Does Risk Management need more fizz?

How many risk meetings are attended by business leaders because they feel they have to rather than because they want to? Often the Risk Meeting is only slightly above having to read the Health and Safety policy each quarter in terms of interest. (Sorry, I am sure that somewhere in the world there is a Health and Safety policy that is a real page turner!)

Here is a picture for those who enjoy watching paint dry.

How many Risk Registers contain very generic risks leading to generic or vague actions? Risks that seem to dwell permanently on the register and never get closed off, lingering like old rock stars? Well known to everyone but not quite listened to anymore.

“Risk – We have key person dependencies in our IT team”

“Action – let’s invent cloning”

How many Risk Management systems would be described as dynamic, energising and a driving force for improving corporate profitability? On a scale of lots to never?

Where are you on the lots to never scale?

Risk management, instead of being a dynamic and energetic driving force in the organisation and one that enables greater profitability, has become for some a milestone that is more about compliance with the risk system than addressing the risks themselves.

Closing a risk is seen in risk circles as something you just don’t do. You can accept it, mitigate it or reduce it but, God forbid, you cannot close it!

My two-penny worth –

  1. Risk Discovery needs a kick up the arse. There needs to be far more of it, lots more risks identified and logged and better risk awareness across organisations. We need to see as much of the iceberg as we can!
  2. Risks need to be specific and not generic. Generic risks are rarely enablers of action.
  3. Risk definition needs to be the gateway to resolution, not an exercise in self-preservation within the corporate hierarchy.
  4. Risks should be closed once addressed – this means that they are written in a way that implies they can be! Do away with the ridiculous ‘residual risk syndrome!’
  5. Risk Management systems need to become advocates of risk activity – not of getting fewer risks.
  6. We must be able to come up with a better way of assessing impact and probability other than High, Medium and Low by now?
  7. Risk meetings need to be charged with energy and engaging. You should want to attend as it is your business and your opportunity to make more money!
  8. A risk that you have had on your risk register for a year is not a risk, it is a way of life. Move on.

The health of the risk management system needs to be judged on activity: how many risks are opened, being actioned and closed – fewer risks on the register might not be a good thing!

If there was ever a time to supercharge risk management, it is now! Actually, it was last Thursday but let’s go with now.
