For those risk managers who are not already questioning risk management, here is why risk manager Andrew Potter, believes it is time to get behind #ChangingRisk 

Disclaimer: The views and opinions expressed in this article are my own and do not necessarily reflect the official policy or position of my employer. Although the remarks below are entirely my opinion, all my learnings and experiences thus far in various roles have led to me aligning the threats and opportunities (in other words, risks) to the strategy and goals of the firm to make risk management more relevant. For those risk managers who are not already doing this, here is why I think it is time to get behind #ChangingRisk

Let’s be honest here: risk management is not rocket science. If it was, I wouldn’t be doing it.

It is also not a one size fits all type of discipline which is why risk management must be adapted to fit the organisation you work for and it must be relevant.

I remember an executive (now a CEO for a household Australian name) describing risk management “boring as bat sh*t!”. The only possible reason such a comment could have been warranted is that risk management within their organisation was not relevant to their strategy, mission, vision and/or ambition and so saw it as irrelevant. There is another possible reason, but I will refrain from mentioning it in this forum.

If eyes roll when you mention risk management, it may be worth taking a step back, reassessing the approach taken and identifying an alternative. One approach that is very successful is ensuring that the organisations executive goals/objectives relating to the strategy, mission, vision and/or ambition are cascaded through the business.

It is fundamentally important that departmental or functional goals/objectives are relevant and aligned to achieve the strategy, mission, vision and/or ambition…if they are not, these areas essentially do not have the right focus (and maybe this a leadership issue that needs to be rectified as they are not heading in the same direction or on the same page as the Executive and Board).

If the above does not happen…it is very hard for Risk Management to be effective and relevant. But I will continue.

Risk management is about managing residual threats and opportunities that can impact and/or assist achieving the strategy, mission, vision and/or ambition. To do this, in your risk management discussions/workshops you need to start by understanding why the stakeholder group are relevant to the organisations success and what goals/objectives they have. Next work in collaboration to identify what threats can impact them from achieving those particular goals/objectives and what opportunities exist or can materialise to help achieve those goals/objectives.

Following this, the organisation should prioritise what resources should be committed to the management of the threats and opportunities … I won’t dare mention risk matrices as a potential option to help guide this prioritisation as there is a lot of commentary in this space about their ultimate usefulness (they work for me…just saying) … at the end of the day every option will have its flaws.

What is important is that a framework (like risk matrices) to provide guidance (not the ultimate determination) is in place to provide a consistent method. What is next is even more important where the relevant stakeholders get together to agree that the correct threats and opportunities have been identified and the appropriate plans, mitigations and resources have been assigned for their achievement.

There you have it, in my mind (and I may be wrong) Risk Management explained simply. I also drew a simple picture to make this easier for those that do not like a page of text.


 Risk managers - this is your moment to take charge of your profession and join the growing number of peers who are eagerly #ChangingRisk. Want to get involved? Email our content director, Kin Ly