A risk register makes you feel good.
It makes you feel you have accomplished something: a list of risks that might cause harm to the organization.
It makes the executive team and the board feel that they can check the box: “do you have a risk management program? Yes.”
But, does that risk register help people formulate and then execute the right strategies for the organization to deliver optimal value?
Does it help people at all levels of the organization make informed and intelligent decisions?
In fact, does it do more harm than good? Does it give the false impression that risk to organizational objectives is managed at acceptable levels, when in fact decisions are made daily that do not give appropriate consideration to “what might happen”?
I did a small consulting project for an organization recently that wanted to improve its risk management. I pointed out that their annual filing with the SEC had 13 pages of risk factors. I asked whether they were used to enable better decision-making. The answer was a bunch of smiles. Frankly, I doubt that the executives present were even familiar with those 13 pages.
As I suggested in Risk in the Fourth Dimension, we need to consider what we are trying to achieve and why.
The purpose of risk management is not to produce or review a list of risks. It is to help the organization achieve its objectives by considering what might happen and acting to optimize outcomes.
What do the leaders and decision-makers of the organization need to be informed and successful?
Is it a list of risks?
Do risks remain static or are they dynamic?
In World-Class Risk Management I point out not only the need to manage the business at the speed of risk (I love the fact that others have adopted my phrase), which is dynamic, but also the need to consider the potential aggregate effect of risks on each corporate objective.
There are some risks that are transitory, such as those you consider when deciding which candidate to hire for an open position, and others that are continuing.
All you will see on a risk register (or, for some, a heat map, misleading as those charts are) are the risks that are expected to continue in some shape or form.
But even those continuing risks can change with surprising volatility, which is rarely indicated on a risk register.
A risk register or other form of list of risks does have some value, but it is limited.
I believe it is better to have a list of objectives and a continuing assessment of the likelihood they will be achieved.
That’s what matters. That’s why we need some form of risk management.
I ask again the question in Risk in the Fourth Dimension: are we just doing what we are told, as children do, or are we figuring out how to help people make better decisions, as adults do? That may be quite different from so-called traditional ERM, SRM, etc.
I welcome your comments.