Implementing Risk Management

Sphere State Group
2 min read · Apr 25, 2023


Just read an article by someone addressing 5 steps for implementing risk management. It was very formal and very much in the spirit of ISO31000. Words like “commitment” and “controls” were used. I wondered whether the author used ChatGPT. These days we are losing our ability to easily discern.

My concern while reading the article was about the connection of the author with reality of how organizations actually work. Here are some observations based strictly on my experience:

  • Regardless of hierarchical structure, organizations are not cohesive and linear in terms of process continuity and bandwidth for noticing and treating risks. Things fall through the cracks at different rates and scale person-to-person and function-to-function.
  • Senior management is primarily worried about performance and achievement of set objectives. They are receptive to having a risk-conscious mindset, but are typically very poorly trained to operate with this mindset consistently. Moreover, their status often leads to overconfidence.
  • “Reactive” risk management still beats “proactive” risk management. Just think about the speed and scale of ChatGPT adoption despite a number of warnings from very prominent minds. Here’s a link to a talk which should terrify you.
  • We are all subject to cognitive biases. Sadly, deep knowledge of this subject and countermeasures during decision-making are not yet standardized in organizations.
  • Even when new processes are slated for implementation, organizations still don’t have consistent ways of scrutinizing their design and associated assumptions about risks, adoption, and continuity of effectiveness and efficiency.

So here’s my take on what should be considered for implementing risk management. I suspect ChatGPT won’t be able to conjure this up.

  1. Any new process implementation project in an organization requires a dedicated team and project manager. Nothing should start without this.
  2. If you can’t agree on the definition of risk in your organization, you won’t be successful with the implementation of anything focused on managing risk. The definition of risk should be tied to the achievement of the organization’s objectives, as well as to an understanding of mission-critical assets and potential loss scenarios.
  3. Like any other set of processes, risk management requires resources and continual oversight. So, any risk management program should be designed and implemented with the assumption of minimal available resources and minimal commitment (see, I can use this word, too!) from people asked to help with this.
  4. If risk management processes cannot be infused into all functions of the organization, this should be carefully addressed to help avoid unexpected loss events and liability down the road.
  5. Risk management, first and foremost, is a tool for decision-making. Therefore, it should be viewed, designed, implemented, and maintained with this in mind.

What do you think?

Thanks for your attention.

Soar above mediocrity.
