Pre-Risk Management: Everything before you think you're managing things tagged 'risk'

Great contests and adversarial positions arise from risk management beliefs and practices but so little focus or consideration is taken for all the things that take place long before anyone thinks they are managing things now called 'risk'.

In other words, what happened and how much analysis took place before you started managing things now tagged as risk?

Remarkably (read shockingly!) far too many things being managed in the name of risk are hastily assembled discussion points or an advanced shopping list of palatable talking points categorised and administratively listed on spreadsheets and risk registers formed in less time it takes to commute to and from a workplace on a weekly basis.

Pre-risk management is therefore all that stuff, behaviour, information, knowledge, curation, filtration, shortcuts and activity that takes place before things now call risk are management.

So little pre-risk management is documented, discussed in detail or adequately taught in 3-day risk certification courses it remains the greatest threat and ironically 'risk' associated with contemporary management of risk practices within organisations.

Moreover, pre-risk management is neither an accounting nor general management discipline or adequately informed process.

Pre-risk management entails complex, messy, invisible factors such as:

• Situational awareness
• Risk perception, cognition, values, ideology, morality, ethics, visibility, communications, innumeracy, culture, etc
• Information and knowledge asymmetry
• Sociology, politics, economics, criminology, risk sciences, management, organisational psychology, etc
• Statistics, natural frequencies, ambiguity, uncertainty, volatility, central tendencies, p-values, null hypothesis, etc
• Relationships, human behaviour, rational/irrational actions, mother nature...

and the list goes on.

With all these dynamic and disparate factors...how is it your management list of risk is so static and routinely scheduled for update?

The window dressing that conceals and dismisses all the pre-risk management factors are risk matrices, registers, spreadsheets and other increasingly whizz-bang technology overlays.

Again, it is remarkable (shocking) how many 'risk' entries have little to no supporting assessment or analysis documentation outside of a calendar meeting event or summarised minutes of meeting.

A growing legion of individuals, department and providers continue to manufacture 'pulp' risk content for registers, spreadsheets and debate. Much of which provides little to no supporting evidence, methodological rigour or reliable/verifiable data informing said risk status.

So here is a simple test.

Retrieve your current 'risk' register, spreadsheet, dashboard or whatever it is you are using and compare it to all the content, evidence, analysis, assessments and empirical findings you have that informed this final product. Should you discover a dearth of supporting data, evidence and other empirically defensible materials informing your risk list/s, it is time to add 'management of risk' to your risk spreadsheet, register or dashboard as you have likely manufactured yet another corporate theatrical process such as the ever increasing and vague nomenclature associated with risk; such as resilience, 3 lines of defence, risk enablement and other organisational language that asserts results without evidence or methodological rigour.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk & Management Sciences