Risk is managed by managers, not specialists.
Risk is the uncertainty of outcomes. Outcomes are supposed to be managed by managers. Not by risk specialists.
Managers can do it well without us, and maybe better. They are already making risk based decisions every day.
Annual business planning should lead a manager to think directly about the uncertainty of the outcomes from what they do. When submitting the business plan, the manager wants to be able to look the boss in the eye. The boss will want to know why the business plan will come true, why its performance goals will be reached, and why the dream won’t turn into a nightmare.
The truly confident answer will come from the manager having assessed exactly those uncertainties. We call them ‘risks’.
The manager’s confidence does not come from an enterprise risk framework. It does not come from systems, templates and standardised scales. It will not come from the involvement of a risk specialist, nor from using an approved process.
The confidence will come from having asked and answered the right questions about the outcomes that matter, the likelihood of those outcomes being reached, and the ways in which the outcomes might be very different to those planned and promised.
The Clear Lines on Audit and Risk lead managers to ask and answer those questions, and to looking the boss confidently in the eye.
The manager identifies a range of potential outcomes on each objective, pathways to each outcome, and the likelihood of each pathway and outcome.
These are the tips to managers in Clear Lines on Audit and Risk:
- Define the objectives of the work unit, as intended outcomes for the year. Classify the outcomes as benefits, costs, dangers, and capabilities. Under ‘dangers’, list unintended outcomes that the unit is supposed to avoid and prevent. ‘Capabilities’ include expectations beyond the end of the year. (Direct link to these details)
- For each objective, paint a picture of success. Then paint a picture of each better and worse potential outcome, from ‘Far better than expected’ through to the ‘Worst imaginable’. (Direct link to these details)
- Use these outcome pictures for communicating forecasts, and the uncertainties around those forecasts. ‘Risk’ is simply the likelihood of an outcome other than the expected outcome. On any day in the year, each of the outcome pictures, good and bad, has a likelihood. Each of the likelihoods might be acceptable, or not. Good outcomes have a minimum acceptable likelihood, and bad outcomes have a maximum likelihood. Those tolerances are based on the organisation’s risk appetite. Risk appetite is the organisation’s willingness to accept uncertainties of particular kinds.
- For each potential outcome picture, identify the pathways by which it might be reached. Call each of these pathways ‘a risk’. Recognise ‘wrong assumptions’ as an important source of uncertainty, along with events that might happen. Identify the controls that make each ‘risk’ and its outcome more or less likely.
- Estimate the likelihood of each outcome picture, both directly and by adding up the likelihoods of pathways (risks) leading to that outcome picture. The collection of all pictures, each qualified by a likelihood, is called the Risk Based Outcomes Forecast (direct link to details).
- If any outcome has a likelihood that might be too low or too high—representing unacceptable—do something to change it. Doing something can mean changing the controls, or cancelling the activity. Some of those controls might involve monitoring and acting on indicators. It can also mean discussing the situation with the boss. Accept that changing controls or cancelling an activity to improve the likelihood of one outcome will usually make another likelihood worse. The goal is to make all outcome likelihoods acceptable at the same time. Some might be better than acceptable.
- Ensure that the unit is funded and committed to doing what you decide. For each critical control, make sure there’s an alert if it stops working.
For unit managers, the Clear Lines on Audit and Risk explain each step fully in plain English, with examples and models.
The process is in the spirit, and letter, of ISO 31000 applied to a work unit. It creates a single view of forecast outcomes that includes ‘risk’. Risk specialists work for managers. Managers don’t work for risk specialists.
This is what you want to know as a risk specialist:
- Any manager can and should be managing risk in their unit. They don’t need corporate support or direction to do it. The client is the manager’s boss, not the CRO. The boss cares because boss performance assessments are affected by unit outcomes. The process works for any size unit with a business plan. It leads the manager to tailor their own efforts to their own situation, and does not need tailoring by a risk expert.
- Identified ‘risks’ relate directly to the specific objectives of the work unit as understood by the unit manager and the boss. There is no impact scale that blurs together consequences of unrelated kinds. A lot of the time is spent on the objectives before getting to the R word.
- There is no need for systems, templates, or lookup tables. There is no ‘program’ to roll out.
- The centre of risk management is a conversation with the boss. It is not the risk register. The conversation creates the practical understanding of risk appetites and tolerances, even if they have not been set formally.
- The overall picture of risk is also the overall picture of forecast performance. It is simply the spread of likelihood across alternative outcome pictures. For each objective, one of those outcome pictures is planned success. The likelihoods of the other outcomes represent risk around planned success. Looking across all the objectives, the most likely outcomes together represent the performance forecast.
- Management of risk is driven by a demand for confidence. That demand is actually felt by the people involved. It is not an aspiration to ‘do risk management’. The demand comes directly from enterprise concerns about outcomes, and will not degenerate into a compliance exercise. (That is, until someone sets out rules, templates, and procedures, then checks for compliance instead of real-world value. Please don’t do that.)
- The underlying concepts are from ISO 31000, applied to a work unit within an organisation, not to the enterprise as a whole. Risk is understood as the effect of uncertainty on objectives. Objectives are the preferred unit outcomes for the year. Uncertainty works in both positive and negative ways, and affects both intended and accidental outcomes. Other process details are from SA/SNZ HB 436:2013, and a few are original, but all are consistent with ISO 31000.
- Your role as a risk specialist is to help managers at the work unit level and at the boss level. At the upper level, you help the boss to clarify expectations of unit managers and to advise on whether those expectations have been met. You’re accountable to both managers. They are not accountable to you.
Managers following the how-to guide will create auditable records consistent with the expectations in ISO 31000 Clause 5.7 direct link to details). They will do it in their own way without any mention of templates or systems.
Work unit risk management contributes to Enterprise Risk Management.
Management of risk at work unit level supports Enterprise Risk Management, and is a step toward the ERM vision. In ERM if the ‘work unit’ is the enterprise and the ‘boss’ is the Board. The simple approach in the how-to guide is not itself ERM.
|Seen it all||Version 3.|