The articulation of risk management’s benefits and the way it is widely implemented and understood is based on a fallacy, says Ben Cattaneo, founder of The Decision-Making Studio. Risk managers must evolve to stay useful.

Open up just about any article, post, or other piece of thought leadership on the importance of risk management or any of its adjacent spaces, and almost inevitably, it starts off with something along the lines of “we are living in times of unprecedented uncertainty and complexity” along with (as a bonus for those of us playing risk management BS bingo) a reference to VUCA (volatility, complexity, uncertainty and ambiguity).


It then continues with some repackaging of concepts that will be familiar to Strategic Risk readers. These might include ‘integrating risk with strategy’, resilience, scenarios, risk culture, ESG, GRC, or the much more cringeworthy (and broken) risk appetite statements, risk dashboards, and even (God forbid) the risk register.

If you are a risk management professional and have tried to communicate its importance to senior leaders or stakeholders, you – like me – have probably spewed these terms on multiple occasions.

However, the articulation of risk management’s benefits and the way it is widely implemented and understood is based on a fallacy. That fallacy is a cognitive bias called “the illusion of control”: the belief that we have greater control over events than we really do.

Unless the profession comes to grips with this fallacy, no amount of re-positioning, talking about ‘positive risks’ as ‘opportunities’, wonderful and pretty dashboards, or even the use of generative AI will make one iota of difference.

Of course, the world is indeed complex, and becoming increasingly so (a ‘no kidding, Columbo’ comment from you, dear reader, is perfectly appropriate here). Nonetheless, it is important to understand what that exactly means and why it matters.

David Snowden and Mary Boone produced a very useful definition of this in something called “The Cynefin Framework”. Essentially, ‘complex’ problems, as opposed to ‘complicated’ ones, are those in which we cannot possibly know all the variables and how they interact. ‘Complicated’ problems, on the other hand, involve numerous interactions between knowable variables.

Complicated problems can be addressed via tools, processes, and policies. Complexity cannot. In short, much of risk management is solving for complicated problems all while thinking that these solutions address complexity. This is the illusion of control. It’s also false advertising, and our stakeholders can see that.

Risk management as a practice and a profession needs to recognise this and change – or eventually become irrelevant. One of the biggest early warning signs is a lack of younger professionals interested in risk management as a profession, as covered in StrategicRISK recently. 

Smart, curious and talented young professionals can see that risk management is not having the impact on organisations that it purports to have. In short, they don’t believe the advertising, and they are right in many cases.

The way forward ought to start with more humility and a focus on decision quality under uncertainty.

“Decision quality” means making the best possible decision at the time the decision is made, based on the information available. Single decisions should not be judged based on their outcomes, which can be products of skill, luck, or both (doing so is called ‘outcome bias’ or ‘resulting’).

It recognises that sometimes, we make the best possible decision, but it still does not work out. Over time however, quality decisions add up and organisations and individuals succeed with more regularity. It also recognises that sometimes, there will be failures along the way.

This is a shift in mindset for many risk functions (and in some cases, it requires a capability shift too). While not easy, there are a few practices that I think can start to help risk professionals make this change:

Separate ‘enduring’ versus ‘dynamic’ risk

At BT, we made a profound change to how risk was addressed by separating its world of risk into those that are ‘enduring’ – that is, those to which the business is always exposed and to which decision-making is recurring – and those that are ‘dynamic’ – those that are one-off and relate to high-stakes, often strategic decisions and objectives that require more careful deliberation because they are truly ‘complex’.

Doing so negated the need for thousands of risks in hundreds of risk registers by defining and implementing the enduring activities that needed to be in place to address them. This helped to free management time and reduced internal ‘decision fatigue’.

Focus on decision quality and minimise everything else

Risk professionals can similarly look at the range of their organisation’s risk management activities and put them into two buckets: one, those that help improve decision-quality, and two, everything else. Things like risk registers, risk appetite statements and risk reports will fall into the latter bucket.

Priority should be given to working with leaders when objectives are set, and supporting key decisions (such as big investments, acquisitions, product launches, considering new programmes, etc.) when they are made (for instance, by providing healthy challenge, analysis, and facilitation).

Look outside for insights

There is a wealth of knowledge and useful practices in the realms of decision science, behavioural science (an incredibly important area that is often ignored by those in risk), statistics, the humanities and subject matter experts across industries or on complex topics that are highly applicable to the challenges risk professionals and their organisations face.

If any profession should recognise the illusion of control and the need for a focus on decision quality, it is the risk management profession.

There is power in the humility that this recognition requires. By so doing, it would get out of its own way and become what it could and should be: a way to help us all thrive in what is – in the least possible risk management BS bingo sense – a truly uncertain and complex world.

Ben Cattaneo is a decision-making, strategy, and risk management professional as well as podcast host. He is the founder of The Decision-Making Studio, a consultancy that helps leaders and organizations practice and embed quality decision-making under uncertainty.

Prior to this, Ben held a senior risk management role at BT (British Telecom) during which he designed and helped implement the company’s approach to risk management and decision-making.

Before that, Ben had a successful career as a strategy and risk management consultant with Accenture; ERM, the world’s largest consulting firm in sustainability; and Control Risks, the world’s largest geopolitical risk consultancy.

He also hosts The All Things Risk podcast, a show dedicated to helping us understand our world and ourselves through the lenses of risk and uncertainty. He is the co-author of the forthcoming book, Decision-Making in the Polycrisis Era.