What is risk management? It’s not following a risk management process

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

What to read first:

  • Reconciling definitions of risk management
  • What is risk management? (supplement for risk specialists)

Risk specialists

Possibly you were a little uncomfortable when I dismissed risk registers and risk ratings as non-essential. It is even possible that until now, you have equated risk management success with use of a ‘standard’ level-of-risk lookup table that looks something like this.

Likelihood (rows) against consequence rating 1 to 5 (columns); only the first and last consequence labels survive on this page.

Likelihood            1 (Insignificant)  2        3        4        5 (Catastrophic)
A (almost certain)    High               High     Extreme  Extreme  Extreme
B (likely)            Medium             High     High     Extreme  Extreme
C (moderate)          Low                Medium   High     Extreme  Extreme
D (unlikely)          Low                Low      Medium   High     Extreme
E (rare)              Low                Low      Medium   High     High

Possibly this diagram gives you a reassured glow, with a secret discomfort about the irregular pattern. Or perhaps it makes you wince. (It’s from AS/NZS 4360:1999; alternative values are available in HB 436 Tables C5 and C6.)

I have spent a lot of hours on reworking this style of matrix. Possibly I once assumed that risk management actually means using such a matrix.

On the other hand, you might suspect, like many before you, that registers and ratings are an unhelpful intrusion into the management of risk, understood as part of actually managing. You may feel that ISO 31000, ‘risk management’, and its process police are a bureaucratic block on doing useful work that deals with real concerns in the real world.

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000.

  • ISO 31000 does not include the word ‘register’, nor the word ‘matrix’. To sledge-hammer the point:

Although the standard stipulates that risk management activities should be traceable, it is not always necessary, practical or of benefit to prepare a comprehensive, or even selective, register or log of risks.

Indeed a common risk management error is for organisations to regard the generation of a register of risks as either the main purpose or end goal of risk management activity, whereas, as explained in Annex A of the Standard, the actual purpose is to ensure the organisation understands its risks and that they are within its criteria. [HB 436]

  • ISO 31000 does not prescribe use of likelihood or consequence scales at all, let alone use of a particular scale, or use of a consistent scale across an organisation.
  • ISO 31000 does not discuss or recommend comparing or adding risks of different kinds. As a result, it does not need anything like the look-up matrix for that purpose. It does not even need scaled levels of risk.
  • On the other hand, ISO 31000 starts off with eleven Key Principles of risk management, none of them linked to prescribed steps or scales. Failure to implement the principles (all eleven of them) is failure to implement ISO 31000. The first Key Principle is that risk management creates and protects value, linking ‘risk management’ with the real world and not with process adherence. In the 2017 revision of ISO 31000, this principle is not only the first, it is at the centre of all the other Key Principles.
  • After the Key Principles, ISO 31000 talks about a risk management framework. The ISO 31000 framework is not a procedure with scales and templates. Outside ISO 31000 itself, the word ‘framework’ is often applied to prescribed policies, structures, and processes, often with scales and templates. But the ISO 31000 ‘framework’ refuses to discuss those, and instead refers to more decisive features of the real world, such as capability, motivation, and accountability for managing risk.

Most objections to ISO 31000 are objections to risk registers, standard matrices, and centralised bureaucracy. But risk registers, matrices, and bureaucracy are not part of ISO 31000, even if they are somewhat entrenched in the informal risk management culture that claims authority from ISO 31000.

The matrix above only ever appeared as an Appendix in versions of AS/NZS 4360 prior to 2004. It is in Appendix E in the 1999 edition as an example and did not appear at all in the 2004 revision, nor anywhere in ISO 31000:2009. It lives on as examples in HB 436, again in an Appendix, not in the main body, and not in a Standard [Tables C5 through C7, Appendix C]. It has been repeated and promoted widely in secondary sources. COSO ERM is not one of the sources that repeat the matrix. Like ISO 31000, COSO ERM avoids this level of process prescription altogether.

Whatever your starting position, the best resolution is to adopt the principles from ISO 31000 and to do what it takes to implement those principles. No methods and processes are uniquely correct. It’s implementing the principles that matters.

I would also clarify that the actions you take, as the risk specialist working with the nuts and bolts, are far less important than the drivers and attitudes of the leaders at the top of your organisation. Working with the leaders is the most important part of your role.

Registers and scales do not define Enterprise Risk Management either.

I just listed a series of ISO 31000 features proving that registers and scales are not essential to risk management as defined in that Standard, and as I defined it.

The listed features of ISO 31000 were about ‘risk management’ as a common thread in all human activity, and not about Enterprise Risk Management for an organisation.

I will explore the specific features of Enterprise Risk Management in a future piece. Assuming we share an understanding of the differences between pure risk management and ERM, it is reasonable to think that standardised registers and comparable scales for risk levels might be the necessary or best way to implement Enterprise Risk Management. There is a global industry based on that idea.

As with risk management in general, ERM is not defined by its methods. The ISO, COSO and IIA define ERM by the ends, not the means.

I am not about to put the global risk register industry out of business. However, I believe that it is possible to achieve effective ERM, involving the understanding of all kinds of risk and all levels of the enterprise, without:

  • a centralised risk register
  • scales for likelihood, consequence, or level of risk that are shared across different kinds of activity and objective
  • any lookup matrix for levels of risk.

To some extent, all of these elements actually get in the way of managing risk up, down, and across a large enterprise. I will be outlining an alternative approach in future articles. In the meantime, you might like to Google ‘Objective Centric Risk Management’, which is not my approach exactly, but it is another approach well worth your consideration.

It may be the case that a centralised risk register and scales are involved in good ways to do ERM, but I am yet to be convinced that they are necessarily the best way. A lot of well-observed practical experience would be needed to settle that question.

Next article for Specialists

What is risk management? It’s not what ‘risk managers’ do

If you are a risk specialist supporting management, you advise the decision makers and their teams on how to approach the organisational understanding of risk, and on taking action with that understanding. If you are a risk specialist at the governance level (as an audit and risk committee member, say), your primary advice and support will be directed to the board or CEO rather than to the management hierarchy underneath them. The Chief Risk Officer (CRO) is a risk specialist operating at the C-level, the top level of management below the board and directors.

Risk specialists Version 1.0 Beta

Previous article for Specialists

Reconciling definitions of risk management

Parent articles

What is risk management? (extras for risk specialists)

Main article on What is Risk Management?