From process to purpose

Globally accepted Risk Management frameworks and practices are driven by process-thinking. This approach is a way of interpreting events in terms of processes of change that create them and is as such largely based on historic information and producing “backward-looking” results. The actual contribution to the effective management of risk is limited and therefore we need to shift the focus to the desired outcomes and the value that can be added to the business to build sustainable competitive advantage.

In many organizations, leadership’s traditional functional mindset represents one of the most significant barriers to change. Indeed, there is reason to believe that the traditional functional paradigm has done more to impede customer focused, business performance improvement over the past two decades than almost any other factor. It reinforces a task focus and traditional command and control behavior. Many organisations are still trying to innovate in the age of disruption….. they will not be around for very long.

On the other hand; if the leadership is clear on the purpose and expected outcomes; and clear on all the purposes for every process step they need to employ to deliver the ultimate purpose, then they are purpose driven. Any process step that does not add value to the ultimate purpose is simply not done and the outcome will deliver better decisions and increased value.

For Enterprise Risk Management this involves a mind-shift from Risk Management as a process; to the purpose of the effective management of risk; mitigating negative risks and exploiting positive risks by everyone at all levels of the business; in a structured way to the benefit of the organisation as a whole and build sustainable competitive advantage.

If you are still trying to Identify all the risks you are exposed to within the context of your business or spend endless hours converting historic data into useless risk reports in an effort to mitigate as much risk as possible for a green light on the road to taking less risk (for less reward); spending a fortune on controls and the digging of trenches for your lines of “defense”…. Fear no more!

The Radical Risk Management process is here and the future is bright for those who choose to go through the disruption of dumping the outdated thinking, concepts, models and processes; things like the risk management “process” that is based on the assumption that it is possible to identify all the risks you are exposed to and then follow a dedicated process of mitigating all those risks as well as ideas like “Green is Good” and the 3/4/or even worse, 5 “Lines of Defense”. The management of risk is a mental process, not a technical process of data gathering, evaluation and reporting at consistent intervals with an expectation of a different outcome; or even “improvement.” Those who do nothing will just be exploited by those who change and get better at the management of risk.

Risk Intelligence:

“Information is anything that can be known, regardless of how it is discovered. Intelligence refers to information that meets the stated or understood needs of [the users] and has been collected, processed, and narrowed to meet those needs. Intelligence is a subset of the broader category of information. Intelligence and the entire process by which it is identified, obtained, and analyzed respond to the needs of [users]. All intelligence is information; not all information is intelligence” --Mark M. Lowenthal, Intelligence: From Secrets to Policy (from Special Warfare Bulletin, JFK Special Warfare Center and School, Fort Bragg.)

In an effective risk culture, people care enough to think about the risks associated with their jobs before they make decisions on a daily basis.

In the ultimate risk culture, every person acts as a risk manager and will constantly evaluate, control and optimise risks to make informed decisions and build sustainable competitive advantage for the organisation. (Read more about Risk Culture Building in my other articles on LinkedIn)

Success depends on the levels of accountability you drive in your organisation and the time and effort you put into building an effective risk culture. Do not even attempt this if you are going to keep a process of making risk decisions in committees where these decisions are “syndicated” without anybody taking any accountability. That will not work in the Radical Risk Management process!

There is also no need to employ consultants to help you with this, I could never anyway understand why organisations would pay “outsiders” to come in and gather ideas from their staff and convert these into PowerPoint presentations they sell back to the organisation. There is no Blueprint of one-size-fits-all for the Radical Risk Management process, you have to build the unique process in your organisation, based on the underlying corporate culture and organisational structure and focusing on driving both the behaviours you want to encourage and the behaviours you want to avoid.

You need to take each of the four components and develop these within the context of your business strategy, goals and objectives. If a risk will not prevent you from reaching your business goals, don’t worry about it; you can never identify all the risks you are exposed to, the key factor is how your employees will respond to a situation of risk in “real-time”. Business is not a game and business decisions based on last quarter’s risk report is not such a good idea in real-life, there is no reset button!