Risk management implementation projects – unreasonable expectations

As I discussed in prior posts, risk management implementation projects can be very challenging. The perceived success is often directly related to the expectations for the project. In this post I’ll write about some common, but unreasonable, expectations. My next post will address the  flip side – what you should expect to receive from the project.

Unreasonable — Risk management is a one-time analysis

Everyone recognizes the need to continually update accounting records and periodically produce new balance sheets and income statements. Your risk environment, similarly, is constantly changing and needs to be updated if it’s to provide value. When risk management is treated as a one-and-done activity, it runs into two fundamental problems.

First, the information in the very first risk assessment is, essentially, an unvalidated model of your organization’s risk environment. It’s often unwise to place confidence in an unvalidated model. Instead, this risk model must be revisited from time-to-time and adjusted until the model reflects an ongoing representation of the real world. If a risk management model, 12 months later, indicates that a particular risk is the greatest risk to the organization does that still make practical sense? If not, what assumptions need to be tweaked?

Second, any organization’s real world environment is not static. It changes daily. The greatest benefit of risk management is to capture changing conditions and help identify where and when certain strategies may no longer be optimal and should be revisited. This capability focuses management’s attention on  either mitigating a new emerging risk or taking advantage of a new emerging opportunity. This value is lost if risk management is viewed as a static project.

Unreasonable — Risk management will deliver hard and objective answers about risk

Sorry. Risk management is inherently subjective. The foundation for risk management relies on people’s opinions of how different  activities and risks might impact your organization. Occasionally, in very specific risk areas, there may be  sufficient data such that analytical risk models can be created. But even these apparently objective models are based on historical experience and assumptions about future probability. It’s important to recognize that risk management always relies on opinions and assumptions. The goal is to remove the superficial subjectivity surrounding assumptions, definitions, and personal self-interest. When this superficial subjectivity is removed, it is far easier to discuss, rank, and monitor the impact and likelihood of risks.

Perhaps most important is to simply avoid the illusion of objectivity and openly recognize that periodic ongoing updates to your risk management system fulfill two purposes – i) to recognize changes to your risk environment (i.e., the inputs to your risk management model) and ii) to provide ongoing validation to your organization’s risk management model, itself.

Unreasonable — Management can fully outsource the implementation project

Senior management must remain involved to some level. No one outside of the senior management team can know all of the important strategic and tactical issues within your organization. This means that, except in broad general terms, no single individual can effectively:

  1. Design the ultimate risk management deliverable,
  2. Identify all of the risks,
  3. Determine which risks might be more potentially harmful to the organization,
  4. Determine the likelihood that those risks might actually occur.

Of course, the more time that someone spends inside the organization doing research and  interviews they can become more familiar with the organization. But that’s still no substitute to directly involving the right people at all levels of the organization. It’s the only option if the foundation is to be built on solid, informed opinions rather than uninformed generalities.

Recap: This post addresses some of the unreasonable expectations. You may have additional ones in mind and I would love to hear from you. The next post will flip this over and discuss some very reasonable expectations that management should have.


One thought on “Risk management implementation projects – unreasonable expectations

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s