For years, people have been talking about the need to "embed" risk-management processes. I used to talk about this too, but I have gradually become aware of various reasons why embedding never seems to work.
The root cause is the concept behind the term "embed". Lurking underneath this apparently innocuous word is the belief that "I know best" and the assumption that "I am telling you what you should be doing". Some risk managers hang on to a steady belief that all would be fine in organisations if only people did as they were told and completed the risk registers.
Apart from the obvious disrespect, managers resist a formulaic approach to risk management because they don’t believe it is helping them to manage. Completing the framework documents becomes another chore to keep head office happy, but has nothing to do with managing risk in reality or making better decisions.
Managers are managing risks all the time, using a range of data, plus their judgement and experience, to balance risks in decisions. It is core to management. So telling managers that they are "doing" risk management when they are identifying risks and ranking them is nonsense.
That aspect of recording risks is only an act of communication, and often a poor one at that.
A better approach is to work with managers and go with the grain, integrating risk management into their ways of working. Finding out what they already do is a good place to start. The annual planning round is a good chance to reflect on changes so that the work plan can incorporate the actions needed. You might need additional resources or priorities; you might need different skills. The actions can be tracked over the period of the plan and picked up in individual plans and targets.
We also need to accept a higher degree of complexity. Risk management is not simply about avoiding risk or preventing bad things happening. Organisations need to take some risks to achieve their strategic goals, but in a managed way. Individual managers are balancing risks whenever they make decisions: for example, when you need to reach people affected by an earthquake but there are still aftershocks, when you accept sponsorship from companies but have concerns about their environmental policies, or when you accept a contract for less than the full cost because it is better than turning people in need away.
Risk management is not a binary choice but a trade-off. This judgement needs to be informed by discussions about how the organisation lives its values. The external environment is always changing, so you need to refresh these discussions, making your approach to risk-based decisions dynamic, not static. Sometimes we get the balance wrong or do not have all the information we need; that is useful feedback to help adjust future decision-making.
I hope I have persuaded you to stop trying to embed risk and start integrating risk judgements into day-to-day management.
Kate Sayer is senior consultant at specialist auditors Sayer Vincent