It is not ‘doing risk management’ for compliance or other less compelling reasons. Those are the wrong reasons to manage risk.
You will first want to know if this is a safe place to send your clients. Even before that, you want to know if this stuff is worth reading at all. To help you answer those critical questions, there is a fast-track summary of the process for your quick evaluation. The fast-track summary for risk specialists is written in a compact style for experts. It includes references.
The how-to guide for unit managers is in a different style. Everything is explained fully. It does not assume any knowledge of risk management. There are worked examples and models. There are no templates that can be separated from explanations and hard questions. Unthinking reliance on templates has been a near-fatal cancer within risk management.
You can refer your unit managers to the how-to guide directly. You can also create your own guidelines reflecting the ideas in this guide.
Most of all, you can comment on every article in the guide, as can unit managers. The Clear Lines on Audit and Risk will promote good alternative views and methods, consistent with the fundamental principles.